Overview
On August 13, 2020, Ontario’s Ministry of Government and Consumer Services announced that the Ontario government has launched consultations to improve the province’s privacy protection laws.1 The focus of the consultations is on strengthening transparency and accountability concerning the collection, use and safeguarding of personal information online, with the goal of creating a “legislative framework for privacy in the province’s private sector”. The government cited the impact that the COVID-19 pandemic has had on increasing reliance on digital platforms to carry out day-to-day tasks as a key motivator for launching these consultations now.
Specifically, the province provided a list of privacy issues on which it is seeking advice during these consultations. The list includes issues related to:
- Increased transparency on how an individual’s personal information is used;
- Improved consent rules;
- A right for individuals to request that information related to them be deleted (i.e., the right to be forgotten);
- Providing individuals with more portable, digital access to their data;
- Clearer requirements related to data derived from personal information;
- Enforcement of the province’s privacy laws; and
- Expanding the scope and application of the province’s privacy laws.
The consultations will take place in the form of web conferences, written submissions and an online survey. The government emphasized that anyone in Ontario is allowed and encouraged to participate in the consultations by completing the online survey or by submitting a written submission between now and October 1, 2020.
Significance for Ontario Businesses
Given that the stated goal of these consultations is to create a new legislative framework for privacy in Ontario’s private sector, these consultations are likely to lead to a substantial change in how privacy law applies to private organizations, including businesses and employers in Ontario. The collection, use and disclosure of personal information is currently governed by federal statute, namely, the Personal Information Protection and Electronic Documents Act (PIPEDA), meaning that, contrary to popular belief, Ontario does not currently have its own provincial privacy legislation that regulates the collection, use and disclosure of personal information by private sector organizations. It is also important to note that PIPEDA only applies to employee information in connection with organizations that are considered to be federal works, undertakings or businesses (FWUBs). As a result, a provincial privacy statute may impose new obligations on handling employee personal information by employers in the province who would not meet the definition of an FWUB.
The creation of a new privacy legislative framework in Ontario may also significantly impact the extent to which PIPEDA applies in Ontario. If a provincial privacy law provides an equal or greater level of privacy protection as PIPEDA and incorporates PIPEDA’s fair information practices, the federal Governor in Council (i.e., the federal cabinet) may issue an order by which the provincial law will be classified as “substantially similar” to PIPEDA. The effect of this classification is that organizations subject to the provincial law would generally be exempt from PIPEDA with respect to the collection, use or disclosure of personal information that occurs within that province. Currently, Alberta, British Columbia and Quebec have general-application private-sector privacy laws for which these orders have been issued, so it is possible that a robust new Ontario privacy statute could receive the same designation.
History of Ontario’s Privacy Law Developments
It should also be noted that this is not Ontario’s first attempt at creating a general provincial privacy statute. In 2002, a proposed statute entitled the Privacy of Personal Information Act, 2002 (PPIA) was circulated for public comment. This proposed statute did not become the law in Ontario, but there are reasons to believe that the Ontario government’s newest attempt at creating provincial privacy legislation will be more successful.
In addition to the general increase in public awareness and concern over privacy laws and data protection that has occurred over the last two decades, any new proposed privacy legislation in Ontario is likely to benefit from being simpler than the PPIA proposal had been. At the time that PPIA was proposed, Ontario did not have a provincial privacy statute that governed the health sector. As a result, the PPIA incorporated both general privacy provisions and additional provisions specifically applicable to the health sector, leading the proposal to receive criticism for being too complex and confusing. However, now that Ontario has addressed personal health information through the Personal Health Information Protection Act, 2004 (PHIPA)2, any new proposed provincial privacy statute for Ontario will likely be simpler and clearer, which may increase its chances of becoming law.
Other Canadian Privacy Law Developments
Following a series of consultations in 2018, the Canadian federal government announced a new Digital Charter3 and published a discussion paper entitled “Strengthening Privacy for the Digital Age”4 containing a set of proposals aimed at modernizing Canadian federal privacy laws. Through the Digital Charter and its accompanying discussion paper, the federal government provided insight into the manner in which it plans to introduce a number of systemic changes to PIPEDA, including a move away from a consent-based system to a hybrid regime under which alternative legal grounds for the collection, use, and disclosure of personal information may be implemented. Some of the suggested changes include narrowing the circumstances under which individuals are required to provide their consent, standardizing the language organizations use when obtaining consent, introducing a right to be forgotten and greater data mobility rights, and implementing more robust enforcement mechanisms similar to those that are available to regulators under the European Union’s General Data Protection Regulation (GDPR).
At the provincial level Ontario is not the only province in Canada that is currently considering a significant overhaul to its privacy laws. On June 12, 2020, Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, was introduced into the National Assembly of Quebec (Bill 64)5. The bill introduces many new and stricter requirements on organizations in relation to their collection, use and disclosure of personal information. These include:
- New transparency and breach reporting requirements;
- New requirements for the transfer of personal information outside of Quebec, including an adequacy system based on similar principles as contained in the GDPR;
- New rights to data portability, the right to be forgotten, and the right to object to automatic processing;
- New accountability rules relating to roles and responsibilities within organizations to ensure compliance (e.g., mandatory governance policies, privacy impact assessments, privacy by design requirements);
- More stringent consent requirements;
- Greater enforcement capabilities, including the imposition of administrative monetary penalties of CAD$10,000,000 or, if greater, the amount corresponding to 2% of worldwide sales in the preceding year. For more significant infractions, penalties of up to CAD$25,000,000 or 4% of worldwide sales for the preceding year would be available; and
- A private right of action for individuals.
In Bill 64 new provisions that are favourable to organizations are also introduced, including the right to use personal information for “consistent purposes”, new consent exceptions for research and business transactions, the exclusion of business contact information from the definition of “personal information”, and an acknowledgment that consent may be given from individuals 14 years or older.
Businesses that are subject to Canadian privacy laws should be aware that change is in the wind and that potentially significant changes to PIPEDA as well as the possible introduction of new privacy laws in Ontario and Quebec could alter the manner in which these businesses process personal information.
Next Steps
If you would like assistance in preparing a submission in connection with the Ontario Government’s consultation, the Information Technology & Data Privacy Group at Cassels is able to assist. Throughout the consultation process, we will provide further news and updates as they occur.
The authors of this article gratefully acknowledge the contributions of Summer Law Student Steven Henderson.
_____________________________
1 Ministry of Government and Consumer Services, “Ontario Launches Consultations to Strengthen Privacy Protections of Personal Data” (August 14, 2020), online: <https://news.ontario.ca/mgs/en/2020/08/ontario-launches-consultations-to-strengthen-privacy-protections-of-personal-data.html?utm_source=ondemand&utm_medium=email&utm_campaign=p>
2 Personal Health Information Protection Act, 2004, SO 2004, c 3.
3 Available at: https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html.
4 Available at: https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00107.html
5 National Assembly of Quebec, “Bill 64, An Act to modernize legislative provisions as regards to the protection of personal information” (June 12, 2020), online: <http://m.assnat.qc.ca/en/travaux-parlementaires/projets-loi/projet-loi-64-42-1.html>