Written By Simon Johnson

Apart from the inherent value in protecting individuals' privacy, there are at least four practical reasons for compliance with the Alberta Personal Information Protection Act (“PIPA”) by businesses and organizations.

First, an individual who believes that there has been noncompliance with PIPA may contact the Commissioner to request a review or make a complaint. A review or complaint that is not resolved informally may lead to an inquiry by the Commissioner. Following an inquiry, the Commissioner has a broad power to make orders, including an order requiring an organization to stop collecting, using or disclosing personal information in contravention of PIPA, or to destroy information collected in violation of PIPA. While it may be possible to negotiate terms of an order with the Commissioner, a business or organization that has been found to be violating PIPA is inherently negotiating from a position of weakness. A compliance strategy developed proactively and voluntarily is likely to be less expensive, and more responsive to an organization's needs, than a compliance strategy negotiated with, or imposed by, the Commissioner.

Second, PIPA creates a number of offences for noncompliance. An individual may be fined up to $10,000, while a corporation may be fined up to $100,000. It is not likely that prosecutions will be a first-line enforcement strategy under PIPA, but there is a risk of prosecution, either by the Commissioner or by an aggrieved individual.

Third, PIPA creates a civil remedy for damages once the Commissioner has made an Order. Unlike the federal privacy legislation, which gives a right of action to “the complainant”, PIPA gives a right of action to an “individual affected by the order”. This phrase probably means that, in those circumstances where an order relates to the general practices of a business or an organization, every person whose personal information is subject to those general practices has a right of action. This is very significant due to the coming into force of the Alberta Class Proceedings Act on April 1, 2004. This Act permits one individual to bring a class action on behalf of all affected individuals. Even though the damages that any one individual could claim may be small, the total damages for the entire class could be very large. Class actions are probably the most important developing area of litigation risk for businesses and organizations in Alberta, and class action litigation risk is probably the most significant potential exposure created by PIPA. Breach of privacy legislation is a textbook example of the type of claim that is not economically feasible for an individual but is attractive to plaintiff s' counsel as a class action.

Fourth, PIPA makes privacy compliance an important issue in mergers and acquisitions. To the extent that vendors are warranting compliance with privacy legislation specifically, or regulatory statutes generally, they are open to claims for breach of those warranties to the extent that there is noncompliance with PIPA. Conversely, a purchaser in a share purchase transaction or amalgamation may find itself assuming civil or even quasi-criminal liabilities for its acquisition's failure to comply with PIPA. Respecting privacy is more than an inherently good practice. Now that PIPA is in force, compliance with its provisions is imperative to avoid a wide range of potentially serious and expensive liabilities.