14 April 2025

As Federal Legislation Stalls, Alberta Continues To Move Forward With Its Privacy Reform Efforts

McMillan LLP


The proclamation proroguing Parliament earlier this year significantly reduced the likelihood of reforms to Canada's Federal privacy legislation in the near term. However, the provinces are continuing to evaluate and move forward with potential reforms.

As described in our prior client update, Alberta Proposes Modernized Public Sector Privacy and Information Access Legislation: Unpacking Bills 33 and 34, Alberta has already passed Bill 33: the Protection of Privacy Act ("POPA") and Bill 34: the Access to Information Act ("ATIA"), which were both introduced to modernize Alberta's public sector privacy and access to information legislation. The implementation of POPA and ATIA is continuing, with minor amendments introduced for "clarity and consistency" on March 20, 2025.[1] It is expected that POPA and ATIA will come into force later this year, and so public bodies in Alberta and organizations that do business with them should be actively working to update their practices to comply with the requirements of these two new statutes (which will replace the existing Freedom of Information and Protection of Privacy Act ("FOIP Act")).[2]

Meanwhile, Alberta is also examining potential changes to its private sector privacy regime. In particular, the Standing Committee on Resource Stewardship (the "Committee") recently concluded its review of Alberta's Personal Information Protection Act ("PIPA") and delivered 12 recommendations for potential reforms.[3]

Standing Committee's Final Report on PIPA

PIPA governs the collection, use, retention, protection, and disclosure of personal information by Alberta's private sector organizations. Under a legislative mandate, this Act undergoes periodic reviews by a special committee of Alberta's Legislative Assembly. The Committee began its second review in January 2024, held stakeholder consultations throughout 2024, and released its Final Report – Review of the Personal Information Protection Act on February 21, 2025.

The 12 Recommendations

After months of stakeholder consultations, technical briefings, and deliberations, the Committee issued 12 recommendations, addressing matters such as minors' privacy, administrative monetary penalties, and alignment with provincial, federal and global privacy laws. We have provided an overview of the recommendations below:

1. Protection of Minors

The Committee recommended that PIPA should: "...be amended to provide for specific requirements for the collection, use and disclosure of the personal information of a minor."

While the Committee acknowledged that "...the privacy concerns of children should be considered separately and there should be specific provisions in the Act for minors," it did not elaborate on what those provisions might entail. Canada does not have legislation specifically dedicated to children's privacy (like the COPPA[4] in the United States). However, Quebec's private sector privacy legislation (the "Quebec Act") does provide that personal information concerning a minor under 14 years of age may not be collected from them without parental consent unless collecting the information is clearly for the minor's benefit.[5] Despite the absence of a dedicated children's privacy statute, children's personal information is still covered by Canada's private sector privacy laws, and regulators have increasingly emphasized the importance of protecting minors in recent years. For more information on handling children's data under Canadian law, please see our recent bulletin on this topic.

2. Maintaining "Substantially Similar" Designation

The Committee recommended that the Alberta Government should: "...monitor the consideration of the federal Bill C-27 and take the necessary steps to ensure that the Personal Information Protection Act continues to be substantially similar to federal private-sector personal information privacy legislation."

Given the prorogation of Parliament on January 6, 2025, Bill C-27 was effectively terminated. Accordingly, this recommendation may be somewhat moot. Any future federal privacy reforms will need to be evaluated to determine if and how Alberta can maintain its "substantially similar" designation. With no clear timeline for new federal legislation, any potential upcoming amendments to PIPA may be introduced first and could later require further adjustments to align with evolving federal standards.

3. Administrative Monetary Penalties ("AMPs")

The Committee recommended that PIPA should be amended to give the Office of the Information and Privacy Commissioner of Alberta ("OIPC") authority to impose AMPs, with clear criteria for determining the penalty amounts and a mechanism for organizations to appeal such AMPs.

In the OIPC's May 31, 2024, submission to the Committee, the OIPC pointed out that AMPs are already common in privacy frameworks such as the European Union's General Data Protection Regulation ("GDPR"), Ontario's Personal Health Information Protection Act, and the Quebec Act.[6] AMPs could strengthen enforcement, encourage compliance, and help Alberta's PIPA remain "substantially similar" to potential emerging federal standards.

4. Aligning PIPA with World-leading Jurisdictions

The Committee recommended that the Alberta Government should: "...continue to monitor privacy legislation developments in world-leading jurisdictions and take necessary steps to ensure that the Personal Information Protection Act requires comparable or better requirements for organizations to protect personal information." However, as further noted below, it is unclear how this recommendation aligns with some of the other recommendations in the Final Report that appear to fall short of such global standards.

5. Deidentified and Anonymized Data

The Committee recommended that PIPA should: "...be amended to include comprehensive provisions regarding deidentification and anonymization of personal information..." and consider the OIPC's detailed recommendations. This includes introducing clearer definitions and standards for the creation and handling of deidentified and anonymized information, including prohibitions on reidentification.

The OIPC's submissions outlined how terms like "de-identified" and "anonymized" vary across jurisdictions and exist along a scale of identifiability, from weak pseudonymization to strong anonymization. The OIPC stressed the need for clear definitions, robust standards, and regular risk assessments to account for the growing ease of re-identification due to advances in computing and data-linking techniques.[7]

The OIPC also pointed to Quebec's draft anonymization regulation (now in force), which sets a notably high bar requiring periodic risk reassessments, expert oversight, and strong technical safeguards that must be consistent with generally accepted best practices.[8] However, given the struggle that many organizations are currently experiencing to comply with the high standard for anonymization set out in the Quebec legislation, it is unclear how aligning Alberta's approach with the Quebec regime would promote the goal of facilitating data innovation in Alberta, which is also referenced in the Final Report.

6. Alignment with Other Alberta Privacy Legislation

The Committee recommended that the Alberta Government should take all necessary steps, including proposing amendments to PIPA, to improve alignment among Alberta's private, public, and health-sector privacy laws.

The Committee notes that aligning PIPA, the Health Information Act ("HIA"), and the soon-to-be-replaced FOIP Act "...would streamline compliance efforts and promote consistency in privacy practices of organizations across the public, private, and health sectors in Alberta".

We would note, however, that PIPA, HIA, and the forthcoming POPA and ATIA govern distinct sectors (private, health and public, respectively), and contain sector-specific provisions tailored to their unique contexts. Aligning these four Acts may require coordinated, targeted amendments to more than just PIPA.

7. Nonprofit Organizations

The Committee recommended amending PIPA to clarify the definition of a commercial activity for nonprofit organizations so that they can better understand their obligations. Separately, the Committee recommended that the Government of Alberta should develop guidelines for best practices when nonprofits handle personal information in the course of non-commercial activities.

8. Forms of Consent

The Committee recommended that PIPA should be: "...amended to more clearly define, using plain language, the forms of consent to the collection, use, and disclosure of an Individual's personal information, including deemed consent, express consent and opt-out consent."

Notably, the Committee did not address alternatives to consent as a legal basis for processing personal information. This contrasts with global frameworks like the European Union's GDPR, which recognizes multiple lawful bases for data processing beyond consent, such as contractual necessity, compliance with legal obligations, protection of vital interests, performance of tasks carried out in the public interest, and legitimate interests pursued by the data controller or a third party.[9] This broader approach underscores that consent is not inherently the sole basis for processing personal information, suggesting that Alberta's framework might benefit from further alignment with these internationally recognized practices if they are truly aiming to "...position the province as a leader in responsible data innovation."[10]

9. Offences and Penalties

The Committee recommended that PIPA "...be amended to ensure that the penalties for committing an offence under the Act are the same or higher than those of similar legislation in other Canadian jurisdictions."

The Committee specifically points to the Quebec Act, which allows for the imposition of significant financial penalties, including fines of up to the greater of $25 million or 4% of worldwide turnover, on organizations that violate privacy obligations such as failing to report confidentiality incidents, misusing de-identified or anonymized data, or obstructing investigations by the privacy regulator.[11]

10. Defining "Significant Harm"

The Committee recommended that PIPA should be: "...amended to define significant harm in respect of the loss or unauthorized access or disclosure of personal information."

In their submission to the Committee, the OIPC similarly recommended including a definition of "significant harm" and further submitted that PIPA should include a non-exhaustive list of factors relevant to determining the risk of harm, which would be consistent with the approach set out in the Quebec Act and the federal Personal Information Protection and Electronic Documents Act.[12]

11. Automated Decision-making Systems

The Committee recommended that PIPA should be: "...amended to require organizations to notify individuals if an automated processing system is used to make a decision about that individual."

This recommendation to merely notify individuals about the use of automated decision-making systems seems to fall short of the stronger protections found in some other jurisdictions. For instance, under the Quebec Act, an enterprise that uses personal information to render a decision based exclusively on an automated processing of such information must also, upon request, inform the individual of the personal information used, the reasons and principal factors and parameters that led to the decision, and their right to have the data corrected.[13] Individuals must also be given the opportunity to submit observations to a member of personnel within the enterprise who is in a position to review the decision.[14]

Even further, subject to certain exceptions, the European Union's GDPR grants individuals the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects the individual. In some circumstances, the GDPR mandates suitable measures to safeguard individuals' rights and freedoms and legitimate interests, including the right to obtain human intervention and the right to contest automated decisions.[15]

12. Third-party Service Providers

The Committee recommended that PIPA should be: "...amended to require an organization to contractually bind a third-party service provider to comply with the requirements of the Act in respect of personal information in its custody or under its control."

It is worth noting that, currently, section 5(2) of PIPA already places responsibility on organizations for the acts of their service providers, and section 5(6) clarifies that this does not relieve service providers from their own obligations under PIPA. However, the OIPC noted in their submissions to the Committee that "The lack of clarity around Service Provider accountability under PIPA has created significant confusion for both organizations and its Service Providers", and "It has also been challenging for the OIPC when investigating any alleged non-compliance involving an organization and its Service Provider in determining accountability under the Act."[16] Thus, the Committee appears to feel that further codifying accountability could help reduce compliance uncertainty, allow for more effective enforcement, and reduce risk for Albertans' personal information.

OIPC's Reaction: Commissioner "Generally Pleased"

Shortly after the Final Report was released, the OIPC Commissioner stated, "We were very happy to see that several of the recommendations in the report align with our recommendations to the standing committee" and expressed support for modernizing PIPA to address evolving technological needs.[17]

Looking Ahead

It is now up to the Alberta Government to consider the Committee's recommendations and determine if, when, and how to bring forward any potential amendments to PIPA.

The Committee's recommendations for PIPA suggest possible changes ahead for businesses operating in Alberta's private sector should the Government proceed with formal amendments to the legislation. If the Government decides to formally adopt any of these recommendations into law, organizations may need to prepare for possible AMPs, stricter enforcement mechanisms, revised definitions, and new obligations related to handling children's data, automated decision-making, and service-provider contracts.

Footnotes

1. Updates to privacy and access legislation | alberta.ca.

2. Ibid.

3. Standing Committee on Resource Stewardship: Final Report – Review of the Personal Information Protection Act ["Final Report"].

4. Children's Online Privacy Protection Act of 1998.

5. P-39.1 – Act respecting the protection of personal information in the private sector ["Quebec Act"], s.4.1.

6. PIPA Review 2024 – Office of the Information and Privacy Commissioner of Alberta ["OIPC Submission"], pages 82-83.

7. OIPC Submission, pages 65-74.

8. Regulation respecting the anonymization of personal information, CQLR c A-2.1, r 0.1.

9. Art. 6 GDPR – Lawfulness of processing – General Data Protection Regulation (GDPR).

10. Final Report, page 12.

11. P-39.1 – Act respecting the protection of personal information in the private sector, s.91.

12. OIPC Submission, page 54.

13. Quebec Act, s.12.1.

14. Ibid.

15. Art. 22 GDPR – Automated individual decision-making, including profiling – General Data Protection Regulation (GDPR).

16. OIPC Submission, page 57.

17. Information and Privacy Commissioner generally pleased with recent report on Personal Information Protection Act – Office of the Information and Privacy Commissioner of Alberta.

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2025
