Review of the Personal Information Protection Act of Alberta
Submission of the Office of the Privacy Commissioner of Canada to the Legislative Assembly of Alberta’s Standing Committee on Resource Stewardship
May 31, 2024
BY EMAIL
Mr. Garth Rowswell, MLA
Chair, Standing Committee on Resource Stewardship
Legislative Assembly of Alberta
9820 - 107 Street, NW
Edmonton, Alberta T5K 1E7
Dear Mr. Rowswell:
The Office of the Privacy Commissioner of Canada (OPC) welcomes the invitation of the Legislative Assembly’s Standing Committee on Resource Stewardship to participate in the Committee’s review of Alberta’s Personal Information Protection Act (PIPA). I am pleased to have this opportunity to highlight the context of federal privacy law reform and how the interoperability of privacy laws benefits both consumers and businesses.
My Office oversees compliance with the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private-sector privacy law.
Protecting privacy is more important and challenging than ever in a rapidly expanding environment of emerging technologies and business models that leverage the use, collection, and disclosure of personal information. These advancements bring many benefits for our lives and the economy, but they also introduce new privacy risks. Canadians need and expect modernized privacy laws that support innovation and enable them to enjoy the many benefits of technology with the reassurance that their personal information is being appropriately protected.
Interoperability of privacy laws, both domestically and internationally, is essential to fostering Canadians’ trust that their personal information will be treated in a manner that is compatible with our rights and values, no matter where their data resides or is transferred. Interoperability also benefits organizations, as it can simplify regulatory requirements and reduce compliance costs, thus facilitating innovation and competition for Canadian businesses. Organizations also benefit from the clarity provided by joint regulatory guidance.
PIPEDA sets national standards for privacy practices in the private sector. Organizations may be exempted from the application of PIPEDA with respect to the collection, use or disclosure of personal information that occurs within a province where a provincial law that has been deemed to be substantially similar to PIPEDA applies. Alberta, along with Quebec and British Columbia, currently has a private-sector privacy law that has been deemed substantially similar to PIPEDA. This means that in many circumstances, the provincial law applies instead of the federal law.
This framework allows me to work closely with my counterparts in Alberta, British Columbia and Quebec, on activities such as joint investigations and guidance for organizations to help them with compliance.
Interoperability at the international level is also important to facilitate commercial exchanges of personal information across borders. In January of this year, Canada’s adequacy status under the European Union’s General Data Protection Regulation was reviewed, with the European Commission finding that Canada continues to provide an adequate level of protection of personal information transferred from the EU to recipients subject to PIPEDA. In its report, the Commission recommended enshrining in legislation some of the protections that have been developed at sub-legislative level to enhance legal certainty and consolidate new requirements, such as requirements for sensitive personal information. The Commission stated an intention to closely monitor future developments in Canada.
The Digital Charter Implementation Act, 2022
On June 16, 2022, the Government of Canada tabled Bill C-27, the Digital Charter Implementation Act, 2022, which would repeal Part 1 of PIPEDA and enact the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act. The bill is currently going through clause-by-clause consideration by the House of Commons Standing Committee on Industry and Technology (INDU).
Bill C-27 would maintain PIPEDA’s approach to substantial similarity. As under PIPEDA, the Governor in Council would determine whether the privacy legislation of a province is substantially similar to the CPPA. Under C-27, the Governor in Council may also make regulations establishing the criteria and process for making, or reconsidering, a determination of substantial similarity.
In many ways, Bill C-27 is an improvement over PIPEDA. Bill C-27 establishes stronger privacy protections for individuals and creates incentives for organizations to comply while allowing for greater flexibility to innovate. Encouraging innovation in a privacy protective manner will help increase individuals’ privacy and control over their personal information, as well as their trust and ability to realize the benefits of the online economy.
In April 2023, my Office made a submission on Bill C-27 to INDU with 15 key recommendations that I believe are necessary to better protect the privacy of Canadians while supporting Canada’s innovation and competitiveness. The full submission, containing details on my 15 key recommendations, is attached for reference.
I would note that our submission on Bill C-27 discussed many of the topics raised in the document posted by the Committee titled “Emerging Issues: The Personal Information Protection Act” such as consent, de-identification and anonymization, privacy impact assessments, administrative monetary penalties, automated decision-making, the right to erasure, and data portability.
For instance, our submission recommended strengthening the framework for de-identified and anonymized information to allow organizations flexibility in using de-identified information while ensuring that privacy is protected.
We also recommended requiring organizations to build privacy into the design of products and services, and to conduct privacy impact assessments (PIAs) for high-risk initiatives. PIAs can help organizations demonstrate that they are accountable for personal information under their control, ensure that they are in compliance with the law and limit the risk of privacy breaches. In my October 19, 2023, appearance before INDU on Bill C-27, I also highlighted PIAs as a particularly critical measure in the context of AI and other high-risk initiatives that may significantly impact individuals.
Achieving commercial objectives and privacy protection are not mutually exclusive. Privacy can be an accelerator of Canadians’ trust in the digital economy, rather than an obstacle to innovation and competition. However, in those rare circumstances where the two are in unavoidable conflict, fundamental privacy rights should prevail. That is why my first recommendation with regard to Bill C-27 was to recognize the fundamental right to privacy in the law, in both the preamble and purpose clause of the CPPA, and to embed the preamble in the Acts that would be enacted. I was pleased to see that INDU adopted an amendment embedding the preamble in the CPPA and recognizing the fundamental right to privacy in the law.
Another of my key recommendations was to amend the preamble to recognize the importance of children’s privacy and the best interests of the child. Importantly, INDU has also adopted this recommendation in the CPPA’s new preamble. Including the best interests of the child in the preamble will encourage organizations to build privacy for children into products and services, from the start and by design, and serve as an important interpretive tool. The addition of children’s privacy to the framing section of the legislation is especially encouraging, as it reflects the recommendations made in the Resolution of the Federal, Provincial and Territorial Privacy Commissioners and Ombuds with Responsibility for Privacy Oversight on Putting the best interests of young people at the forefront of privacy and access to personal information.
INDU has also amended the bill to include definitions for “lawful authority,” “minor,” “profiling,” and “sensitive information.” They have also notably amended the definition of “personal information” to include inferred information. These amendments will help to clarify organizations’ obligations under the law.
As clause-by-clause consideration of Bill C-27 continues, I hope to see INDU continue to implement my recommendations.
Conclusion
The Committee’s review of PIPA comes during a crucial time for privacy law reform in Canada. Fostering consumer confidence in organizations’ responsible use of personal information is critical in helping position Canada as a global leader in privacy. I believe a strong, harmonized federal-provincial-territorial privacy regime based on common principles will help to achieve this goal.
Sincerely,
(Original signed by)
Philippe Dufresne
Commissioner