Skip to content

Brought to you by

Dentons logo

Dentons Data

Your trusted advisor for all things digital.

open menu close menu

Dentons Data

  • Home
  • About Us

Will Alberta have a new privacy law before the federal government?

By Melika Mostowfi
March 12, 2025
  • AB PIPA
  • Legislation
Share on Facebook Share on Twitter Share via email Share on LinkedIn

Against the backdrop of the doomed federal Bill C-27 (which would have introduced the new Consumer Privacy Protection Act (CPPA)), the Alberta government is moving forward with its modernization of Alberta’s private sector privacy legislation, the Personal Information Protection Act (PIPA). The special committee reviewing PIPA just released its Final Report making recommendations for revisions.

Proposed revisions would include new powers for the Office of the Information and Privacy Commissioner of Alberta (OIPC) to directly levy monetary penalties, and other revisions would address anonymization, children’s privacy, requirements for consent, and assessing harm in the context of breaches.

Background

PIPA came into force over two decades ago and is required to be reviewed by a special committee of the Alberta Legislature every 6 years. On December 5, 2023, the Legislative Assembly of Alberta referred PIPA to the Standing Committee on Resource Stewardship (Committee) for the purposes of a comprehensive review. The Committee’s review started in January 2024 and in February of that year, it released a paper titled Emerging Issues: The Personal Information Protection Act, outlining some emerging issues in privacy to be considered in the review. A consultation period followed (see our earlier blog post).

The OIPC also made its own series of recommendations.

The Committee issued its Final Report to the Legislature in February 2025, and it will now go to Cabinet for decisions on implementing the recommendations.

Recommendations

The Committee’s Final Report recommends extensive changes to the PIPA, which largely align PIPA with global privacy laws and the now defunct CPPA. These can be summarized as follows:

Minors’ personal information: The amended PIPA should contain specific provisions regarding the collection, use and disclosure of minors’ personal information, ensuring that privacy protections are robust for younger individuals.

Application to Nonprofits: Nonprofit organizations are currently not subject to PIPA, except when they engage in commercial activity. Amendments should clarify the meaning of “commercial activity” in relation to nonprofit organizations and their responsibilities regarding the protection of personal information.

Consent requirements: The Final Report maintains consent as the primary basis for processing. Amendments should revise consent requirements for the collection, use, and disclosure of personal information to clearly define express consent, deemed consent, and opt-out consent.

Data deidentification and anonymization: PIPA is currently silent on anonymization, and amendments should introduce standardized definitions and clear requirements for subsequent use of de-identified data, of personal information, which could make it easier for organizations to handle data while minimizing privacy risks. The Committee also recommended that Cabinet consider the OIPC’s recommendations on these issues:

  • creating standards and requirements the process of both de-identification and anonymization;
  • allowing the use of de-identified data for “legitimate purposes” and specifically permit organizations to create anonymized information;
  • introducing prohibitions against:
    •  de-identification or anonymization outside of accepted standards;
    • use of the term “de-identified” or “anonymized” to suggest no personal information is being used unless the standards are met;
    • selling de-identified personal information;
    • re-identification (outside certain narrow situations);
  • requirements to conduct risk assessments, maintain documents and records, for both types of information and to separate identifying information from the de-identified data set; and
  • make violation of the de-identification and anonymization provisions subject to penalties.

Notification of automated decisions: Amendments should introduce provisions requiring notifications when automated decision-making processes are used, ensuring transparency for individuals affected by these technologies.

Strengthening enforcement: Amendments should authorize the OIPC to impose administrative monetary penalties for violations of PIPA and increase the amount of fines allowed to be levied by courts for offences to match those of other provinces (up to a maximum of CA$10,000 for individuals and CA$100,000 for “non-individuals”).

Cross-jurisdictional alignment: Amendments should seek to harmonize Alberta’s PIPA with other federal and provincial laws and international standards to ensure consistency and to facilitate smoother cross-jurisdictional data transfers.

Significant harm definition: Amendments should create a definition of “significant harm” in respect of the loss or unauthorized access or disclosure of personal information.

Third-party service providers: New provisions should formalize the requirement for an organization to contractually bind a third-party service provider to comply with the requirements of PIPA in respect of personal information in its custody or under its control.

Next steps

Many of these changes reflect the provisions proposed in the CPPA and in effect in the new Quebec privacy law. The Committee specifically had recommended that the Alberta government monitor the progress of Bill C-27 and take the necessary steps to ensure that the PIPA continues to be substantially similar to federal private-sector personal information privacy legislation.

Given the prorogation of Parliament, bills such as Bill C-27 that have not received Royal Assent are effectively terminated and Bill C-27 (or its new incarnation) would have to be re-introduced in the new Parliamentary session. The uncertainty facing any new federal legislation may mean the Alberta amendments may pass ahead of any federal law and could then require further changes to ensure that the substantially similar threshold is met.

If Cabinet moves forward with the recommendations for amendments to PIPA, Alberta will be the second province after Quebec to align itself with world-leading jurisdictions that have enacted comprehensive privacy legislation.


For more information on this topic, please contact the author Melika Mostowfi or other members of the Dentons Privacy and Cybersecurity group.

Share on Facebook Share on Twitter Share via email Share on LinkedIn
Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
Melika Mostowfi

About Melika Mostowfi

Melika Mostowfi is an associate in the Litigation & Dispute Resolution group of Dentons’ Calgary office. She assists clients on a variety of commercial and civil litigation matters and is experienced in incident response in the areas of cybersecurity and privacy law.

All posts Full bio

RELATED POSTS

  • Cybersecurity
  • Data
  • Legislation

Data protection at the border: What travellers should know about Bill S-7

By Kirsten Thompson and Kelly Blackbeard
  • Artificial Intelligence
  • Cybersecurity
  • Legislation
  • Privacy

Ontario proposes modernization of public sector privacy, cybersecurity, and AI regulation

By Jaime Cardy
  • BC FIPPA
  • Legislation
  • Privacy

Proposed BC FIPPA amendments would loosen requirements to keep personal information in Canada

By Sasha Coutu and Eleni Kassaris

About Dentons

Redefining possibilities. Together, everywhere. For more information visit dentons.com

Grow, Protect, Operate, Finance. Dentons, the law firm of the future is here. Copyright 2023 Dentons. Dentons is a global legal practice providing client services worldwide through its member firms and affiliates. Please see dentons.com for Legal notices.

Categories

Subscribe and stay updated

Receive our latest blog posts by email.

Stay in Touch

Dentons logo in black and white

© 2025 Dentons

  • Legal notices
  • Privacy policy
  • Terms of use
  • Cookies on this site