Against the backdrop of the doomed federal Bill C-27 (which would have introduced the new Consumer Privacy Protection Act (CPPA)), the Alberta government is moving forward with its modernization of Alberta’s private sector privacy legislation, the Personal Information Protection Act (PIPA). The special committee reviewing PIPA just released its Final Report making recommendations for revisions.
Proposed revisions would include new powers for the Office of the Information and Privacy Commissioner of Alberta (OIPC) to directly levy monetary penalties, and other revisions would address anonymization, children’s privacy, requirements for consent, and assessing harm in the context of breaches.
Background
PIPA came into force over two decades ago and is required to be reviewed by a special committee of the Alberta Legislature every 6 years. On December 5, 2023, the Legislative Assembly of Alberta referred PIPA to the Standing Committee on Resource Stewardship (Committee) for the purposes of a comprehensive review. The Committee’s review started in January 2024 and in February of that year, it released a paper titled Emerging Issues: The Personal Information Protection Act, outlining some emerging issues in privacy to be considered in the review. A consultation period followed (see our earlier blog post).
The OIPC also made its own series of recommendations.
The Committee issued its Final Report to the Legislature in February 2025, and it will now go to Cabinet for decisions on implementing the recommendations.
Recommendations
The Committee’s Final Report recommends extensive changes to the PIPA, which largely align PIPA with global privacy laws and the now defunct CPPA. These can be summarized as follows:
Minors’ personal information: The amended PIPA should contain specific provisions regarding the collection, use and disclosure of minors’ personal information, ensuring that privacy protections are robust for younger individuals.
Application to Nonprofits: Nonprofit organizations are currently not subject to PIPA, except when they engage in commercial activity. Amendments should clarify the meaning of “commercial activity” in relation to nonprofit organizations and their responsibilities regarding the protection of personal information.
Consent requirements: The Final Report maintains consent as the primary basis for processing. Amendments should revise consent requirements for the collection, use, and disclosure of personal information to clearly define express consent, deemed consent, and opt-out consent.
Data deidentification and anonymization: PIPA is currently silent on anonymization, and amendments should introduce standardized definitions and clear requirements for subsequent use of de-identified data, of personal information, which could make it easier for organizations to handle data while minimizing privacy risks. The Committee also recommended that Cabinet consider the OIPC’s recommendations on these issues:
- creating standards and requirements the process of both de-identification and anonymization;
- allowing the use of de-identified data for “legitimate purposes” and specifically permit organizations to create anonymized information;
- introducing prohibitions against:
- de-identification or anonymization outside of accepted standards;
- use of the term “de-identified” or “anonymized” to suggest no personal information is being used unless the standards are met;
- selling de-identified personal information;
- re-identification (outside certain narrow situations);
- requirements to conduct risk assessments, maintain documents and records, for both types of information and to separate identifying information from the de-identified data set; and
- make violation of the de-identification and anonymization provisions subject to penalties.
Notification of automated decisions: Amendments should introduce provisions requiring notifications when automated decision-making processes are used, ensuring transparency for individuals affected by these technologies.
Strengthening enforcement: Amendments should authorize the OIPC to impose administrative monetary penalties for violations of PIPA and increase the amount of fines allowed to be levied by courts for offences to match those of other provinces (up to a maximum of CA$10,000 for individuals and CA$100,000 for “non-individuals”).
Cross-jurisdictional alignment: Amendments should seek to harmonize Alberta’s PIPA with other federal and provincial laws and international standards to ensure consistency and to facilitate smoother cross-jurisdictional data transfers.
Significant harm definition: Amendments should create a definition of “significant harm” in respect of the loss or unauthorized access or disclosure of personal information.
Third-party service providers: New provisions should formalize the requirement for an organization to contractually bind a third-party service provider to comply with the requirements of PIPA in respect of personal information in its custody or under its control.
Next steps
Many of these changes reflect the provisions proposed in the CPPA and in effect in the new Quebec privacy law. The Committee specifically had recommended that the Alberta government monitor the progress of Bill C-27 and take the necessary steps to ensure that the PIPA continues to be substantially similar to federal private-sector personal information privacy legislation.
Given the prorogation of Parliament, bills such as Bill C-27 that have not received Royal Assent are effectively terminated and Bill C-27 (or its new incarnation) would have to be re-introduced in the new Parliamentary session. The uncertainty facing any new federal legislation may mean the Alberta amendments may pass ahead of any federal law and could then require further changes to ensure that the substantially similar threshold is met.
If Cabinet moves forward with the recommendations for amendments to PIPA, Alberta will be the second province after Quebec to align itself with world-leading jurisdictions that have enacted comprehensive privacy legislation.
For more information on this topic, please contact the author Melika Mostowfi or other members of the Dentons Privacy and Cybersecurity group.
