Organizations operating in Ontario may soon be subject to an entirely new provincial privacy regime that could impose substantial compliance obligations, and establish significant penalties for contravention of those obligations.
On June 17, 2021, the Ontario Ministry of Government and Consumer Services (Ontario) published a white paper titled "Modernizing Privacy in Ontario: Empowering Ontarians and Enabling the Digital Economy." Following a privacy reform consultation process (which we previously reported on in Ontario Promises to Create Canada's First Provincial Data Authority), Ontario has identified several key privacy issues and corresponding draft legislative language to address those issues. Ontario has called for submissions in response to its proposed legislative text.
The key themes in the Ontario white paper are generally aligned with those underlying the federal government's Bill C-11 (C-11), namely:
- requirements for obtaining meaningful consent;
- obligation on organizations to implement a privacy management program which includes their policies and protocols setting out how they comply with regulatory obligations;
- exposure to penalties for contravention of obligations;
- increased individual rights; and
- required transparency in connection with the use of artificial intelligence.
The proposals in the Ontario white paper are summarized as follows:
Proposal 1: Rights-Based Approach to Privacy
Ontario proposes to establish a fundamental right to privacy "as the underpinning principle for a provincial privacy law, ensuring that Ontarians are protected, regardless of commercial interests." In connection with this principle, Ontario proposes the following concepts, which are generally aligned with proposed language in C-11:
- Fair and appropriate purposes: Information should only be collected, used and disclosed for purposes that an individual would reasonably expect, regardless of the lawful grounds that may apply.
- Limitations on collection, use and disclosure of personal information: Organizations should limit their collection, use and disclosure to personal information that is necessary to carry out the intended purpose.
- Data mobility: Individuals should have the right to obtain and transfer their own personal information.
- Right of disposal (or erasure): Individuals should be able to request that an organization dispose of their personal information.
- Right of access and correction: Individuals should have access to, and be able to correct, personal information in the custody of an organization
Proposal 2: Automated Decision-Making
Ontario proposes to regulate the use of automated decision-making by:
- providing individuals with the right to know about the use of automated decision-making in connection with their personal information;
- requiring organizations to answer requests for information regarding decisions made about individuals through the use of automated decision-making;
- empowering individuals with the right to comment on, contest, or request a review of the decision impacting them that is rendered through the use of automated decision-making; and
- prohibiting the use of automated decision-making in situations of significant impact.
Proposal 3: Meaningful Consent
Ontario proposes to combat the effect of "consent fatigue" (whereby individuals will accept any legal notice presented to them without reading or understanding its terms) and provide for meaningful consent by:
- requiring certain information be provided by organizations when seeking consent for the collection, use or disclosure of personal information;
- providing individuals with the right to withdraw consent;
- requiring organizations to consider the sensitivity of the personal information to be collected when formulating the consent process;
- prohibiting organizations from making consent a condition for service or from using deceptive or duplicitous means to obtain consent; and
- allowing for implied consent circumstances where individuals would reasonably expect their information to be collected and used.
Proposal 4: Transparency
Ontario recognizes that "stronger transparency requirements could provide citizens with a right to know when and how their data is used by organizations, allowing them to regain control and participate more meaningfully in the decisions that affect their well-being."
In an effort to enhance individuals' rights to know when and how their data is used, Ontario has put forth two proposals for consideration:
- organizations must implement a privacy management framework (internal privacy policies, practices and procedures) detailing their compliance with regulatory obligations; and
- organizations must make information about their compliance-related policies, practices and procedures available to individuals. Such information, which would have to be provided in plain language, would convey the organization's use of data, the lawful basis relied upon for any such uses and how individuals may exercise their data rights.
Proposal 5: Protecting Children and Youth
Ontario proposes to provide special protections for children to guard by "introducing a minimum age of valid consent and prohibiting organizations from monitoring children for the purpose of influencing their decisions or behaviour."
Proposal 6: Increased Powers for Ontario's Privacy Commissioner and Penalties
Ontario is proposing to extend the mandate of the Information and Privacy Commissioner of Ontario (IPC) to include regulatory oversight, enforcement powers and the provision of support to organizations in connection with the new privacy regime.
Pursuant to the proposed language, the IPC would be empowered to:
- initiate and conduct investigations or audits;
- compel organizations to provide information;
- issue binding orders to non-compliant organizations; and
- impose administrative monetary penalties to a maximum of $10 million or 3 percent of gross global revenue for organizations, and to a maximum of $50,000 for individuals.
Proposal 7: Supporting Ontario Innovators
Ontario proposes to permit the use of de-identified information in specified circumstances to support innovation so that organizations can use this information to improve upon or develop technologies, services or products. Ontario proposes to clarify the meaning of de-identified information, defining it as: "information about an individual that no longer allows the individual to be directly or indirectly identified without the use of additional information.
Ontario has requested feedback in respect of its proposals from organizations, impacted stakeholders and the general public by August 3, 2021.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.