Modernizing privacy in Ontario - the potential upcoming shift
2020 brought the winds of change to the Canadian private-sector privacy landscape. The federal government introduced Bill C-11, which overhauls the long-standing federal Personal Information Protection and Electronic Documents Act, and Quebec introduced Bill 64, which proposes significant changes to Quebec’s own private-sector privacy regime. Now the same winds are blowing in Ontario. On June 17, 2021, the Ontario Ministry of Government and Consumer Services released a white paper entitled "Modernizing Privacy in Ontario: Empowering Ontarians and Enabling the Digital Economy”. The white paper outlines Ontario’s proposal to address some of the weaknesses and gaps in the federal bill by identifying several key privacy issues and providing draft legislative language to address those issues.
The current privacy regime
Commercial privacy law in Ontario is currently governed by federal PIPEDA, which came into force in 2004. There are a number of requirements to comply with PIPEDA. Generally, organizations must follow the 10 fair information principles to protect personal information, including informed consent, limiting collection, use, disclosure and retention, and keeping information secure. In addition, there is an overarching reasonableness requirement that applies to the type and amount of personal information collected and the purposes for which it is collected, used or disclosed.
Three provinces -- BC, Alberta, and Quebec -- introduced their own substantially similar legislation that applies to privacy practices within those provinces. PIPEDA applies within the other provinces (including Ontario), and to cross-border data activities.
Recent legislative developments
As mentioned, the federal government has proposed overhauling PIPEDA to bring it in line with the new standards established by the European General Data Protection Regulation and the California Consumer Privacy Act. If passed in its current form, Bill C-11 will replace PIPEDA’s privacy provisions with a new Consumer Privacy Protection Act and establish a new privacy tribunal. For more information, see DLA Piper Canada’s update here.
Similarly, Quebec has introduced its own proposed legislation, Bill 64, to overhaul and modernize Quebec’s privacy laws. Bill 64 is intended to promote transparency, enhance data privacy and strengthen user consent by increasing the responsibility of departments and agencies, private companies and, political parties. For more information, see DLA Piper Canada’s update here.
In Ontario, the government began public consultations in 2020 around potential changes to address gaps in Ontario’s legislative privacy framework, to replace PIPEDA for commercial activity, and to broaden the scope of privacy statute application in Ontario to a wide range of currently unregulated activity including not for profit organizations, charities and Ontario employers which culminated in the release of the white paper this June.
The white paper outlines several proposals to broaden the scope of privacy protection in Ontario and to, in the words of Ontario’s press release, set “a national gold standard for privacy protection.” The white paper’s proposals are summarized below.
- A Rights-Based approach to privacy Ontario proposes establishing a fundamental right to privacy (as opposed to a balance of competing interests) as “the underpinning principle for a provincial privacy law, to ensure that Ontarians are protected regardless of commercial interests”. An important element of this right is requiring that organizations only collect, use and disclose personal information for purposes that are objectively “fair and appropriate” -- in other words, for purposes that an individual would reasonably expect.
- Safe use of automated decision-making Ontario proposes regulating the use of automated decision-making by imposing a transparency requirement and prohibiting decisions that would significantly affect individuals, in order to create greater accountability and transparency around the use of artificial intelligence.
- Enhanced consent and lawful uses of personal data The federal and Quebec privacy changes recognize that while individual consent is still fundamental to privacy laws, modern data practices are too complex for consent to be the only basis of authority. Similarly, Ontario proposes strengthening the authority of consent to build out the new privacy framework. To counteract the risks of misusing consent, Ontario proposes that organizations (i) provide certain baseline information when seeking consent so that the consent is meaningful and valid, (ii) provide individuals with the right to withdraw consent, (iii) require organizations to consider the sensitivity of the personal information when determining the form of consent, and (iv) prohibit organizations from making consent a condition for service, or obtaining it by deceptive or duplicitous means.
- Data transparency for Ontarians On a related issue, Ontario recognizes that many modern data practices are too opaque and complex for average citizens to follow and understand, and that this creates risks for both individuals and organizations. Ontario has therefore set forth two proposals to enhance transparency: • Organizations would be required to implement internal privacy policies, practices and procedures, i.e., a privacy management program to govern their collection, use and disclosure of personal information and to make their program available for review. The privacy management program would be scalable to the organization’s size. • Organizations would be required to make information available, in plain language, explaining how the organization is using individuals’ data, the lawful basis relied upon for data activities, and how individuals can follow up to exercise their data rights.
- Protecting children and youth Ontario proposes implementing special protections for children by introducing a minimum age of valid consent and prohibiting organizations from monitoring children under the age of 16 for the purpose of influencing their decisions or behaviour. And explicit parental consent would be required for data activities relating to children younger than 16.
- A fair, proportionate and supportive regulatory regime Ontario proposes extending the Information and Privacy Commissioner of Ontario’s mandate to include regulatory oversight and enhanced enforcement powers.
- Support for Ontario innovators Ontario proposes supporting innovation by allowing organizations to use “de-identified personal information” for research and innovation purposes, to encourage safe and responsible research and innovation.