Alberta and British Columbia are two of three provinces in Canada that have their own provincial private-sector privacy legislation deemed to be substantially similar to the current federal Personal Information Protection and Electronic Documents Act. This year marked the 20th anniversary of the enactment of both Alberta’s Personal Information Protection Act (“AB PIPA”) and British Columbia’s Personal Information Protection Act (“BC PIPA”), along with their respective associated regulations introduced in 2004. These milestones provide an opportunity to reflect on the evolving landscape of privacy law in both provinces over the last year.

Appointment of new British Columbia Information and Privacy Commissioner

On April 11, 2024, Michael Harvey was appointed as Information and Privacy Commissioner for BC for a six-year term, commencing on May 6, 2024. In his statement during Privacy Awareness Week, Commissioner Harvey reiterated the importance of transparency, accountability and security with respect to privacy law, particularly in the face of increased use of technology, such as artificial intelligence systems.

Changes to privacy impact assessments in Alberta

Effective Oct. 1, 2024, the Office of the Information and Privacy Commissioner of Alberta (“OIPC”) updated its process for managing privacy impact assessments (“PIAs”) to increase efficiency and reduce backlog in the review process, enable timely resolution of PIA submissions and permit the OIPC to allocate resources to PIA submissions which require additional attention.

The changes primarily affect custodians under the Health Information Act (Alberta), which are legally required to submit PIAs to the OIPC for review and comment before implementing new administrative practices or information systems. Public bodies under the Freedom of Information and Protection of Privacy Act (Alberta) and private-sector organizations under the AB PIPA are not statutorily required to submit PIAs to the OIPC, but the OIPC recommends and encourages them to voluntarily submit PIAs for review and feedback.

As a result of these changes, PIAs will no longer be accepted, conditionally accepted or not accepted. The OIPC will review PIAs and issue a closing letter with comments and recommendations. If a PIA submission is incomplete or insufficient, the OIPC will generally not ask additional questions, in order to avoid delay in the review process. The OIPC will close the file, notify the submitter and advise them to consider resubmitting the PIA.

Additional updates include changes to the OIPC’s Privacy Impact Assessment Requirements Guide and the development of new PIA resources to assist parties in completing and submitting PIAs to the OIPC.

Changes to privacy breach reporting

Alberta

Effective April 1, 2024, the OIPC updated its procedure for processing privacy breach notifications under the AB PIPA. The revised procedure involves an expedited process to prioritize processing of PIPA breach files involving a real risk of significant harm (“RROSH”), especially where organizations have not notified affected individuals or failed to meet the AB PIPA Regulation requirements. The OIPC now issues breach notification decisions only for cases involving RROSH and publishes decisions in its discretion. We previously wrote about this update, which can be found here.

British Columbia

On Jan. 29, 2024, then-Privacy Commissioner Michael McEvoy (“Commissioner McEvoy”) of the Office of the Information and Privacy Commissioner of BC (“IPC”) published a statement in honour of Data Privacy Day and the 20th anniversary of the enactment of the BC PIPA. Commissioner McEvoy highlighted that the BC PIPA warrants review to include a statutory requirement for breach reporting:

PIPA is nearly alone among private sector laws in North America in lacking mandatory breach notification – an obligation for organizations to inform our office and individuals affected of privacy breaches that could cause serious harm, so that we can work with them to mitigate those risks. Among other things, the legislation should also provide for administrative monetary penalties that ensure a financial deterrent for bad actors flagrantly disregarding someone’s privacy rights.

BC introduced mandatory breach reporting and privacy management program requirements for public bodies on Feb. 1, 2023, through additions to the Freedom of Information and Protection of Privacy Act (British Columbia) and associated regulations. To date, breach reporting for organizations subject to the BC PIPA remains voluntary.

This gap has drawn scrutiny at both the provincial and federal levels. The Office of the Privacy Commissioner of Canada (“OPC”) has noted similar disparities between public and private-sector breach reporting frameworks. Although federal institutions governed by the Privacy Act follow breach reporting guidelines from the Treasury Board Secretariat, they are not legally obligated to report breaches, unlike private-sector organizations subject to PIPEDA.

The OPC’s 2023-2024 Annual Report highlights the impact of these inconsistencies: the OPC received 321 cyber incident reports from the private sector but only 37 reports from federal institutions. Since the introduction of mandatory breach reporting under PIPEDA in November 2018, the number of reported breaches has increased sixfold, reflecting both an increase in incidents and greater compliance with reporting requirements.

The OPC continues to advocate for stronger breach reporting rules. It has recommended that Bill C-27 introduce a requirement for both organizations and service providers to report breaches to the OPC without unreasonable delay—and no later than seven days after becoming aware of the incident. These changes aim to align federal regulations with best practices, ensuring timely breach reporting and minimizing harm. We previously wrote about the OPC’s key recommendations on Bill C-27, which can be found here.

The profound technological changes over the past two decades since the AB PIPA and BC PIPA were enacted highlight the need to update provincial privacy laws to address new risks and challenges. As privacy risks grow more complex, provinces may need to pursue their own reforms rather than await federal updates through Bill C-27, which faces uncertainty in Parliament amid recent political developments.

We continue to monitor privacy law developments in Alberta, British Columbia and federally. To discuss privacy law developments in Alberta and British Columbia further, please contact a member of our Cyber Security and Data Protection Group.