Since its introduction in June 2022, Bill C-27, the Digital Charter Implementation Act, 2022 ("Bill C-27"), has taken centre stage in the world of Canadian privacy law. However, privacy law developments extend beyond federal jurisdiction, with provinces like Alberta leading its own regulatory reforms to address modern challenges. In 2024, Alberta initiated a review of the Personal Information Protection Act ("AB PIPA"), soliciting feedback from key stakeholders. This article explores key updates from Alberta's AB PIPA review and highlights the province's alignment with federal efforts under Bill C-27 to foster interoperability and enhance privacy protections in Canada.
Consultation to review Alberta Personal Information and Protection Act
In May, the Alberta Standing Committee on Resource Stewardship (the "AB Standing Committee") invited written submissions in relation to its review of the AB PIPA.
On June 13, 2024, Commissioner Diane McLeod ("Commissioner McLeod") of the Office of the Information and Privacy Commissioner of Alberta ("OIPC") made recommendations on revisions to the AB PIPA to modernize the legislation amid rapid technological advancements. In submissions to the AB Standing Committee, the OIPC emphasized the need to align the AB PIPA with global privacy standards and address the privacy challenges posed by modern technologies like artificial intelligence ("AI") and quantum computing. Aligning with its federal counterpart, Office of the Privacy Commissioner of Canada ("OPC"), the OIPC advocates for the recognition of the protection of personal information as a fundamental right.
Key proposed changes include:
- Expansion of the AB PIPA's scope: Applying the legislation to political parties and not-for-profit organizations, potentially increasing compliance obligations for these entities.
- Enhanced individual rights:
-
- Affirming Albertans' rights to access their personal information.
- Introducing a "right to be forgotten," which may allow individuals to request deletion of their personal data.
- Granting data portability rights which may enable the transfer of personal information between organizations.
- Specific protections for children's information: Implementing specific protection for personal data of minors.
- Regulation of automated decision-making: Establishing rules for decisions made by automated processes, including the right for individuals to contest such decisions.
- Mandatory privacy management programs: Requiring organizations to develop specific privacy management programs, conduct privacy impact assessments, and other modifications for mandatory reporting data breaches.
- Additional compliance requirements: Requirements for compliance by service providers and enhanced requirements for organizations to use security safeguards based on the sensitivity of the personal information.
- Enhanced enforcement mechanisms: Providing the OIPC with greater authority to enforce compliance with PIPA.
- New compliance, communication and enforcement recommendations: Requiring plain language communication standards, requirements for the de-identification and anonymization of personal information, introducing a regulatory sandbox operated by the OIPC for testing privacy solutions, and enhanced enforcement provisions under the AB PIPA.
The Office of the Information and Privacy Commissioner for British Columbia ("IPC") and the OPC each provided written submissions to and delivered oral submissions before the AB Standing Committee.
In submissions to the AB Standing Committee, Commissioner Michael Harvey of the IPC ("Commissioner Harvey") referred to the most recent statutory review of the BC PIPA in 2020 and 2021. Commissioner Harvey highlighted five areas articulated in the IPC's submissions, which also apply to proposed amendments to the AB PIPA, including:
- Right to data portability: Individuals should be entitled to obtain their personal information from an organization or have it sent to another organization at no expense to them.
- Automated decision-making, notice and rights: Organizations should be required to notify individuals of the use of automated decision-making.
- Service providers: Organizations should be required to use contractual or other means to ensure service providers comply with the AB PIPA.
- Notice: The AB PIPA should be amended to require organizations to use comprehensive, specific, clear and plain language when giving notice of all the purposes for which personal information is being collected, used and disclosed.
- Enforcement: The AB PIPA should be amended to enable the OIPC to impose a monetary penalty on an organization for noncompliance with statutory requirements.
Similarly, Commissioner Philippe Dufresne of the OPC ("Commissioner Dufresne") provided submissions to the AB Standing Committee, in which he highlighted the importance of modernizing privacy laws to address emerging technologies, evolving business models and increasing privacy risks. Commissioner Dufresne emphasizes the need for interoperability between federal and provincial privacy laws, which simplifies compliance for businesses and builds consumer trust by ensuring personal data is adequately protected, regardless of jurisdiction. Further, Commissioner Dufresne summarized the status and key considerations of Bill C-27, and stressed the need to align provincial legislation with proposed federal reforms under Bill C-27 to support innovation, simplify compliance and foster trust in the digital economy.
Both Commissioners Harvey and Dufresne made oral submissions to the AB Standing Committee on Sept. 24, 2024. In his comments, Commissioner Harvey expanded on his written submissions by addressing the topic of children's privacy and the contrast between the AB PIPA and BC PIPA with respect to the application of legislation to political parties and the non-profit sector.
Commissioner Dufresne delivered an opening statement to the AB Standing Committee, in which he elaborated on his previous written submissions and reiterated the importance of interoperability of privacy laws. Commissioner Dufresne reaffirmed the three pillars of his privacy vision, first introduced at the start of his mandate two years ago:
- Privacy as a fundamental right;
- Privacy supporting the public interest in Canada's innovation and competitiveness; and
- Privacy as an accelerator of Canadians' trust in their institutions and their participation as digital citizens.
The OPC's strategic plan to uphold these three pillars involves investing in partnerships and joint initiatives with provincial and territorial data protection authorities. This approach highlights the necessity for interoperable privacy laws to address modern privacy challenges and facilitate a consistent and effective regulatory framework across Canada and internationally. Commissioner Dufresne emphasized that Canadians should be able to trust that their personal information is secure, regardless of its location or transfer, and that enhancing interoperability would also lower compliance costs for organizations. He further discussed the implications of Bill C-27, which is currently under study by the House of Commons' Standing Committee on Industry and Technology.
As privacy risks grow and technologies like AI reshape the digital landscape, aligning federal and provincial privacy laws is increasingly important. Alberta's proposed changes to the AB PIPA—such as expanded individual rights, stronger enforcement and new compliance requirements—reflect significant efforts to modernize privacy legislation. These proposed reforms align with federal initiatives under Bill C-27 and aim to enhance the protection of personal information. Effective coordination between federal and provincial frameworks is essential for ensuring consistent and robust privacy protection for Canadian individuals and organizations alike.
Read the original article on GowlingWLG.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.