Just over two months after Bill 64, an Act to modernize legislative provisions as regards the protection of personal information, was introduced in the National Assembly of Quebec, the Ontario government launched a consultation on private sector privacy reform in the province.
To guide the consultation, the government published a discussion paper that outlines a series of privacy discussion topics, reflecting key areas that the government is considering for a new Ontario private sector privacy law:
- Increased transparency for individuals, providing individuals with more detail about how their information is being used by businesses
- Clear consent provisions allowing individuals to revoke consent at any time, and adopting an "opt in" model for secondary uses of their information
- Right for individuals to request that information about them be deleted or de-indexed, subject to limitations
- Right for individuals to obtain their data in a standard and portable digital format, giving individuals greater freedom to change service providers without losing their data
- Oversight, compliance and enforcement powers for the Information and Privacy Commissioner of Ontario (IPC) to support compliance with the law, including the ability to impose penalties where necessary
- Introducing requirements and opportunities to use data that has been de-identified and derived from personal information, to provide clarity of applicability of privacy protections
- Expanded scope and application of the law to include non-commercial organizations, including not-for-profits, charities, trade unions and political parties
- A legislative framework to enable a more modern privacy regime that would allow for a spectrum of compliance support mechanisms, such as the establishment of data trusts for privacy protective data sharing
Further details on each of these topics are outlined in the discussion paper.
In light of the advice being sought, it appears that the Ontario government is looking to implement a General Data Protection Regulation (GDPR)-like statute for the province of Ontario, which is consistent with the approach taken by the Quebec government in respect of Bill 64.
Interestingly, unlike the province of Quebec, Ontario does not currently have a private sector privacy statute of general application. Rather, private sector organizations in Ontario — outside of the health sector — are governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA), but only in respect of personal information collected in the course of commercial activities. Provincially regulated employers in Ontario, for example, are not subject to any privacy legislation in respect of their processing of employee personal information for employment-related purposes. The Ontario government is looking to not only enhance privacy protections in Ontario, but also to create an entirely new statute and entirely new obligations, which will no doubt lead to increased costs for businesses.
The government is accepting comments from impacted businesses and the general public through written submissions or an online survey until October 1, 2020.
Originally published August 13, 2020.
For permission to reprint articles, please contact the Blakes Marketing Department.
© 2020 Blake, Cassels & Graydon LLP.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.