Ontario has taken a significant step towards implementing private sector privacy legislation in the province.
On June 17, it issued a white paper entitled Modernizing Privacy in Ontario that sets out a model for a new statute. The province aims to implement stronger protections than introduced by the federal government in its privacy reform bill, Bill C-11. If the province's proposed model becomes law, it will bring in a strict new compliance and enforcement regime and entirely new employment privacy regulation. It will also increase the fragmentation of the Canadian private sector privacy law regime.
The context for reform
Federal law currently governs commercial privacy in Ontario. The Personal Information Protection and Electronic Documents Act (PIPEDA) has imposed a broad set of privacy-related requirements that are based on fair information practice principles - a set of fundamental principles for protecting privacy that have become the basis of global privacy laws.
PIPEDA, however, has three fundamental limitations:
- First, it does not yet feature elements now common to stronger privacy laws, such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA).
- Second, enforcement under PIPEDA is based on an Ombudsman model. The regulator, the Office of the Privacy Commissioner of Canada, has no power to make orders or issue fines.
- Third, PIPEDA applies to a small segment of Ontario employers - only banks, airlines and other federally regulated employers. The vast majority of employers in Ontario have no obligations under a plenary privacy statute.
Based on concerns about PIPEDA's frailties and a need to maintain the "adequacy status" that facilitates the transfer of personal information outside of the European Economic Area under the GDPR, Canada has seen a wave of privacy law reform - indeed, a near competition to establish the new baseline for privacy protection in Canada.
Québec led first, with a stringent set of reforms embodied in Bill 64. Bill 64 is expected to pass by the end of 2021.
The federal government followed with Bill C-11, a bill that would replace PIPEDA with the Consumer Privacy Protection Act. Bill C-11 has faced significant criticism from privacy advocates and the Office of the Privacy Commissioner of Canada, raising significant questions about its future.
Ontario's new and strict proposed model
Ontario has seized upon the criticism of Bill C-11 in launching its new model. In a letter released at the same time as the Modernizing paper, Minister Lisa Thompson says:
Recently, the Government of Canada introduced Bill C-11 to update the federal privacy regime. While this was an important step, the protections of this proposed law do not address many of the needs we heard from respondents in our consultations.
My ministry is therefore considering the possibility of provincial legislation that would govern citizen data and set a national gold standard for privacy protection.
In Modernizing, the province draws heavily from the Office of the Privacy Commissioner of Canada's Bill C-11 critique and reform submissions made by the Information and Privacy Commissioner of Ontario. Although the province appears to have borrowed text from Bill C-11, its model has a rigor closer to that embodied in Bill 64.
The following table describes the elements of Ontario's proposed model.
||Ontario proposes to replace PIPEDA for commercial activity and to broaden the scope of privacy statute application in Ontario to a wide range of currently unregulated activity, including the core activity of not-for-profit organizations and charities. Ontario employers would become subject to privacy legislation.|
||Ontario proposes to alter the balance enshrined in PIPEDA and Bill C-11, which both recognize that privacy is less than absolute and must be balanced against the "need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances."|
|Processing requirements and limitations||
||The limitations on processing are a significant feature of any privacy statue. The province's proposal is strict. Among other things, the province draws from the Office of the Privacy Commissioner of Canada's advocacy in proposing a prohibition on "no go" purposes. Most significantly, Ontario aims to prohibit purposes that are "known to cause, or likely to cause, significant harm to the individual or groups of individuals."|
||Like Bill 64 and the GDPR, the Ontario approach excludes truly anonymized information from the scope of regulation. Ontario says it aims to incentivize de-identification and anonymization as a means of supporting data-driven innovation. The province recognizes that certain features of a privacy framework are neither desirable nor practicable when dealing with de-identified personal information. For example, Ontario proposes that organizations not be required to respond to an access request if personal information has been de-identified.|
|Basic data subject rights||
Rights to disposal and portability are rights that have the potential to conflict with the operational requirements of business, and must therefore have an appropriate and carefully crafted scope. The province's proposal contains the same "reasonable terms of a contract" limitation included in Bill C-11, and the province appears to intend to limit the portability right to enable disclosures under a mobility frameworks. Whether Ontario actually pursues right to de-indexation (right to be forgotten) is of major significance.
||Ontario's proposal is arguably more stringent than that reflected in Bill C-11 and Bill 64 in that Ontario aims to create a limited prohibition on automated decision-making and a true right to contest an automated decision. Given Ontario proposes the same broad "automated decision-making" system as Bill C-11, this proposal is likely to raise concerns.|
Ontario has modeled its list of consent exceptions from the Bill C-11 list, though frames them as "alternatives" and does not adopt the exception for indirect collections of personal information in Bill C-11 that has drawn criticism. The province has been express in its proposal to bring trade unions within the scope of privacy regulation, and proposes a consent exception for processing that is "necessary" for various activities related to unions' representational mandates.
|Transparency and governance||
||Privacy legislation has evolved to require organizations to provide individuals with more information about the processing of personal information. Ontario's proposal draws heavily from Bill C-11, and the province has signalled openness to a similar privacy impact assessment requirement that is a feature of Bill 64.|
PIPEDA does not include any special provisions meant to protect children's privacy, nor does it establish an age at which parental consent is required. Guidance is derived from Office of the Privacy Commissioner of Canada policy, which stresses the sensitivity of children's personal information and the increased burdens in obtaining meaningful consent. The Ontario proposal has the potential to bring clarity to the law. By contrast, Bill 64 provides that consent of a minor under 14 years of age must be given by the person having parental authority and the consent of a minor 14 years of age or over can be given either by the minor or by the person having parental authority.
||The Ontario proposal is similar to Bill C-11, though would provide the Information and Privacy Commissioner of Ontario with the (direct) power to order administrative monetary penalties. Ontario's health privacy statute has a compensation mechanism, but requires a court application. A mechanism by which individuals could seek compensation from the IPC itself would be novel, raising a question about whether it should be made an exclusive remedy (i.e., an alternative to court-based privacy claims).|
If the Ontario proposal eventually becomes law and supplants federal privacy legislation in Ontario, it will radically change the privacy legislative landscape in Canada. Approximately 87 per cent of the Canadian population would become subject to made-in-the-province commercial privacy legislation, curtailing the relevance of the Office of the Privacy Commissioner of Canada and introducing a new provincial regulator with strong powers and influence. Fragmentation would not benefit business, and entire new areas of activity in Ontario would become regulated - namely, employment and not-for-profit activity.
Even if it does not pass, the Ontario proposal is part of a jockeying for influence that appears to be causing our regulatory model to rise to the highest common denominator. Ontario is promoting its model as a stricter alternative to Bill C-11, which could invite a federal response, not to mention an eventual response from British Columbia and Alberta.
Comments to the province are due by August 3. We would be pleased to help you with considering the proposal and marshalling a response. Please reach out to your BLG lawyer or any of the key contacts below for assistance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.