On June 15, the federal government introduced Bill C-36, the Protecting Privacy and Consumer Data Act. If it becomes law, it would replace the core of PIPEDA, the rules that have governed how Canadian businesses handle personal information for the past 25 years. It is the third attempt in six years to modernize that law, so nobody should treat it as a done deal. But the direction is clear, and it is worth understanding now rather than the week it takes effect.
For most small businesses, the headline is not the legal fine print. It is that two questions you could previously answer with a shrug are about to become things you need to be able to explain: where does our customer data actually live, and who can legally reach it?
What Bill C-36 actually is
Bill C-36 replaces Part 1 of PIPEDA with a new framework called the Protecting Privacy and Consumer Data Act. A few things stand out.
It declares privacy a fundamental right. That sounds like symbolism, but it changes how the law gets interpreted: when a regulator or a court weighs a business’s interest against an individual’s privacy, the individual’s side now starts from a stronger position.
It is still built on consent. You still need meaningful, plain-language permission to collect and use personal information, and the bill leans harder on the “plain-language” part. Burying consent in a wall of legalese is exactly what it is designed to stop.
And it is early. The bill had its first reading on June 15 and still has to clear second reading and committee, where it will almost certainly change. We are flagging it now because the obligations it points to are the kind you want to get ahead of, not scramble to meet.
The part that matters most: moving data across the border
Here is the detail that gets lost in most of the coverage. Bill C-36 does not require you to keep Canadian data in Canada. There is no data-localization mandate.
What it does introduce is an explicit obligation to assess and mitigate the privacy risks before you transfer personal information outside the country. In plain terms: if your customer data ends up on a server in the United States, or anywhere else, you are now expected to have thought about what that exposes it to, and to be able to show your work.
This is the practical heart of the data sovereignty conversation, and it is why we keep coming back to it. Hosting in Canada has never been legally mandatory, and we have said so plainly before. What changes with C-36 is that the cross-border question stops being a philosophical preference and becomes something you are expected to document. The simplest way to keep that assessment short is to not send the data across the border in the first place.
Real enforcement, with real numbers
The reason this is worth paying attention to is enforcement. C-36 creates a new Digital Safety and Data Protection Commission of Canada that can issue binding orders and levy penalties directly, without the slower tribunal process the previous bill proposed.
The penalties are not symbolic. Administrative penalties can reach the greater of 10 million dollars or 3 percent of global revenue. The most serious violations carry fines up to the greater of 25 million dollars or 5 percent of global revenue. Those ceilings are aimed at large players, but the obligations underneath them apply broadly, and “we are too small for this to matter” is the wrong reflex. The new rules also tighten up the things most businesses actually do touch: clear consent, disclosing when an automated system makes a significant decision about someone, stronger handling of children’s data, and notifying both the regulator and the affected people after a breach.
What this means for where you host
None of this means moving your servers to Canada makes you compliant on its own. Compliance is about how you handle data, not just where it sits. But hosting in Canada removes the single hardest question from the list, because there is no cross-border transfer to assess when the data never leaves. It shrinks your risk surface and shortens the paperwork at the same time.
And it is not only your website. Personal information flows through your email, your backups, your analytics, your payment processor, and every plugin or SaaS tool that touches a customer record. Each of those is a place data can cross a border without anyone deciding it should.
What to do now
You do not need a compliance department to get ahead of this. A few practical steps cover most of it:
- Map where your customer data actually lives: website, email, backups, analytics, form submissions, and any third-party tool that stores records.
- For each one, find out which country it is hosted in and whether the provider moves data across borders.
- Write down, even informally, why you collect what you collect and how long you keep it. That is the seed of the privacy management program the bill expects.
- Rewrite any consent language a normal person cannot understand on first read.
- Know your breach plan: who you would notify, and how fast.
The point
Bill C-36 is not law yet, and it will look different by the time it is. But the direction is set: Canadian privacy is being treated as a fundamental right with real teeth, and how you move personal data across borders is becoming something you have to account for. Knowing where your data lives is the cheapest first step you can take, and for a lot of Canadian businesses, keeping it on Canadian soil is the one that makes every other question easier to answer.
Full disclosure, since this is a hosting provider’s blog: we are CanSpace, a Canadian-incorporated company with all of our servers in Canada and Canadian-staffed support. We have a stake in the data sovereignty conversation, but our position has always been the honest version of it. Hosting in Canada is not a legal requirement; it is a way to make questions like the ones C-36 raises simpler to answer.
If you want to see how that looks in practice, our hosting plans and email hosting keep both your site and your mail on Canadian servers, and our why-Canadian explainer goes deeper on the jurisdiction question. If you would rather just ask where your data would live and who can reach it, send us the question directly and we will answer it plainly.