
Alberta Proposes Modernized Public Sector Privacy and Information Access Legislation: Unpacking Bills 33 and 34

November 20, 2024 Privacy & Data Protection Bulletin 8 minute read

On November 6, 2024, the Alberta government introduced legislative proposals aimed at modernizing the province’s privacy and access to information laws. Bill 33: the Protection of Privacy Act,[1] and Bill 34: the Access to Information Act,[2] represent the first major updates to Alberta’s public sector privacy and access legislation since the early 2000s.

This bulletin provides an overview of the key components of these bills and highlights the potential impact on organizations interacting with Alberta’s public bodies.

Background

The existing Freedom of Information and Protection of Privacy Act[3] (“FOIP Act”), introduced in 1995, is at risk of becoming obsolete due to rapid technological advancements and increasing reliance on digital platforms. As the Alberta government noted, “Alberta’s privacy law is outdated and must be refreshed to meet the realities of the modern world.”[4] The proposed division of the FOIP Act into two separate pieces of legislation, similar to the current federal approach, aims to provide dedicated attention to both access to information and strengthened privacy protections.

Timeline

If passed, both bills will take effect upon proclamation, expected in Spring 2025. Supporting regulations, which would provide further details on requirements such as privacy management programs and privacy impact assessments (“PIAs”), are also anticipated to be published in Spring 2025. Both bills mandate a regular review of the legislation every six years to ensure that the laws remain current with evolving technology and societal needs.[5]

Bill 33: Protection of Privacy Act (“POPA”)

Bill 33 seeks to implement what the Alberta government describes as “the strongest privacy protections in Canada.”[6] If passed, the key components would include the following:

Prohibition on Selling Personal Information

Alberta public bodies would be explicitly prohibited from selling personal information under any circumstances, including for marketing or advertising purposes.[7] Public bodies are defined as Alberta government departments, branches, offices, agencies, boards or commissions, or local government bodies.[8] There are some notable exceptions to what constitutes a “public body” under POPA and ATIA, being the office of the Speaker of the Legislative Assembly and the office of a Member of the Legislative Assembly, and the province’s three levels of court.

Notwithstanding the foregoing, post-secondary educational bodies would be permitted to use alumni records for their own fundraising activities but must discontinue using an individual’s personal information if the alumnus so requests.[9]

Mandatory Breach Notification

In the event of a privacy breach that poses a real risk of significant harm (“RROSH”), such as bodily harm, financial loss, identity theft, fraud, or blackmail, public bodies would be required to promptly notify each of the affected individuals, Alberta’s Office of the Information and Privacy Commissioner (“OIPC”), and the applicable Minister determined under Alberta’s Government Organization Act.[10]

The proposed RROSH threshold mirrors the existing privacy breach reporting threshold found in various private, public, and health sector privacy statutes across Canada, including Alberta’s current private sector Personal Information Protection Act.[11] While public bodies in Alberta are not currently required by law to notify the OIPC of a privacy breach, the OIPC encourages public bodies to voluntarily report privacy breaches.[12]

Transparency in Automated Decision-Making

Alberta public bodies would be required to notify individuals when they collect their personal information if they intend to input it into an automated system to generate content or make decisions, recommendations, or predictions.[13] These terms, including “automated system”, “generate content” and “decisions, recommendations or predictions”, are not currently defined, so it is unclear whether there will be further guidance in the regulations to specify the circumstances captured under this section.

If an individual’s personal information would be used to make a decision that directly affects them, including decisions made using automated systems, the public body would be required to “make every reasonable effort to ensure that the information is accurate and complete”, and retain it for at least one year (unless a shorter period is agreed upon) to allow the individual reasonable access to it.[14] Again, “every reasonable effort” has not been defined under the new bills, but the meaning of “reasonable efforts” generally has been subject to much discussion in case law and literature.

Privacy Management Programs

Alberta public bodies would be required to implement a privacy management program with documented policies and procedures outlining their privacy practices. The program would need to be proportional to the volume and sensitivity of the personal information the public body intends to handle. Any person would be able to request a copy of a public body’s program to understand how their personal information is or will be managed. However, the bill provides a grace period of one year from the date the section comes into force for public bodies to implement such a program. During that period, public bodies would not be required to respond to requests for a copy of the program.[15]

Privacy Impact Assessments (“PIAs”)

Alberta public bodies would be required to conduct PIAs in specific circumstances to identify and mitigate potential privacy risks in their programs and services.[16] The assessment would require public bodies to identify and review risks related to the collection, use, and disclosure of personal information, develop mitigation strategies and safeguards, and address compliance with POPA. This requirement aligns with best practices and mirrors obligations under Alberta’s Health Information Act. The regulations, anticipated in Spring 2025, are expected to provide further details on when PIAs will be required and their necessary content.

Data Matching and Non-Personal Data Rules

Alberta public bodies would be permitted to use data matching, the process of linking personal information across multiple databases, to create data derived from personal information for purposes such as research, analysis, or program planning (e.g., two government ministries may align datasets to evaluate program eligibility for an applicant). This process would be required to comply with security measures prescribed under POPA and would only permit the use of personal information that is already in the custody of the public body or obtained from another Alberta public body. Derived data would only be permitted to be retained for its intended purpose and would have to be destroyed or transformed into non-personal data (i.e., anonymized information that does not identify individuals) when no longer required.[17]

Non-personal data would be permitted to be created by Alberta public bodies for research, analysis, or service delivery improvements (e.g., analyzing anonymized data to identify demographic trends in service usage), using secure and prescribed methods so individuals cannot be identified. While non-personal data can be shared under strict conditions prohibiting re-identification and unauthorized use, public bodies would be required to maintain records of its creation and protect it against risks such as unauthorized access or disclosure.[18]

Stronger Penalties

Bill 33 proposes “the strictest penalties in Canada” for misuse of personal information:[19]

  • For breaches involving personal information (e.g., disclosure without consent), individuals would be subject to fines of up to $125,000, while organizations can be fined up to $750,000.
  • In cases involving non-personal data or broader data-related violations (e.g., research partner knowingly re-identifying non-personal data), individuals would be subject to penalties of up to $200,000, with organizations potentially facing fines as high as $1 million.

Impact on Organizations

While Bill 33 places significant responsibilities on Alberta public bodies, private sector organizations may also feel indirect effects. Businesses interacting with public bodies (such as through goods and services procurement contracts, or as part of regulatory processes) may face stricter contractual or policy requirements related to privacy and data protection. Private organizations may need to align their data handling practices with the heightened standards to maintain relationships with public sector clients.

Bill 34: Access to Information Act (“ATIA”)

Bill 34 aims to modernize Alberta’s access to information law to align with other Canadian jurisdictions that have recently updated their legislation to reflect the digital age. If passed, the key components would include the following:

Recognition of Electronic Records

Bill 34 defines “electronic record” broadly as “a record that exists at the time a request for access is made or that is routinely generated by a public body that can be any combination of texts, graphics, data, audio, pictorial or other information represented in a digital form that is created, maintained, archived, retrieved or distributed by a computer system”.[20] “Public body” has the same meaning as discussed above under POPA.

Extended Timeline for OIPC Review

The timelines for responses and applicant communications would be changed by specifying “business days”, which adjusts existing deadlines to exclude Saturdays, holidays, or days when Alberta government offices are closed as part of the Government of Alberta’s Christmas closure.[21] This change, while aligning with operational realities, could result in longer waiting times for applicants.

Emergency Extensions

During emergencies, public bodies would be permitted to extend access request timelines, allowing them to focus resources on critical, immediate response efforts, if necessary.[22]

Expanded Cabinet Confidentiality

Bill 34 expands on cabinet confidentiality obligations, adding new exemptions for communications solely among political staff or between political staff and members of the Executive Council, potentially limiting the transparency of political discussions.[23]

Expanded Grounds for Disregarding Requests

Bill 34 also allows requests to be disregarded if they are abusive, threatening, frivolous, fail to meet new criteria for clarity and scope, or are otherwise overly broad or incomprehensible.[24] These terms have not been defined, so it is unclear if the regulations will provide guidance on the criteria for disregarding a request and how the public body is to make its decision.

If a request has been disregarded by a public body, the applicant would need to be notified within 30 business days with the reasons, and the applicant would be able to request a review of that decision.[25]

Workplace Investigative Records

The confidentiality of workplace investigation records would be strengthened, with Bill 34 expanding the exceptions to disclosure to protect workplace investigative processes if their release could harm the integrity of an investigation or the safety of individuals involved.[26] In comparison, the FOIP Act provided more generalized protections for law enforcement or privacy-related disclosures.[27]

Requests Between Public Bodies

Public bodies would be explicitly prohibited from submitting an access request to another public body.[28] This change could foster a more direct communication model among public bodies rather than relying on formal access-to-information processes. However, it could also lead to friction or unanswered requests where public bodies do not have strong working relationships.

Proactive Disclosure

Alberta public bodies would be able to specify categories of records that are made publicly available without a formal access request. While this aligns with the existing FOIP Act,[29] Bill 34 permits public bodies to exclude exempted information from a record that is proactively available to the public and removes the right to seek a review of decisions related to proactive public disclosure.[30]

Impact on Organizations

Like Bill 33, the changes introduced by Bill 34 primarily target public bodies but will likely have indirect implications for organizations that interact with these entities. Businesses relying on access to governmental data for decision-making or operational purposes may face delays due to extended response timelines. Additionally, changing access parameters may limit the availability of certain records, requiring adjustments in how entities request and utilize public information.

For assistance in navigating these legislative proposals and understanding their impact on your business, please contact our Privacy & Data Protection Group. We are here to assist you in staying informed about regulatory developments and adapting to Alberta’s evolving privacy and access to information laws.

[1] Bill 33: Protection of Privacy Act, 2024, Government of Alberta (“POPA”).
[2] Bill 34: Access to Information Act, 2024, Government of Alberta (“ATIA”).
[3] Freedom of Information and Protection of Privacy Act, RSA 2000, c F-25 (“FOIP Act”).
[4] Protection of Privacy Act frequently asked questions, 2024, Government of Alberta.
[5] POPA, s.63; ATIA, s.100.
[6] Strengthening privacy protections for the digital age | alberta.ca.
[7] POPA, s.11.
[8] The term “public body” under POPA has the same meaning as public body, as defined in ATIA, s.1(t).
[9] POPA, s.12.
[10] POPA, s.10(2).
[11] Personal Information Protection Act, SA 2003, c P-6.5, s.34(1).
[12] How to Notify the OIPC of a Privacy Breach – Office of the Information and Privacy Commissioner of Alberta
[13] POPA, s.5(2)(d).
[14] POPA, s.6.
[15] POPA, s.25.
[16] POPA, s.26.
[17] POPA, ss.17-20.
[18] POPA, ss.21-24.
[19] POPA, ss.60(2-3).
[20] ATIA, s.1(f).
[21] ATIA, s.1(c). The Government of Alberta “Christmas closure directive” is a directive covering Christmas Closure of government offices and non-continuous operations.
[22] ATIA, ss.16(9), 36(2).
[23] ATIA, ss.4(1), 27.
[24] ATIA, s.9(1).
[25] ATIA, s.9.
[26] ATIA, s.24.
[27] FOIP Act, ss.17, 20.
[28] ATIA, s.8.
[29] FOIP Act, s.88.
[30] ATIA, s.90.

by Julia Loney, Stephen Johnson, Meghna Jain (Articling Student)

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2024
