COVID-19 Realities Push Ontario Government to Launch Public Consultation to Improve the Province’s Privacy Laws

COVID-19 Realities Push Ontario Government to Launch Public Consultation to Improve the Province’s Privacy Laws

On August 13th, 2020, the Ontario government launched a public consultation to improve and enhance the province’s privacy protection laws (the “Consultation”).[1] The Consultation comes in the wake of COVID-19 and the realities of, and concerns with, our increasingly data-driven economy. The survey, along with written submissions and web conferences, will guide the government in creating a modernized legislative framework for strengthening privacy and data protections in the province’s private sector.

The Current Privacy Legislative Framework in Ontario

Currently, the legislative framework in Ontario only regulates the provincial and municipal public sector organizations, as well as the collection, use and disclosure of personal information by the province’s public institutions and specific health care providers.[2] The province does not have privacy legislation that specifically governs its private sector; rather, the federal Personal Information Protection and Electronic Documents Act[3] (“PIPEDA”) applies to the private sector in Ontario. However, the application of PIPEDA is limited in its scope as it only applies to “commercial activities”. This creates a legislative gap – there are currently no privacy laws in Ontario that govern non-commercial activities in the private sector, such as handling employees personal information by employers in Ontario who do not carry out federal works or undertakings, or extra-provincial businesses.

Privacy discussion topics tabled by the Ontario government for consultation

The Ontario government has set out privacy issues that it is seeking guidance on during the Consultation. These are:

• Increased transparency – providing individuals with more detail about how businesses and organizations use their information.
• Enhanced consent – ensuring that consent is informed, providing an opt-in model for secondary uses of information, and allowing individuals to revoke consent.
• The “right to be forgotten” – allowing individuals to request that information that relates to them be deleted. This may include de-indexing (removal from online search results or references), or other ways of preventing information from being disseminated.
• Data portability – introducing a right for individuals to access their data in a common and portable format, which allows greater freedom to change service providers.
• Enforcement – increasing the enforcement powers of Ontario’s Information and Privacy Commissioner to ensure compliance with the new legislation.
• De-identification – introducing requirements for de-identification of personal information and clarifying the applicability of certain privacy protections. De-identification refers to the process by which a service can remove identifying information to preserve the privacy of its users.
• Scope – increasing the scope of the law to include organizations engaged in non-commercial activities.
• Data trusts – creating a legislative framework to enable the establishment of data trusts. A data trust is a legal mechanism that allows a third party to govern an organization’s data. They help ensure transparency and accountability, but currently no Canadian jurisdiction has a legislative framework for data trusts.

Take-away

With the government’s end goal of creating a privacy legislative framework that governs the private sector, businesses and organizations in Ontario should prepare to implement significant changes in how they collect, use and disclose personal information. Given the potential impact of the fruits of the Consultation, and the increasing value that consumers place on businesses that have privacy protection values and designs, we encourage businesses and organizations to participate in the Consultation.

How to participate

Formal response:

Organizations may submit a formal response to the topics listed above to access.privacy@ontario.ca.

Survey:

Organizations may also submit feedback and thoughts on the privacy discussion topics listed above through an online survey.

If you wish to learn more about the Consultation process, Consultation submissions or the privacy discussion topics tabled by the Ontario government, please contact McMillan’s privacy lawyers or McMillan’s Vantage Policy Group.

by Chiedza Museredza, Grace Shaw, and Kristen Shaw (Summer Student)

[1] Ministry of Government and Consumer Services, News Release, “Ontario Launches Consultations to Strengthen Privacy Protections of Personal Data” (13 August 2020), online: Government of Ontario.
[2] Freedom of Information and Protection of Privacy Act, RSO 1990, c F31; Municipal Freedom of Information and Protection of Privacy Act, RSO 1990, c M56; Recent changes to the Personal Health Information Protection Act, SO 2004, c 3 have impacts on the use, collection and disclosure of personal health information by certain private businesses and organizations. These changes were introduced in Bill 188, An Act to enact and amend various statutes, 1st Sess, 42nd Leg, Ontario, 2020 (assented to 25 March 2020), SO 2020, c 5 and discussed in a recent bulletin by McMillan.
[3] Personal Information Protection and Electronic Documents Act, SC 2000, c 5.

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2020