Thank you very much.
Thank you, Mr. Chair and committee members, for the invitation to speak to you today as you review the Personal Information Protection and Electronic Documents Act. Here in Alberta, we call it “PIPEEDA” as opposed to “PIPEDA”, as Drew just referred to it. With me are Sharon Ashmore, who is general counsel with my office, and Kim Kreutzer Work, who is the director of knowledge management.
I thought I would start my comments today by speaking briefly about Alberta's Personal Information Protection Act, or PIPA, and then in a very similar way to Drew's presentation, I will provide some brief comments on the four topics that I understand you're interested in. I'll speak about PIPEDA's adequacy vis-à-vis the European Union enforcement powers, and in particular my ability to order compliance, as well as meaningful consent and privacy and reputation. Then, of course, I would be happy to address any questions you might have.
To begin, Alberta's Personal Information Protection Act, or PIPA, came into force on January 1, 2004. The act balances the privacy interest of Albertans with the need of organizations to collect, use, and disclose personal information of their customers, clients, employees, and volunteers for reasonable purposes. PIPA has been declared substantially similar to PIPEDA, which means that in Alberta it is PIPA, and not PIPEDA, that generally covers provincially regulated private sector organizations and businesses.
My role is to provide oversight for the act. I have a number of powers and responsibilities under the legislation to ensure that its purposes are achieved. So far, PIPA has undergone two reviews by all-party committees of the Alberta legislature. This in fact is built into the legislation and is a statutory requirement.
The first review took place in 2006-07 and led to several amendments, most notably, mandatory breach reporting and notification requirements, which came into effect in May of 2010. Alberta became the first private sector jurisdiction in Canada to have mandatory breach reporting and notification, and we have since become the model for many other jurisdictions that are contemplating similar amendments.
I think I'll mention that since 2010 we have seen close to 750 breach reports under PIPA and have issued close to 600 notification decisions. So far, we've found that in approximately 56% of those cases there was a real risk of significant harm, in which case I required the organization to notify affected individuals.
The second review of PIPA was more recent and concluded at the end of 2016. During one of my appearances before that review committee, I spoke about the importance of global considerations when considering amendments to Alberta's legislation. I believe those comments are relevant here again in regard to PIPEDA's adequacy status vis-à-vis the European Union.
When it comes into force, the European Union's general data protection regulation, or GDPR, will make privacy law across Europe stricter and will enhance the protection for Europeans' personal information in such areas as consent, accountability, privacy management frameworks, breach notification, and privacy impact assessments. In a global economy where Canadian and Alberta businesses are participants, and where private sector privacy law needs to be adequate and substantially similar, the effect of the GDPR must be considered in any discussion about amendments to our legislation governing the collection, use, and disclosure of personal information.
I'm not necessarily suggesting that PIPEDA or, by extension, PIPA will be deemed to be inadequate, but I am suggesting that there's a need to be mindful of global and national considerations when we're contemplating amendments, to ensure that they don't weaken the legislation and that they are not out of step with global and national considerations. I think it's important to remember that although legislative requirements and regulations may sometimes seem to be burdensome, they also help to provide the public and businesses and their service partners with stability and reassurance, both of which are necessary to win customers and to facilitate business and information sharing.
Going on to enforcement powers, I'm able to issue orders under all three of the acts for which I provide oversight: our public sector's Freedom of Information and Protection of Privacy Act and our health sector's Health Information Act, as well as PIPA.
Order-making power does not preclude my office from resolving cases by an informal mediation process rather than going through the formal inquiry process. In fact, in most cases when we receive a request for review or a complaint, we investigate and attempt to mediate and resolve that matter informally. It's only when findings and recommendations are not accepted that the matter may proceed to inquiry. In 2015-16, approximately 80% of our cases under PIPA were resolved through that mediation process as opposed to inquiry, and since 2004 we have issued 134 PIPA orders.
In most cases organizations comply with orders. In the very odd case where an organization does not, I can file the order in the Court of Queen's Bench, at which time it becomes enforceable as a judgment of that court. I have had occasion to file orders twice in the last year. In one of those cases it was under the Health Information Act and not PIPA, and in the other case, it had to do with ensuring compliance with a breach notification decision I had issued under PIPA. In both cases, after filing with the court, the matters were resolved before the court heard the cases. In those examples, order-making power was extremely valuable in obtaining compliance.
Moving on to meaningful consent, I will first note that in Alberta, we talk about PIPA as being consent-based legislation, and generally, I think it works well. Requiring organizations to obtain the consent of an individual before collecting personal information and to provide notice of the purpose for collection helps to ensure that individuals are able to make informed decisions and exert some measure of control over their personal information.
However, I am aware of ongoing discussions in certain forums that suggest that a consent-based framework is not always adequate. I seldom hear that consent and notice should be done away with entirely, but there does seem to be concern that in this age of big data, predictive analytics, and complex information systems, consent and notice may not be adequate in all cases and may stifle innovation as well as initiatives that are in the public interest.
I've certainly participated in a number of these conversations where we've tried to define the problem, if there is a problem, and to identify and consider some proposed solutions. In those discussions, I often make reference to Alberta's Health Information Act, for example, which is not consent-based but based on a circle-of-care idea, the concept of legislated acceptable uses. We also make reference to the personal information code under Alberta's PIPA, which again recognizes that consent in an employer-employee relationship might not work, and so consent is not required for collecting certain information. We also look to the Health Information Act for the framework around research and research ethics boards. As Drew mentioned earlier, there are commissioners in the country who are interested in some of the projects, notably the Information Accountability Foundation, and a project on developing an ethical assessment framework for certain big data initiatives.
In any event, I believe any solution to the problem, if there is a problem in this area, would involve a mix of legislative, regulatory, and voluntary options, and I certainly support discussion of these issues, including consultations such as the exercise the federal Privacy Commissioner recently undertook.
Finally, I have a few words to say on privacy and reputation. This topic has seen a lot of attention in recent times, particularly around the idea of a right to be forgotten, and whether such a thing exists in Canada or not, and if it does, how it might be enforced in today's global world.
I mentioned this in the trends and issues section of my 2014-15 annual report and said that this was a topic we should be watching over the next couple of years. In particular, we've seen cases like the May 2014 case in the Court of Justice of the European Union; the recent case involving Globe24h at Canada's Federal Court involving information posted on a Romanian website; and a pending decision from the Supreme Court of Canada in Google v. Equustek Solutions. I think that brings home the fact that these are live issues.
Of note, these cases highlight questions of jurisdiction and legal boundaries and the ability to compel compliance; privacy versus freedom of expression; transparency for public figures such as politicians; and the technical challenges and costs for global companies. These are all complicated issues, but they have found their way to my office, as we have seen a recent uptick in the number of right-to-be-forgotten-type cases in the office. We had previously seen about half a dozen of them over the first seven or eight years of the legislation, but I think we have half a dozen in the office right now. They tend to be focused on such issues as websites publishing personal information collected from some source other than the individual whom the information is about. There are also sometimes complaints around decision-making bodies including personal information in their published decisions.
As there are a number of live matters in my office at the moment, I'm not going to get into too many specifics. We will be issuing decisions in some of these cases. It is worth noting that these discussions have made their way from other countries, contexts, and the courts to real complaints made by real individuals that are currently in my office.
On that note, I will leave my comments there. I'd be happy to respond to any questions.
Thank you.