Bill C-27 was proposed by the federal government in 2022 and was designed to modernize the framework for the protection of personal information in the private sector. In January 2025, Bill C-27 failed to clear the legislative process due to the prorogation of Parliament, and is thus no longer actively under consideration (see our earlier article).

During this time, Alberta was also working toward modernizing its Personal Information Protection Act ("PIPA"), the province's private sector privacy legislation. After a comprehensive review and corresponding consultation period, a final report has been submitted to the Legislative Assembly of Alberta by the Standing Committee on Resource Stewardship (the "Committee") that includes several recommendations to bring PIPA in line with global privacy standards, and to maintain PIPA’s status as “substantially similar” to the federal privacy law should federal reform efforts proceed.

Recommendations

The final report includes the following recommendations:

  1. Implementing specific requirements for the collection, use and disclosure of personal information of a minor.
  2. Permitting the Information and Privacy Commissioner to impose monetary administrative penalties on organizations and formulate a mechanism for an organization to appeal a penalty.
  3. Ramping up measures relating to deidentification and anonymization of personal information including standardized definitions and requirements for the use of such data.
  4. Increasing alignment of provincial privacy legislation and privacy standards across the private, public and health sectors.
  5. Clearly defining the activities in which non-profit organizations will become subject to governance under the privacy legislation and develop best practices for data collection and disclosure when carrying out such activities.
  6. More clearly define, using simple language, key concepts such as "deemed consent," "express consent" and "opt-out consent" so individuals can gain a better understanding of the degree of collection, use and disclosure they are providing to the organization over the information they have disclosed.
  7. Defining significant harm in respect of a loss, unauthorized access or unauthorized disclosure of personal information to set a clear threshold that may trigger reporting, notification or other corrective action.
  8. Requiring notification to an individual where an organization may use automated processing to make a decision about that individual.
  9. Requiring organizations to contractually bind third-party service providers to comply with the requirements of the legislation in respect of personal information in its custody or control.
  10. Aligning with other jurisdictions in Canada with respect to penalizing an organization who does not comply with the legislation — ensuring the penalties in Alberta are the same or higher than those under similar legislation elsewhere in Canada.
  11. Ensuring ongoing monitoring of progressive privacy legislation globally, as well as Bill C-27 (or other federal proposals for privacy reform) nationally, to enhance effectiveness and cohesiveness and maintain PIPA’s status as substantially similar to the federal law.

Cabinet will review these recommendations and determine the exact manner in which they will be implemented into the next iteration of PIPA.

Gowling WLG’s Cyber Security & Data Protection Group continues to monitor the status of these recommendations and any progress regarding proposals for reformed federal privacy legislation. For information on how these changes may affect your organization, please reach out to a member of our team.