
Is Private Sector Privacy Legislation Looming in Ontario?

July 5, 2021 Privacy Law Bulletin 4 minutes read

Ontario’s provincial government has released a white paper setting out various privacy policy proposals for input, signalling that Ontario private sector privacy legislation may be on the horizon.

Impetus for Change

Private sector organizations in Ontario that collect, use or disclose personal information in the course of commercial activities are currently subject to federal privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

Late last year, the federal government tabled Bill C-11 which, if passed, would introduce significant amendments to federal privacy legislation.  However, the Bill has faced criticism from privacy advocates and businesses alike.  Echoing the Privacy Commissioner of Canada’s view that Bill C-11 is a “step back” in protecting personal information, the Ontario government’s white paper suggests that the federal government should consider significant changes to Bill C-11, failing which Ontario will contemplate tabling a “made-in-Ontario” private sector privacy and data protection law.

Though the government has not yet tabled such a provincial law, the white paper provides examples of legislative language to demonstrate how its proposed policies could be reflected in law.

Key Proposed Policies

Some of the proposed policies set out in the white paper are similar to provisions that already exist in PIPEDA and accompanying regulatory guidance, or that have been proposed in Bill C-11.  For example, the paper proposes the following:

  • Fair and Appropriate Purpose.  An organization would only be permitted to collect, use or disclose personal information for purposes that a reasonable person would consider fair and appropriate in the circumstances.  Assessing the reasonableness of the purposes would take into account various factors, including the volume, nature and sensitivity of the personal information and whether there are any less intrusive means of achieving the purposes at a comparable cost and with comparable benefits.
  • Transparency. The government is considering requiring organizations to implement privacy management programs to govern their collection, use and disclosure of personal information, and to provide individuals with certain key information, in plain language, in order to obtain meaningful consent.
  • Right to Data Portability.  Like Bill C-11, Ontario’s white paper contemplates that individuals may have the right to ask for their personal information in a digital format in order to enable them to transfer their information to another organization. The government is grappling with whether these data mobility rights should extend to information inferred from personal information by evidentiary reasoning or other analytical processes, a move that organizations may find impractical or a violation of proprietary information rights.
  • Right to Disposal.  Ontario is also contemplating the introduction of a right to require an organization and its service providers to dispose of the individual’s personal information, subject to certain limitations. The government is considering the scope of this right, including whether organizations should be required to inform individuals of the reasons for refusing such a request and any recourse available to the individual following a refusal.

The Ontario government has also proposed several areas of reform which, if passed into law, would differ significantly from PIPEDA (and, in some cases, existing substantially similar privacy statutes in other provinces), including:

  • Expanded Application.  Unlike PIPEDA (or its successor legislation, if passed), proposed legislation in Ontario would apply to charities, non-profit organizations, trade unions and other non-commercial organizations that handle personal information. It also appears that, like private sector privacy legislation in Alberta, British Columbia and Quebec, the legislation would apply to the personal information of employees of provincially-regulated businesses operating in Ontario.
  • Rights-Based Approach to Privacy.  The government proposes a fundamental right to privacy and protection of personal information for Ontarians, regardless of commercial interests.  This approach is said to more closely align with Europe’s General Data Protection Regulation (the “GDPR”) and the explicit right to privacy set out in Quebec’s Charter of Human Rights and Freedoms and Civil Code.
  • Other Lawful Uses of Personal Information.  The Ontario government is considering condoning certain circumstances when personal information can be collected, used or disclosed without obtaining consent.  Notably, the government disapproves of Bill C-11’s proposed exception to consent where obtaining such consent would be impracticable because the organization does not have a direct relationship with the individual.
  • Right to be Forgotten.  The Ontario government is considering expanding Bill C-11’s proposed right to deletion, by also introducing the “right to be forgotten” – i.e., the right, in some circumstances, to require an organization to de-index search results that contain personal information about the individual that have been posted by others.
  • Automated Decision-Making.  The Ontario government is contemplating introducing an obligation for organizations to disclose the use of automated decision-making systems to make predictions, recommendations or decisions about an individual and, borrowing from the GDPR, a prohibition on the use of automated decision systems to make decisions that would significantly affect individuals (with limited exceptions, including with the individual’s express consent).
  • Protection of Children.  The Ontario government may also introduce special privacy protections for children, including requiring parental or guardian consent on behalf of a child under the age of sixteen, and prohibiting organizations from monitoring children for the purpose of influencing their decisions or behaviour.
  • Oversight & Enforcement.  Like Bill C-11, the Ontario government proposes stronger oversight and enforcement mechanisms as compared to PIPEDA and current provincial equivalents.  In particular, the government proposes that the Information and Privacy Commissioner of Ontario (“IPC”) would assume oversight of compliance with the legislation, including the development of certification codes of practice to help organizations meet their new obligations. Moreover, the government is considering the adoption of similar enforcement measures as proposed in Bill C-11, including the ability for the IPC to levy monetary penalties of up to $50,000 CAD for individuals and the greater of $10 million CAD or three percent (3%) of gross global revenue in the prior financial year for organizations, subject to judicial oversight.

Next Steps

The provincial government has launched a public consultation to seek feedback on the white paper’s proposals for strengthening privacy protections in Ontario. Comments on the proposals can be submitted online before August 3, 2021.

McMillan Vantage, McMillan LLP’s public affairs arm, is available to assist organizations that wish to engage with the provincial government by preparing and submitting feedback on the white paper.

Although the Ontario government has indicated that it intends to provide a minimum of two years for businesses to comply with any new privacy statute (if it, indeed, proceeds with tabling its own legislation), organizations should consider reviewing their existing privacy compliance programs in order to determine whether they are well-positioned to adapt if / when any statutory changes occur.  McMillan’s Privacy & Data Protection Group is available to help your organization evaluate, develop and implement appropriate privacy and data protection policies and procedures.

By Lyndsay A. Wasser and Kristen Pennington

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2021
