On December 5, 2023, the Legislative Assembly of Alberta referred the Personal Information Protection Act (“PIPA” or “Act”) to the Standing Committee on Resource Stewardship (the “Committee”) for the purposes of a comprehensive review.
The Committee is currently seeking input from stakeholders on the Act. Written submissions are due on May 31, 2024 at 4:30 p.m.
Emerging issues
The Committee prepared a paper titled Emerging Issues: The Personal Information Protection Act (the “Paper”), outlining some emerging issues in privacy that may be useful to consider in the review, including issues related to the proposed federal legislation currently under consideration by the House of Commons in Bill C-27, Digital Charter Implementation Act, 2022.
A summary of the key issues identified in the Paper is provided below:
Issue 1: The changing legislative landscape in Canada and internationally
There have been significant technological changes in Canada since PIPA’s original enactment in 2004. Notably, the growth of business opportunities involving the ‘trade’ of personal information has increased the need for updated legislation to protect Canadians’ personal privacy. In other jurisdictions, new privacy legislation has been enacted or proposed to protect individuals’ personal information.
- Are there specific amendments needed to harmonize PIPA with other jurisdictions to make it easier for businesses to operate in all jurisdictions?
- Are there specific amendments to PIPA needed to modernize the Act for relevant businesses and organizations to conduct business in Alberta?
Issue 2: The changing digital economy, the use of artificial intelligence and the potential need to regulate its design, development, and use
With a rise in artificial intelligence (AI) comes a greater need for up-to-date privacy legislation. Canada’s Artificial Intelligence and Data Act creates heightened obligations on those using high-impact AI systems, and regulates the inter-provincial and international scope of trade and commerce with respect to AI—giving provinces the ability to mitigate risks internally.
Alberta’s PIPA was drafted using technologically neutral language to capture any personal information collected, used, or disseminated electronically. The primary concern going forward may be how to address the rapidly changing technology in this space, and how to balance individuals’ right to privacy and the need for transparency and accountability by companies against the need to support the AI sector’s development and protect companies’ proprietary rights.
- Should PIPA include a framework to regulate the design, development, and/or use of artificial intelligence systems within Alberta? If so, what should be included?
Issue 3: The application of PIPA to non-profit organizations and political parties
PIPA applies broadly to organizations, excluding individuals interacting with personal information for personal purposes.[1] However, there are special provisions for non-profits and political parties. Non-profit organizations that fit certain established criteria are not subject to the Act unless they are involved in a commercial activity. Moreover, registered constituency associations, provincial political parties, and individuals running for office, are not included under the definition for organization under the Act.
- Should all non-profit organizations be fully subject to PIPA for all their activities?
- Should PIPA apply to political parties?
Issue 4: Protection of sensitive personal information
The collection, use, or disclosure of personal information—information that is about an identifiable individual—is governed by PIPA. The Act also qualifies biometric information as personal information, and has provisions regarding personal employee information. Unlike other jurisdictions, PIPA does not have express legislative provisions addressing sensitive personal information, biometric information, and/or children’s personal information.
- Should provisions be added to PIPA to further protect potentially sensitive information? If so, for which information?
- Should provisions be added for biometric information?
- Should provisions be added to enhance the protection of children’s personal information?
Issue 5: Requirements for meaningful consent
Consent is central to the collection, use, and disclosure of personal information by organizations. PIPA allows for organizations to obtain consent through 1) express consent, 2) implied or deemed consent, or 3) consent by not opting out. Other jurisdictions have ‘clear and plain language’ provisions to ensure consent is meaningfully obtained using intelligible and easily accessible language.
- Are the provisions in PIPA dealing with forms of consent and the conditions attached to their use appropriate?
- Should individuals receive notice in plain language when organizations explain the purposes for which personal information is collected, used, or disclosed?
Issue 6: Individual rights that are not included under PIPA
PIPA allows an individual to withdraw or vary consent by giving the organization reasonable notice. However, PIPA does not contain provisions to support individuals requesting that organizations remove, erase or de-index their personal information; provide a copy of their personal data; or give clear information about the logic involved in automated decision systems.
- Should PIPA include other protections for individual information, such as an individual’s right to be forgotten or de-indexed?
- Upon an individual’s request, should organizations be required to transfer that individual’s digital personal information to another organization in a structured, commonly used, and machine-readable format when it is technically feasible (data portability)?
- Should organizations be required to provide individuals with the logic involved in automated decision making about that individual (algorithmic transparency)?
Issue 7: Safeguarding personal information
PIPA provides that an organization may keep only non-identifying information (if it chooses not to destroy the information) after its identified purpose has been fulfilled. PIPA has limited requirements for a privacy management program (a program ensuring privacy is ingrained in all organizational interactions with personal information, with related oversight). Accordingly, there are no provisions in PIPA requiring a privacy impact assessment—a process that relates to privacy risks for an individual—to be completed or reported, no matter the severity of the risk.
- Should PIPA regulate the de-identification and/or anonymization of personal information within the control of an organization and the subsequent use or disclosure of the de-identified or anonymized information? If so, how?
- Should organizations be required to have a privacy management program and provide written information about the program to individuals and the Commissioner?
- Should organizations be required to complete and submit a privacy impact assessment to the Commissioner for specific initiatives involving personal information?
Issue 8: Breach notification
PIPA provides that organizations must notify the Office of the Information and Privacy Commissioner of any privacy breaches (loss of, unauthorized access to, or disclosure of personal information). The Commissioner may require the organization to notify affected individuals within a certain timeframe if there is a “real risk of significant harm.” Comparable legislation has a less strict risk-of-harm threshold and/or a stricter notification deadline.
- Are the provisions for notification of breaches to the Commissioner and individuals under PIPA appropriate?
Issue 9: Administrative monetary penalties
Administrative monetary penalties (“AMP”) are financial penalties imposed on individuals or organizations for contravention of a given regulatory scheme. PIPA has no AMP provision for contravention of the Act, unlike other jurisdictions.
- Should PIPA include the ability of the Commissioner to levy administrative monetary penalties against an organization for certain contraventions of the Act?
Written submissions must be sent to the Standing Committee on Resource Stewardship, c/o Committee Clerk, 3rd Floor, 9820 – 107 Street NW, Edmonton, Alberta T5K 1E7 or via email here.
Follow Dentons Data Blog to stay up to date on the latest privacy developments in Canada. For any questions, or if you require any guidance on navigating the submission process, please contact the author, Kirsten Thompson.
The author would like to thank articling student George Hua, and summer student Amanda Kennedy, for their assistance in preparing this blog.
[1] PIPA’s definition of organizations includes: corporations; unincorporated associations; trade unions; partnerships; individuals acting in a commercial capacity; and, certain non-profit organizations when acting in a commercial capacity.