A person types on a cellphone in Ottawa on, Dec. 15, 2025. THE CANADIAN PRESS/Sean KilpatrickSean Kilpatrick/The Canadian Press
Here comes the digital commission. It will make policy, take complaints, investigate abuses, review plans and regulate companies’ collection and use of personal information, how the data of children are scraped up into AI, social-media platforms, and more.
When it was first outlined in a bill to regulate social media last week, the Digital Safety Commission sounded like a body with some flexibility to grapple with some of the thorny, evolving problems of regulating big platforms – even if some worried its mandate to protect children and others came with extensive powers.
Less than a week later, a whole new series of mandates and powers were loaded onto the new regulator in a bill to revamp Canada’s privacy regime that proposes to make the body – now to be called the Digital Safety and Data Protection Commission of Canada – a super-regulating behemoth.
The new commission is still on the drawing board, but it is being overloaded with so many responsibilities that you have to wonder whether it will be crushed under its own weight before it can be stood up.
“This kind of model for a digital regulator of this size with such a large footprint is pretty unprecedented,” said Michael Walsh, a government affairs and privacy lawyer with Gowling WLG in Ottawa.
Opinion: Canada may get the strongest digital online safety framework in the world
The unprecedented part of this regime is that the regulation of the online world and of private-sector privacy matters has now been smooshed together under one new regulator, taking that latter function out of the hands of the office of the Privacy Commissioner.
Both aspects touch on a vast array of important things: the collection and abuses of personal information, data sovereignty, competition policy, artificial intelligence, and on and on.
Making policy for that whole nexus has vexed governments, in Canada and around the world. Under Justin Trudeau, the Liberal government made two previous attempts to update privacy legislation and twice introduced online harms legislation.
Under Prime Minister Mark Carney, the government’s strategy for encouraging adoption of AI is linked to privacy protection. Legislating policy for a world of evolving technology isn’t easy, either.
Mr. Carney’s government had to tackle a whole array of tricky issues, but they left a lot of the policy decisions to be made by the new regulator. So much so that it is hard to see how much will change.
One small example: Evan Solomon, the Minister of Artificial Intelligence, promised the bill would target surveillance pricing, where companies track personal information to evaluate which price to charge you – by asking the new commission to provide “guidance” on what companies are allowed to do.
But there are many different types of jobs to be done by the new regulator. It will set guidelines, advocate for privacy and online responsibility, review companies’ plans, field complaints, investigate abuses and levy hefty penalties.
“There’s a regulatory piece, there is an advocacy piece, there is a policy-making piece, there is an ombuds piece for potential complaints, and this has brought all of that together,” said Michael Geist, the Canada Research Chair in internet and e-commerce law at the University of Ottawa. “I do think there are real issues if you’ve got an entity that basically functions as judge and jury and advocate and investigator.”
Those questions will presumably be asked as the legislation winds through Parliament. There is another practical matter: Setting up the super-regulator will be a daunting bureaucratic challenge. In Ottawa, accomplishing it would be no small feat.
Hundreds will presumably be hired. Fielding complaints might sound easy, but ask the Canadian Transportation Agency about its backlog of air-passenger complaints. Many functions of the Privacy Commissioner will be dismantled and rebuilt at the commission. A vast array of standards must be established before regulators can hold companies to them.
All that will take two years or more.
The whole regime won’t be novel. Mr. Walsh noted that Canadian companies are already familiar with privacy impact assessments and privacy management plans. But they don’t know whether the new body will interpret them in the same way. Companies making decisions can’t know what the rules will be in two or three years.
If all that can really be pulled together, the new digital commission will be a behemoth, with a broader impact on lives and companies than any other. But with so many responsibilities and so many mandates, it might be so overloaded it never gets up and running.