The Ontario government's proposed private sector privacy law has the potential to add to regulatory burden and duplication. These were among the themes covered during Osler's AccessPrivacy call hosted by Adam Kardash, Partner, Privacy and Data Management.
Should Ontario pass a new privacy law, there would be 34 federal and provincial privacy statutes in the private, health, and broader public sectors, making compliance for organizations increasingly intense and expensive. In the case of a security incident or a complaint by individuals in several provinces, an organization could be subject to five privacy laws and have to engage with five separate privacy regulatory authorities, each of which may be able to issue considerable monetary penalties under reformed privacy legislation.
The government's Modernizing Privacy in Ontario white paper does not speak expressly about the need for harmonization across Canadian jurisdictions. A private sector privacy law in Ontario will not achieve a "gold standard" seal unless it functions in association with the laws in other provinces and jurisdictions.
The white paper identifies a range of factors for the regulatory authority to consider when imposing a fine, but a list of both mitigating and aggravating factors as guideposts would be helpful in managing organizations' compliance measures and expectations. This would be a welcome improvement to the current statutory framework.