On June 17, 2021, the Ontario government released a white paper that outlines proposals for standalone private sector privacy legislation in the province. The proposals, if ultimately introduced as law, would represent a significant change to the privacy obligations of businesses that collect, use and disclose personal information in Ontario.
Ontario does not currently have a private sector privacy statute of general application. Currently, private sector organizations in Ontario (outside of the health sector) are governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA), but only in respect of personal information collected in the course of commercial activities. Provincially regulated employers in Ontario, for example, are not subject to any privacy legislation in respect of their processing of employee personal information for employment-related purposes. Similarly, non-commercial organizations in Ontario such as charities, unions, associations and other non-profits are generally not subject to any privacy legislation. An Ontario private sector privacy statute would likely regulate all non-government organizations in the province, including in respect of employee information.
In its white paper, the Ontario government cites many perceived shortcomings of Bill C-11 – the federal government's proposed update to Canada's private sector privacy law. Many of the reforms proposed in the white paper are intended to directly address these shortcomings. Please consult our previous bulletin for a summary of obligations contemplated by Bill C-11.
Among other reforms, Ontario's proposals would enhance obligations for private-sector organizations in line with the EU's General Data Protection Regulation, add special obligations when organizations use artificial intelligence (AI) technology and empower the Information and Privacy Commissioner (IPC) to issue binding orders and fines for non-compliance.
More specifically, the white paper considers several enhanced requirements for businesses operating in Ontario, including:
Changes to consent requirements
- Implementing specific requirements for express consent to be valid, including plain language privacy policies, identification of the legal basis for collection and clear processes for exercising individual rights
- Allowing organizations to collect or use personal information without consent where certain requirements are met, including for business activities that do not use the information to influence individual decisions or behaviour
New limits on data collection, use and disclosure
- Expanding the limit on collection and use of personal information to purposes that are fair and appropriate under the circumstances by requiring organizations to consider whether the use is necessary for the organization's legitimate needs
- Prohibiting the collection and use of personal information of individuals under the age of 16 for the purpose of influencing their behaviour, or for purposes that are likely to cause significant harm
- Implementing processes that facilitate a "rights-based approach" to privacy, including rights of access, correction, disposal and mobility for all personal information, including information inferred about an individual
Special obligations for AI systems
- Prohibiting the use of children's data for AI
- Requiring organizations that use AI systems to profile or make decisions about individuals to provide a clear explanation of the decision and of how personal information was used to make the decision
- Implementing processes that allow individuals to correct, comment, contest and have a human being within the organization review the decision
- Enhancing record-keeping obligations related to the use of AI systems proportionate to the size and scale of the organization or the sensitivity of the personal information processed
New approach to data use in research
- Implementing a risk-based approach to the use of de-identified information. This would require organizations to employ de-identification protocols that are proportional to the sensitivity of personal information
- Exempting anonymized information from the province's private sector privacy law
In addition to these new obligations, the white paper considers expanding the role of the IPC. According to the proposals, the IPC would be able to establish binding codes of practice and administer certification programs. In the event of a violation, the IPC would have the power to initiate investigations, compel production of documents and issue binding orders as well as monetary penalties of up to C$10-million or 3 per cent of the organization's gross global revenue. The proposal also contemplates a statutory offence provision for certain contraventions, including failure to report a breach of security safeguards to the IPC or to maintain a record of every breach of security safeguards, subject to a fine of C$25-million or 5 per cent of the organization's gross global revenue.
The Ontario government is accepting feedback from organizations, impacted stakeholders and the general public on these proposals via e-mail until August 3, 2021.
© 2020 Blake, Cassels & Graydon LLP.