The Province of Ontario intends to strengthen private sector privacy protections through dedicated new legislation.
Ontario is now in the midst of public consultations towards a made-in-Ontario privacy law.
Specifically, the provincial government is exploring the following potential changes for inclusion in new privacy legislation:
- Increased transparency for individuals, providing Ontarians with more detail about how their information is being used by businesses and organizations;
- Clear consent provisions allowing individuals to revoke consent at any time, and adopting an "opt-in" model for secondary uses of their information;
- Right for individuals to request information related to them be deleted or de-indexed, subject to limitations (this is otherwise known as "erasure" or "the right to be forgotten");
- Right for individuals to obtain their data in a standard and portable digital format, giving individuals greater freedom to change service providers without losing their data (this is known as "Data Portability");
- Oversight, compliance and enforcement powers for the Information and Privacy Commissioner (IPC) to support compliance with the law, including the ability to impose penalties where necessary;
- Introducing requirements and opportunities to use data that has been de-identified and derived from personal information, to provide clarity of applicability of privacy protections;
- Expand the scope and application of the law to include non-commercial organizations, including not-for-profits, charities, trade unions and political parties; and
- Create a legislative framework to enable a more modern privacy regime that would allow for a spectrum of compliance support mechanisms such as the establishment of data trusts for privacy protective data sharing.
Ontario's chief objectives in moving forward with a new privacy law are to "address gaps in the existing legislation" and "put in place comprehensive, up-to-date and robust rules that will protect privacy rights and increase confidence in digital services."
In order to understand the proposed changes to Ontario's privacy laws, it helps to understand the current status of privacy protections in Canada and internationally. In addition to gaps in the scope and coverage of privacy regulations within and between Canadian provinces, Canadian privacy rules increasingly lag behind international standards and best practices.
Fixing Gaps in the Existing Legislation
Ontario currently lacks a comprehensive privacy statute which is generally applicable to the private sector. Unlike British Columbia and Alberta, which have passed general privacy legislation provincially, Ontario has opted to rely on the federal Personal Information Protection and Electronic Documents Act (PIPEDA) for regulation of privacy in the private sector. Ontario also has a patchwork of sector-specific information and privacy statutes applicable to health care organizations, municipal public sector entities, and provincial public sector organizations.
Ontario's decentralized system of privacy regulation has often resulted in confusion about the scope and application of privacy protections in Ontario. For example, while PIPEDA currently applies to private sector organizations in Ontario, PIPEDA only covers employee information in organizations engaged in federal works, undertakings or businesses. In effect, this means that a majority of employers and employees in the province are not covered directly by privacy laws.
Privacy requirements may still arise from contractual or common law principles. Indeed, in the absence of dedicated provincial privacy legislation and policy development, much of the recent development of privacy law in Ontario has been at common law, through the decisions of judges, labour arbitrators, and tribunals. A milestone in this development was the Ontario Court of Appeal's 2012 decision in Jones v. Tsige, in which the Court recognized the privacy tort of "intrusion upon seclusion," a claim capable of redressing privacy breaches even in the absence of specific statutory duties.
More Robust Legislated Privacy Protections
Ontario's focus on enacting provincial privacy legislation is also responsive to the fast pace of technological change, consumer and employee expectations, and international privacy developments.
One landmark international development was the recent implementation of the European Union General Data Protection Regulation (GDPR) in 2018. GDPR set progressive new benchmarks in global privacy protections (such as "the right to be forgotten") backed by robust compliance and enforcement mechanisms, including data breach notification requirements and substantial penalties for contraventions. Notably, GDPR applies not only to businesses established in the EU, but also extraterritorially to companies that offer goods or services to EU residents, even if they are based in Canada or in other non-EU member states.
In Canada, Ontario is not alone in playing catch-up on emerging best practices and international privacy developments. Canada's federal government has also signalled its intention to overhaul PIPEDA to provide stronger protections across the federal sector. In a June 2018 Government Response to recommendations made in a Parliamentary report on PIPEDA, the federal government committed to reforming the Act. The federal government has also outlined its plans in a 10-point Digital Charter which will guide future privacy reforms at the federal level.
Meanwhile, Quebec recently tabled its own privacy legislation on June 12, 2020. The proposed Quebec law, Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, reflects many of GDPR's lofty standards and would follow GDPR's veer away from the status quo of "toothless" Canadian privacy regulations.
Time will tell the precise shape of the forthcoming made-in-Ontario approach. The privacy changes the province is currently exploring in consultations appear to be less onerous than requirements proposed under Quebec's Bill 64 and under the EU GDPR regime, but would still be significant and overdue improvements from Ontario's current privacy patchwork.