Insights Header image
Insights Header image
Insights Header image

Is Private Sector Privacy Legislation Looming in Ontario?

July 5, 2021 Privacy Law Bulletin 4 minute read

Ontario’s provincial government has released a white paper setting out various privacy policy proposals for input, signalling that Ontario private sector privacy legislation may be on the horizon.

Impetus for Change

Private sector organizations in Ontario that collect, use or disclose personal information in the course of commercial activities are currently subject to federal privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

Late last year, the federal government tabled Bill C-11 which, if passed, would introduce significant amendments to federal privacy legislation.  However, the Bill has faced criticism from privacy advocates and businesses alike.  Echoing the Privacy Commissioner of Canada’s view that Bill C-11 is a “step back” in protecting personal information, the Ontario government’s white paper suggests that the federal government should consider significant changes to Bill C-11, failing which Ontario will contemplate tabling a “made-in-Ontario” private sector privacy and data protection law.

Though the government has not yet tabled such a provincial law, the white paper provides examples of legislative language to demonstrate how its proposed policies could be reflected in law.

Key Proposed Policies

Some of the proposed policies set out in the white paper are similar to provisions that already exist in PIPEDA and accompanying regulatory guidance, or that have been proposed in Bill C-11.  For example, the paper proposes the following:

  • Fair and Appropriate Purpose.  An organization would only be permitted to collect, use or disclose personal information for purposes that a reasonable person would consider fair and appropriate in the circumstances.  Assessing the reasonableness of the purposes would take into account various factors, including the volume, nature and sensitivity of the personal information and whether there are any less intrusive means of achieving the purposes at a comparable cost and with comparable benefits.
  • Transparency. The government is considering requiring organizations to implement privacy management programs to govern their collection, use and disclosure of personal information, and to provide individuals with certain key information, in plain language, in order to obtain meaningful consent.
  • Right to Data Portability.  Like Bill C-11, Ontario’s white paper contemplates that individuals may have the right to ask for their personal information in a digital format in order to enable them to transfer their information to another organization. The government is grappling with whether these data mobility rights should extend to information inferred from personal information by evidentiary reasoning or other analytical processes, a move that organizations may find impractical or a violation of proprietary information rights.
  • Right to Disposal.  Ontario is also contemplating the introduction of a right to require an organization and its service providers to dispose of the individual’s personal information, subject to certain limitations. The government is considering the scope of this right, including whether organizations should be required to inform individuals of the reasons for refusing such a request and any recourse available to the individual following a refusal.

The Ontario government has also proposed several areas of reform which, if passed into law, would differ significantly from PIPEDA (and, in some cases, existing substantially similar privacy statutes in other provinces), including:

  • Expanded Application.  Unlike PIPEDA (or its successor legislation, if passed), proposed  legislation in Ontario would apply to charities, non-profit organizations, trade unions and other non-commercial organizations that handle personal information. It also appears that, like private sector privacy legislation in Alberta, British Columbia and Quebec, the legislation would apply to the personal information of employees of provincially-regulated businesses operating in Ontario.
  • Rights-Based Approach to Privacy.  The government proposes a fundamental right to privacy and protection of personal information for Ontarians, regardless of commercial interests.  This approach is said to more closely align with Europe’s General Data Protection Regulation (the “GDPR”) and the explicit right to privacy set out in Quebec’s Charter of Human Rights and Freedoms and Civil Code.
  • Other Lawful Uses of Personal Information.  The Ontario government is considering condoning certain circumstances when personal information can be collected, used or disclosed without obtaining consent.  Notably, the government disapproves of Bill C-11’s proposed exception to consent where obtaining such consent would be impracticable because the organization does not have a direct relationship with the individual.
  • Right to be Forgotten.  The Ontario government is considering expanding Bill C-11’s proposed right to deletion, by also introducing the “right to be forgotten” – i.e., the right, in some circumstances, to require an organization to de-index search results that contain personal information about the individual that have been posted by others.
  • Automated Decision-Making.  The Ontario government is contemplating introducing an obligation for organizations to disclose the use of automated decision-making systems to make predictions, recommendations or decisions about an individual and, borrowing from the GDPR, a prohibition on the use of automated decision systems to make decisions that would significantly affect individuals (with limited exceptions, including with the individual’s express consent).
  • Protection of Children.  The Ontario government may also introduce special privacy protections for children, including requiring parental or guardian consent on behalf of a child under the age of sixteen, and prohibiting organizations from monitoring children for the purpose of influencing their decisions or behaviour.
  • Oversight & Enforcement.  Like Bill C-11, the Ontario government proposes stronger oversight and enforcement mechanisms as compared to PIPEDA and current provincial equivalents.  In particular, the government proposes that the Information and Privacy Commissioner of Ontario (“IPC”) would assume oversight of compliance with the legislation, including the development of certification codes of practice to help organizations meet their new obligations. Moreover, the government is considering the adoption of similar enforcement measures as proposed in Bill C-11, including the ability for the IPC to levy monetary penalties of up to $50,000 CAD for individuals and the greater of $10 million CAD or three percent (3%) of gross global revenue in the prior financial year for organizations, subject to judicial oversight.

Next Steps

The provincial government has launched a public consultation to seek feedback on the white paper’s proposals for strengthening privacy protections in Ontario. Comments on the proposals can be submitted online before August 3, 2021.

McMillan Vantage, McMillan LLP’s public affairs arm, is available to assist organizations that wish to engage with the provincial government by preparing and submitting feedback on the white paper.

Although the Ontario government has indicated that it intends to provide a minimum of two years for businesses to comply with any new privacy statute (if it, indeed, proceeds with tabling its own legislation), organizations should consider reviewing their existing privacy compliance programs in order to determine whether they are well-positioned to adapt if / when any statutory changes occur.  McMillan’s Privacy & Data Protection Group is available to help your organization evaluate, develop and implement appropriate privacy and data protection policies and procedures.

By Lyndsay A. Wasser and Kristen Pennington

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2021

Insights (5 Posts)View More

Featured Insight

Investor Relations Activities Require Clear and Conspicuous Disclosure

BC Notice 51-703 emphasizes that investor relations activities must be “clearly and conspicuously” disclosed pursuant to Section 52(2) of the Securities Act.

Read More
May 22, 2024
Featured Insight

Unpacking Ontario’s Proposed Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024

Unpacking Ontario's Bill 194: Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024. Key changes & compliance strategies detailed.

Read More
May 17, 2024
Featured Insight

Navigating International Student Worker Restrictions: Post-Expiry Guidelines for Employers

On April 30, 2024, Canada’s temporary waiver allowing international students to exceed 20 hours of work per week expired.

Read More
May 14, 2024
Featured Insight

Understanding the Consumer-Driven Banking Framework: Key Insights from the Budget Implementation Act, 2024, No.1

On April 30, the federal government introduced the Budget Implementation Act, 2024, No. 1, which provides the legislative framework for open banking in Canada.

Read More
May 13, 2024
Featured Insight

Legal Risk Assessments – An Essential Risk Management Tool

The best way to address the legal issues that arise in any business is to focus on their identification and resolution before they become legal problems.

Read More
May 9, 2024