On June 17, the Ontario Ministry of Government and Consumer Services ("MGCS") released a white paper outlining a series of proposals to modernize privacy protection for Ontarians with respect to the private sector, which is currently governed by the federal Personal Information Protection and Electronic Documents Act (the "PIPEDA").
The MGCS invites organizations, impacted stakeholders and the general public to submit comments on the proposals in the white paper by September 3, 2021.
The proposals are organized around the following seven areas of reform:
1. A rights-based approach to privacy
The first proposal would establish privacy as a fundamental right, as is the case in Europe with the General Data Protection Regulation (GDPR) and in Quebec, where the Act respecting the protection of personal information in the private sector "recognizes and implements the right to privacy explicitly set out in the Quebec Charter of Human Rights and Freedoms and Civil Code" (p. 4).
The proposal would include the adoption of a preamble that could read as follows:
Privacy is a foundational value in society. Every individual is entitled to a fundamental right to privacy and the protection of their personal information.
Changes in technology have allowed organizations to easily collect vast amounts of personal information about individuals, often undermining the control that an individual has over their personal information.
To establish the trust and confidence of individuals, organizations must be subject to rules, guided by principles of proportionality, fairness and appropriateness with respect to the collection, use or disclosure of personal information. (p. 5)
The proposal also suggests redefining personal information to take into account "the highly variable forms in which data is found and used" (p. 4); establishing a "general requirement for organizations to limit their collection, use and disclosure [of personal information]" (p. 6); and recognizing, in addition to the right to access one's personal information and the right to request its correction, the right to mobility/portability of personal information (p. 7) and the right to the erasure/deletion of personal information (pp. 8 and 9).
2. The safe use of automated decision-making
The second proposal focuses on profiling, which would be defined as "any form of automated collection, use or disclosure of personal information to evaluate, analyse or predict aspects relating to an individual" (p. 12). It aims to regulate the use of automated decision systems ("ADS"), defined as "any technology that assists or replaces the judgment of human decision-makers using techniques such as rules-based systems, regression analysis, predictive analytics, machine learning, deep learning and neural nets" (p. 12).
The proposal suggests that ADS safeguards be established, similar to those that exist in the GDPR, Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, and Quebec's Bill 64, An Act to modernize legislative provisions as regards the protection of personal information.
These safeguards could range from a requirement to inform individuals of the use of an ADS, to a prohibition on the use of such systems "in situations of significant impact" on the lives of Ontarians (p. 13), to the right to ask what personal information was used or the reasons, principal factors and parameters that led to the decision, or to contest the decision and have it reviewed by an individual within the organization with sufficient knowledge to do so (pp. 13-14).
3. Enhancing consent and other lawful uses of personal information
While recognizing the importance of consent to the collection, use and disclosure of personal information, the third proposal seeks to provide alternatives to consent to "reduce 'consent fatigue' for Ontarians" (p. 17). The proposed alternatives include implied consent under certain circumstances and relying on various grounds such as "business activities," "business transactions," an "employment relationship," an "emergency," "research in the public interest" and the de-identification of personal information (p. 17 et seq.).
4. Data transparency for Ontarians
The fourth proposal aims to strengthen transparency, "a cornerstone of modern privacy law" (p. 25). To this end, it offers two proposals:
- to "require organizations to implement internal privacy policies, practices and procedures," "to implement a privacy management program [...] and to make that program available for review" (p. 26); or
- to require "organizations to make information available, in plain language, that explains how the organization is using individuals' data, the lawful basis they are relying on, and how Ontarians can follow up to exercise their data rights" (p. 27).
5. Protecting children and youth
The fifth proposal is to provide specific protections for children and youth, such as introducing "an explicit requirement for parental consent on behalf of a 'child' under the age of 16 years" (p. 30). However, "to recognize the capacity of mature minors," one option might be to "[provide] youth between the ages of 13 and 16 with a right to object to their parent's (or guardian's) consent to provide their personal information on their behalf, or conversely, to object to their parent's (or guardian's) request to destroy or take down personal information about them" (p. 31).
Another option under consideration is "explicitly prohibiting organizations from using artificial intelligence technologies to exploit children's data" (p. 31).
6. A fair, proportionate and supportive regulatory regime
The sixth proposal is to give the Office of the Information and Privacy Commissioner of Ontario the following powers (pp. 33-38):
- oversight powers, with the ability to issue orders following an investigation and to impose fines when organizations violate certain provisions of the Act (e.g., failure to report a breach of security, failure to retain information subject to an IPC inquiry, failure to abide by an IPC compliance order, and re-identification of personal information that has been de-identified). In these situations, the organization could be subject, upon conviction, to a fine of not more than the higher of $25,000,000 or an amount equal to 5% of the organization's gross global revenue in its financial year preceding the year in which the organization is sentenced;
- powers to enforce compliance, including the power to order administrative monetary penalties that, in the case of an organization that is not an individual, must not exceed the greater of $10,000,000 or an amount equal to 3% of the organization's gross global revenue in its financial year preceding the year in which the penalty is imposed; and
- powers to support and assist organizations to become compliant.
7. Supporting Ontario innovators
The seventh proposal recognizes the importance of innovation while emphasizing that it must be done in a way that respects the rights of Ontarians. To do this, the proposal suggests the following:
- adopt "rules regarding the use of automated decision systems that have a significant impact on individuals" (p. 39);
- "require organizations to use de-identified information, whenever possible, to reduce the risks of harm to the individual, while also providing clarity on the obligations that organizations would have with respect to de-identified information" (p. 39);
- "[prohibit] the re-identification of personal information, except in accordance with stipulated technical and administrative measures, including privacy protections" (p. 40); and
- encourage "the use of anonymized data by removing it from privacy rules altogether" (p. 41).
As stated at the outset of the white paper, these proposals "are intended to facilitate dialogue" (p. 1) aimed at modernizing privacy protection in Ontario through the passage of a privacy bill in the Ontario legislature.
We will be closely monitoring the outcome of this public consultation as well as any follow-up by the Ontario legislature, and will be sure to keep you informed.