Good afternoon. I would first like to thank the committee for inviting us here today as witnesses to your proceedings on Bill C-27.
This bill is an important step in modernizing Canada’s private sector privacy law. It would support responsible innovation and development of innovative technologies while adequately protecting privacy rights.
Innovation is occurring in all sectors. These activities benefit Canadians, but there are also risks. This law would play a key role in establishing a foundation of trust amongst Canadians, which would foster the growth of our digital economy.
Alberta's Personal Information Protection Act, PIPA, has been declared substantially similar to the Personal Information Protection and Electronic Documents Act, PIPEDA. The objective of PIPA is essentially the same as that of PIPEDA, and both acts are consent-driven with certain exceptions. Given these similarities, I will not go through PIPA in detail. Instead, I will focus on an aspect of PIPA that may be of interest as you consider the Consumer Privacy Protection Act portion of Bill C-27, and that is specifically our order-making power.
Most reviews and complaints, about 85%, are settled by our informal case resolution team. If settlement fails, the commissioner may conduct an inquiry, a quasi-judicial process, which involves formal submissions to an adjudicator, who then issues an order to remedy any non-compliance.
Our informal case resolution team operates separately from our adjudication team. When a file moves to inquiry, our adjudicators conduct a de novo hearing. They do not have access to what occurred in mediation. Orders are final, binding and not appealable, but they are subject to judicial review by the Alberta Court of King’s Bench.
The majority of our orders are complied with. We have sought a court order to enforce compliance in only a few cases.
This structure brings finality to allegations of non-compliance in a cost-effective, predictive and relatively timely manner. Finality serves several purposes. It creates certainty around the interpretation of PIPA, which serves the interests of both organizations and individuals. It encourages settlement. Because our services are free, our office is fully independent from government, and the majority of our orders are complied with. This reduces the time it takes to remedy non-compliance.
PIPA is scheduled for review by our Standing Committee on Resource Stewardship likely to begin in early in 2024.
Given this, we’ve been paying close attention to what is happening with Bill C-27, specifically the CPPA, as it may influence amendments to PIPA due to PIPA's substantially similar status. We are also considering the impact of Bill C-27 on Albertans when their personal information flows across borders.
In the CPPA, there are positive new privacy protections for Canadians. There is the right to request disposal of personal information, also known as the right to be forgotten; rights regarding the use of automated decision-making systems; and rights regarding data portability. Other improvements include clarification of service providers' role and accountability, administrative monetary penalties to deter non-compliance, proactive auditing, better protection for minors, and the inclusion of privacy as a fundamental right, as well as proposed amendments on the special interests of minors.
However, we have some concerns regarding a few provisions. We are concerned about individuals' loss of control over their personal information resulting from new authorities in section 18 regarding business activities and legitimate interests. We are concerned about how the provisions on de-identification and anonymization would be used, and whether more controls would be required to mitigate potential risks to individuals. We are concerned about whether the inclusion of the tribunal as an appeal body to the Privacy Commissioner's orders would impact our ability to conduct joint investigations.
In addition, there are areas in the bill that could be enhanced. Stronger protections for children, such as those provided for in California and the United Kingdom, could be built in, as could requiring the use of privacy impact assessments in specific circumstances where there are higher risks, and requiring increased rights for the use of automated decision-making systems, and expanding the definition of sensitive information to mitigate the risks of harm that may flow from the processing of certain kinds of personal information.
I thank you for your time. I look forward to further discussion.