Insights Header image
Insights Header image
Insights Header image

Is Private Sector Privacy Legislation Looming in Ontario?

July 5, 2021 Privacy Law Bulletin 4 minute read

Ontario’s provincial government has released a white paper setting out various privacy policy proposals for input, signalling that Ontario private sector privacy legislation may be on the horizon.

Impetus for Change

Private sector organizations in Ontario that collect, use or disclose personal information in the course of commercial activities are currently subject to federal privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

Late last year, the federal government tabled Bill C-11 which, if passed, would introduce significant amendments to federal privacy legislation.  However, the Bill has faced criticism from privacy advocates and businesses alike.  Echoing the Privacy Commissioner of Canada’s view that Bill C-11 is a “step back” in protecting personal information, the Ontario government’s white paper suggests that the federal government should consider significant changes to Bill C-11, failing which Ontario will contemplate tabling a “made-in-Ontario” private sector privacy and data protection law.

Though the government has not yet tabled such a provincial law, the white paper provides examples of legislative language to demonstrate how its proposed policies could be reflected in law.

Key Proposed Policies

Some of the proposed policies set out in the white paper are similar to provisions that already exist in PIPEDA and accompanying regulatory guidance, or that have been proposed in Bill C-11.  For example, the paper proposes the following:

  • Fair and Appropriate Purpose.  An organization would only be permitted to collect, use or disclose personal information for purposes that a reasonable person would consider fair and appropriate in the circumstances.  Assessing the reasonableness of the purposes would take into account various factors, including the volume, nature and sensitivity of the personal information and whether there are any less intrusive means of achieving the purposes at a comparable cost and with comparable benefits.
  • Transparency. The government is considering requiring organizations to implement privacy management programs to govern their collection, use and disclosure of personal information, and to provide individuals with certain key information, in plain language, in order to obtain meaningful consent.
  • Right to Data Portability.  Like Bill C-11, Ontario’s white paper contemplates that individuals may have the right to ask for their personal information in a digital format in order to enable them to transfer their information to another organization. The government is grappling with whether these data mobility rights should extend to information inferred from personal information by evidentiary reasoning or other analytical processes, a move that organizations may find impractical or a violation of proprietary information rights.
  • Right to Disposal.  Ontario is also contemplating the introduction of a right to require an organization and its service providers to dispose of the individual’s personal information, subject to certain limitations. The government is considering the scope of this right, including whether organizations should be required to inform individuals of the reasons for refusing such a request and any recourse available to the individual following a refusal.

The Ontario government has also proposed several areas of reform which, if passed into law, would differ significantly from PIPEDA (and, in some cases, existing substantially similar privacy statutes in other provinces), including:

  • Expanded Application.  Unlike PIPEDA (or its successor legislation, if passed), proposed  legislation in Ontario would apply to charities, non-profit organizations, trade unions and other non-commercial organizations that handle personal information. It also appears that, like private sector privacy legislation in Alberta, British Columbia and Quebec, the legislation would apply to the personal information of employees of provincially-regulated businesses operating in Ontario.
  • Rights-Based Approach to Privacy.  The government proposes a fundamental right to privacy and protection of personal information for Ontarians, regardless of commercial interests.  This approach is said to more closely align with Europe’s General Data Protection Regulation (the “GDPR”) and the explicit right to privacy set out in Quebec’s Charter of Human Rights and Freedoms and Civil Code.
  • Other Lawful Uses of Personal Information.  The Ontario government is considering condoning certain circumstances when personal information can be collected, used or disclosed without obtaining consent.  Notably, the government disapproves of Bill C-11’s proposed exception to consent where obtaining such consent would be impracticable because the organization does not have a direct relationship with the individual.
  • Right to be Forgotten.  The Ontario government is considering expanding Bill C-11’s proposed right to deletion, by also introducing the “right to be forgotten” – i.e., the right, in some circumstances, to require an organization to de-index search results that contain personal information about the individual that have been posted by others.
  • Automated Decision-Making.  The Ontario government is contemplating introducing an obligation for organizations to disclose the use of automated decision-making systems to make predictions, recommendations or decisions about an individual and, borrowing from the GDPR, a prohibition on the use of automated decision systems to make decisions that would significantly affect individuals (with limited exceptions, including with the individual’s express consent).
  • Protection of Children.  The Ontario government may also introduce special privacy protections for children, including requiring parental or guardian consent on behalf of a child under the age of sixteen, and prohibiting organizations from monitoring children for the purpose of influencing their decisions or behaviour.
  • Oversight & Enforcement.  Like Bill C-11, the Ontario government proposes stronger oversight and enforcement mechanisms as compared to PIPEDA and current provincial equivalents.  In particular, the government proposes that the Information and Privacy Commissioner of Ontario (“IPC”) would assume oversight of compliance with the legislation, including the development of certification codes of practice to help organizations meet their new obligations. Moreover, the government is considering the adoption of similar enforcement measures as proposed in Bill C-11, including the ability for the IPC to levy monetary penalties of up to $50,000 CAD for individuals and the greater of $10 million CAD or three percent (3%) of gross global revenue in the prior financial year for organizations, subject to judicial oversight.

Next Steps

The provincial government has launched a public consultation to seek feedback on the white paper’s proposals for strengthening privacy protections in Ontario. Comments on the proposals can be submitted online before August 3, 2021.

McMillan Vantage, McMillan LLP’s public affairs arm, is available to assist organizations that wish to engage with the provincial government by preparing and submitting feedback on the white paper.

Although the Ontario government has indicated that it intends to provide a minimum of two years for businesses to comply with any new privacy statute (if it, indeed, proceeds with tabling its own legislation), organizations should consider reviewing their existing privacy compliance programs in order to determine whether they are well-positioned to adapt if / when any statutory changes occur.  McMillan’s Privacy & Data Protection Group is available to help your organization evaluate, develop and implement appropriate privacy and data protection policies and procedures.

By Lyndsay A. Wasser and Kristen Pennington

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2021

Insights (5 Posts)

Featured Insight

The Bureau Issues Final Enforcement Guidance on the New Criminal Prohibition on Wage-Fixing and No-Poaching Agreements

Providing insights on the Competition Bureau’s 2023 Guidelines describing the Bureau’s approach to wage-fixing and no-poaching agreements.

Read More
Jun 5, 2023
Featured Insight

The EU’s New Carbon Border Adjustment Mechanism in Action: Impacts on Canada and Beyond

The EU's new Carbon Border Adjustment Mechanism will take effect on October 1, 2023. McMillan explores the CBAM and its implications for Canadian trade.

Read More
Jun 5, 2023
Featured Insight

Competition Bureau Challenges Alleged Drip Pricing by Cineplex

The Competition Bureau commenced a proceeding against Cineplex for allegedly engaging in misleading advertising in the form of "drip pricing".

Read More
Jun 2, 2023
Featured Insight

The Present and Future of A.I. Regulation

Join us for a session with industry experts who will share valuable insights into the latest trends and developments in artificial intelligence with a particular focus on regulation.

Tuesday, June 20, 2023
Featured Insight

Secured Lending in Canada: A Guide for U.S. Lenders

A guide to secured lending in Canada; summarizes regulatory matters, tax, security, insolvency and restructuring issues in Canada.

Read More
Jun 1, 2023