The fine ceiling climbs to 5% of global revenue - and clients get a new way to sue
Canadian wealth firms could face fines reaching the greater of $25 million or 5 percent of global revenue under a new federal privacy bill.
The federal government introduced Bill C-36 on June 15, 2026, and it would rewrite how advisors, fund managers and wealth firms handle the personal information they collect every day. The bill enacts the Protecting Privacy and Consumer Data Act, repeals Part 1 of the Personal Information Protection and Electronic Documents Act, and renames what is left of that statute the Electronic Documents Act. It was tabled by the Minister of Artificial Intelligence and Digital Innovation.
For an industry built on client data - account details, financial histories, identification - the reach is broad. The new act applies to organizations that collect, use or disclose personal information in the course of commercial activities, which captures wealth managers and the bank divisions that house them.
The penalties are the part to watch. The bill sets a maximum administrative penalty, for all contraventions found in a single investigation, of the greater of $10 million or 3 percent of an organization's gross global revenue in the prior financial year. Separately, an organization that knowingly breaches certain provisions - or obstructs the Commissioner or the Commission - commits an offence. On indictment, the fine can reach the greater of $25 million or 5 percent of gross global revenue; on summary conviction, the greater of $20 million or 4 percent.
The bill also opens a direct route for clients to sue. Once a contravention is established through the Commissioner, the courts, or a final decision, an affected individual has a cause of action against the organization for damages tied to the loss or injury they suffered.
Day-to-day obligations are spelled out. Organizations must maintain a privacy management program, limit collection, obtain consent, and dispose of information no longer needed. They must report any breach of security safeguards to the Commission when it is reasonable to believe the breach creates a real risk of significant harm to an individual, and notify the people affected.
One provision speaks directly to advisors worried about vulnerable clients. The act lets an organization disclose personal information, without consent, to a government institution or the individual's next of kin or authorized representative when it has reasonable grounds to believe the person has been, is, or may be the victim of financial abuse - provided the disclosure is made solely to prevent or investigate that abuse.
Enforcement would sit with a new Privacy and Consumer Data Division inside the renamed Digital Safety and Data Protection Commission of Canada. The bill also amends financial-sector statutes including the Bank Act, the Insurance Companies Act, the Trust and Loan Companies Act and the Cooperative Credit Associations Act.
Most of the act would come into force on a day set by order of the Governor in Council. A parliamentary committee would review the law five years after it takes effect, and every five years after that.
The full text of Bill C-36 is available at https://www.parl.ca/DocumentViewer/en/45-1/bill/C-36/first-reading.
