Is Private Sector Privacy Legislation Looming in Ontario?
Is Private Sector Privacy Legislation Looming in Ontario?
Impetus for Change
Private sector organizations in Ontario that collect, use or disclose personal information in the course of commercial activities are currently subject to federal privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”).
Late last year, the federal government tabled Bill C-11 which, if passed, would introduce significant amendments to federal privacy legislation. However, the Bill has faced criticism from privacy advocates and businesses alike. Echoing the Privacy Commissioner of Canada’s view that Bill C-11 is a “step back” in protecting personal information, the Ontario government’s white paper suggests that the federal government should consider significant changes to Bill C-11, failing which Ontario will contemplate tabling a “made-in-Ontario” private sector privacy and data protection law.
Though the government has not yet tabled such a provincial law, the white paper provides examples of legislative language to demonstrate how its proposed policies could be reflected in law.
Key Proposed Policies
Some of the proposed policies set out in the white paper are similar to provisions that already exist in PIPEDA and accompanying regulatory guidance, or that have been proposed in Bill C-11. For example, the paper proposes the following:
- Fair and Appropriate Purpose. An organization would only be permitted to collect, use or disclose personal information for purposes that a reasonable person would consider fair and appropriate in the circumstances. Assessing the reasonableness of the purposes would take into account various factors, including the volume, nature and sensitivity of the personal information and whether there are any less intrusive means of achieving the purposes at a comparable cost and with comparable benefits.
- Transparency. The government is considering requiring organizations to implement privacy management programs to govern their collection, use and disclosure of personal information, and to provide individuals with certain key information, in plain language, in order to obtain meaningful consent.
- Right to Data Portability. Like Bill C-11, Ontario’s white paper contemplates that individuals may have the right to ask for their personal information in a digital format in order to enable them to transfer their information to another organization. The government is grappling with whether these data mobility rights should extend to information inferred from personal information by evidentiary reasoning or other analytical processes, a move that organizations may find impractical or a violation of proprietary information rights.
- Right to Disposal. Ontario is also contemplating the introduction of a right to require an organization and its service providers to dispose of the individual’s personal information, subject to certain limitations. The government is considering the scope of this right, including whether organizations should be required to inform individuals of the reasons for refusing such a request and any recourse available to the individual following a refusal.
The Ontario government has also proposed several areas of reform which, if passed into law, would differ significantly from PIPEDA (and, in some cases, existing substantially similar privacy statutes in other provinces), including:
- Expanded Application. Unlike PIPEDA (or its successor legislation, if passed), proposed legislation in Ontario would apply to charities, non-profit organizations, trade unions and other non-commercial organizations that handle personal information. It also appears that, like private sector privacy legislation in Alberta, British Columbia and Quebec, the legislation would apply to the personal information of employees of provincially-regulated businesses operating in Ontario.
- Rights-Based Approach to Privacy. The government proposes a fundamental right to privacy and protection of personal information for Ontarians, regardless of commercial interests. This approach is said to more closely align with Europe’s General Data Protection Regulation (the “GDPR”) and the explicit right to privacy set out in Quebec’s Charter of Human Rights and Freedoms and Civil Code.
- Other Lawful Uses of Personal Information. The Ontario government is considering condoning certain circumstances when personal information can be collected, used or disclosed without obtaining consent. Notably, the government disapproves of Bill C-11’s proposed exception to consent where obtaining such consent would be impracticable because the organization does not have a direct relationship with the individual.
- Right to be Forgotten. The Ontario government is considering expanding Bill C-11’s proposed right to deletion, by also introducing the “right to be forgotten” – i.e., the right, in some circumstances, to require an organization to de-index search results that contain personal information about the individual that have been posted by others.
- Automated Decision-Making. The Ontario government is contemplating introducing an obligation for organizations to disclose the use of automated decision-making systems to make predictions, recommendations or decisions about an individual and, borrowing from the GDPR, a prohibition on the use of automated decision systems to make decisions that would significantly affect individuals (with limited exceptions, including with the individual’s express consent).
- Protection of Children. The Ontario government may also introduce special privacy protections for children, including requiring parental or guardian consent on behalf of a child under the age of sixteen, and prohibiting organizations from monitoring children for the purpose of influencing their decisions or behaviour.
- Oversight & Enforcement. Like Bill C-11, the Ontario government proposes stronger oversight and enforcement mechanisms as compared to PIPEDA and current provincial equivalents. In particular, the government proposes that the Information and Privacy Commissioner of Ontario (“IPC”) would assume oversight of compliance with the legislation, including the development of certification codes of practice to help organizations meet their new obligations. Moreover, the government is considering the adoption of similar enforcement measures as proposed in Bill C-11, including the ability for the IPC to levy monetary penalties of up to $50,000 CAD for individuals and the greater of $10 million CAD or three percent (3%) of gross global revenue in the prior financial year for organizations, subject to judicial oversight.
The provincial government has launched a public consultation to seek feedback on the white paper’s proposals for strengthening privacy protections in Ontario. Comments on the proposals can be submitted online before August 3, 2021.
McMillan Vantage, McMillan LLP’s public affairs arm, is available to assist organizations that wish to engage with the provincial government by preparing and submitting feedback on the white paper.
Although the Ontario government has indicated that it intends to provide a minimum of two years for businesses to comply with any new privacy statute (if it, indeed, proceeds with tabling its own legislation), organizations should consider reviewing their existing privacy compliance programs in order to determine whether they are well-positioned to adapt if / when any statutory changes occur. McMillan’s Privacy & Data Protection Group is available to help your organization evaluate, develop and implement appropriate privacy and data protection policies and procedures.
A Cautionary Note
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2021
Insights (5 Posts)
Federal Privacy Commissioner Releases Key Recommendations for a New Federal Private Sector Privacy Law
The Office of the Privacy Commissioner of Canada released a summary of its key recommendations for a new federal private sector privacy law in Canada
Canadian prosecutors have for the first time agreed to a deferred prosecution agreement with a Canadian company.
As we have received a number of questions from clients regarding our open banking bulletins, we are putting together an interdisciplinary panel of experts to take a deep dive into the implications of an open banking system in Canada, exciting developments & expectations for further progression.
Ontario’s Court of Appeal has upheld the termination of a 30-year employee for cause following a single incident of sexual harassment.
Get updates delivered right to your inbox. You can unsubscribe at any time.