Ontario is closer to creating its own provincial privacy law that would include a right to privacy and a corporate obligation to report privacy breaches. This week, the province said it’s considering these moves in part because the proposed overhaul of federal privacy legislation, which Ontario has relied on so far, is flawed.
On Thursday the province released a white paper for public discussion to create “a fundamental right to privacy, protect Ontarians from unjustified surveillance, and promote responsible innovation.”
One proposal: A maximum administrative penalty of $10 million or three per cent of an organization’s gross global revenue for violating the law. For failing to report a breach of security safeguards, failing to abide by a compliance order or re-identifying personal information that had been de-identified, an organization might be penalized up to $25 million or five per cent of its global revenue.
“The Government of Ontario’s vision is to make Ontario the world’s most advanced digital jurisdiction,” the white paper says. “Paramount to this work is digital privacy, and ensuring Ontarians have the power to control what personal data they share, when they share it, and with whom they share it. This is a priority of the Ontario government.”
Only three provinces — Quebec, British Columbia and Alberta — have their own private sector privacy laws. The other provinces and territories follow the federal Personal Information Protection and Electronic Documents Act (PIPEDA). The Liberal government has proposed overhauling PIPEDA with a new law to be called the Consumer Privacy Protection Act (CPPA, also known as Bill C-11).
However, it isn’t clear how much heart the minority government has behind the legislation. After being introduced in Parliament seven months ago, the bill is still in second reading and hasn’t been referred to a committee for detailed analysis.
“The bill would give consumers less control and organizations more flexibility in monetizing personal data, without increasing their accountability,” he said. “Furthermore, the penalty scheme is unjustifiably narrow and protracted.”
In explaining why the province is thinking of going its own way, Government and Consumer Services Minister Lisa Thompson issued a statement saying that while C-11 “may appear to be modernizing outdated legislation,” it has “stripped away key protections that Canadians expect to have and has been recognized as a ‘step back’ by the Office of the Privacy Commissioner of Canada.”
Thompson said a comprehensive national privacy regime would be ideal, but the federal bill on the table is “fundamentally flawed.”
UPDATE: The Ontario Chamber of Commerce opposes Ontario’s march to its own data privacy law. In an interview this afternoon, Claudia Dessanti, the chamber’s senior policy manager, said members reacted with “anxiety” on hearing about the release of the white paper and the upcoming public consultation.
“Our position has long been privacy regulation of businesses should remain at the federal level,” she said. “PIPEDA is national for a reason: Businesses that operate across Canada cannot navigate different sets of rules. It’s a lot of red tape, it’s a lot of uncertainty and cost, and it deters them from investing in Canada.”
“We would love to see the province work with the federal government to make necessary changes federally.”
Kris Klein, a privacy lawyer with the Ottawa law firm nNovation, said in an email he was encouraged when Ontario showed an interest in passing its own private sector privacy law last year. “It would fill the gap for so many employees that don’t have their privacy rights regulated in Ontario. Because PIPEDA only applies to employees of federal works and undertakings, the lack of provincial legislation means there’s a big black hole.”
PIPEDA was last amended in 2015. However, since the European Union implemented the General Data Protection Regulation (GDPR) in May 2018, PIPEDA has needed updating to be in compliance with GDPR. With no action from Ottawa, in August 2020 Ontario announced a public consultation on improving provincial privacy laws. That led to the release of the white paper. White papers are usually a sign a provincial or federal government is seriously considering legislation.
The white paper follows the release in April of Ontario’s digital and data strategy.
Briefly, the white paper suggests passing a law that checks the following boxes:
- Creating a rights-based approach to privacy. This could include giving individuals more control over their personal information, including the right to ask for their personal data in a digital format. Individuals could also ask organizations to delete personal information collected about them (the so-called right to be forgotten).
- Providing for the safe use of automated decision-making (otherwise known as artificial intelligence (AI) or machine learning).
- Enhancing individual consent and lawful uses of personal data by organizations that collect it.
- Mandating data transparency for all Ontarians so they are aware of how their data is used, collected and disclosed and can exercise their right to privacy.
- Providing ways to protect children and youth from threats such as cyberbullying.
- Creating “a fair, proportionate and supportive regulatory regime.”
- All while supporting Ontario innovators.
No need for a separate tribunal for approving fines
The proposals would also expand the scope of provincial privacy law to include non-commercial organizations such as charities, not-for-profit organizations, trade unions and non-commercial activities. These groups wouldn’t be covered under the CPPA.
In terms of regulating a new privacy act, the white paper notes Ontario already has an information and privacy commissioner who oversees the provincial and municipal access to information legislation and a law that protects personal health information. The white paper says the commissioner’s mandate could be extended to cover the new privacy law.
The province suggests its privacy law would have some similarities to the proposed CPPA, including giving the privacy commissioner the authority to initiate and conduct investigations and audits, compel organizations to provide relevant information on how they manage personal information and issue binding orders to organizations found to be in non-compliance with the law. However, unlike the proposed federal law, the provincial privacy commissioner wouldn’t have to deal with a separate tribunal for approving fines.
The white paper suggests the provincial law would say an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider fair and appropriate in the circumstances. That’s similar wording to C-11 and other provincial privacy laws.
“Fair and appropriate,” as the white paper describes it, covers a lot. This includes the volume, nature and sensitivity of the personal information, including whether the organization has taken steps to de-identify the personal information; whether the collection, use or disclosure is necessary to achieve the legitimate needs of the organization; whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits; and whether the individual’s loss of privacy is proportionate to the benefits in light of any measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual.
The overall right to privacy is supported by affirming important data rights that allow Ontarians to access, correct, transfer and dispose of their own personal information. The right to access one’s own personal information and to request its correction is already in PIPEDA, the white paper adds. The right of individuals to obtain and transfer their own information, known as “data mobility” or “data portability,” is in the proposed CPPA.
“Ontario may also consider the possibility of exceeding the federal right of disposal, enshrining a requirement for organizations to de-index search results that contain personal information about an individual that has been posted by others,” the provincial document reads. “This ‘right to be forgotten,’ if introduced, would be subject to countervailing freedom of expression concerns and considerations.”
As for artificial intelligence, the white paper says the privacy law could give a person a right to an explanation of how an automated decision system made a prediction, recommendation or decision about the individual. It could also forbid an organization from using an automated decision system to make a decision about an individual, including profiling, if the decision would significantly affect the individual except under certain circumstances. For example, an automated decision could be necessary for a contract between an individual and an organization.