With its announcement last week about a public consultation to “improving provincial privacy laws,” Ontario is signalling it’s willing to pass its own private sector privacy law, joining Quebec, B.C. and Alberta.
Other than those three, the other provinces and territories accept the federal Personal Information Privacy and Electronic Documents Act (PIPEDA), which covers federally-registered businesses, as their law for overseeing data privacy in provincially-registered businesses. However, non-profits and charities aren’t covered, nor are Ontario provincial political parties.
Ontario’s existing privacy laws only cover the health, municipal and provincial public sectors (including universities and colleges).
Ontario says that among the proposals to be discussed in the public consultation are:
- The right for Ontario residents to request private sector organizations to delete the personal information they hold be deleted (the so-called “the right to be forgotten’”).
- The right to move their personal data from one organization to another (known as data portability).
- Enhancing the ability of residents to revoke their consent of organizations to collect private data at any time, and adopting an “opt-in” model for secondary uses of their information.
Former Ontario privacy commissioner Ann Cavoukian and Toronto privacy lawyer Barry Sookman of the McCarthy Tetrault law firm agreed in interviews if the province wants to achieve those goals, a new provincial privacy law that covers the provincially-registered private sector firms and bypasses PIPEDA is the answer.
Sookman said that while he isn’t opposed to Ontario having its private sector privacy law, he would be concerned if the legislation is inconsistent with PIPEDA “and created more compliance burdens on organizations for no good reasons.”
“It is much easier for organizations to have one regular set of laws. Constitutionally there may be an inability to cover everything, but it would be much preferable to have one set of laws, or at the very least the laws should be consistent from jurisdiction to jurisdiction to make compliance more efficient.”
Cavoukian, who is now the executive director of the Global Privacy & Security by Design Centre, said she is “absolutely delighted” with the decision to have a public consultation and its terms of reference. “I’m hoping whatever we get has real teeth, and is also practical and makes sense.”
That would include giving Ontario residents more power to refuse consent to have the private sector sell personal data it collects to third parties and advertisers, she explained.
The Ontario Chamber of Commerce quickly issued a statement urging the province not to go that route. “It is important that the Government of Ontario avoids duplicating federal government laws pertaining to the collection, use, and disclosure of personal information by private sector organizations. A patchwork of privacy rules would add additional costs, complicate the business environment, and act as an unnecessary barrier to interprovincial trade.”
In a recent report on creating an Ontario data strategy, the Chamber said updating privacy practices should be done in a way that retains legislative flexibility and allows for innovation largely by strengthening industry standards or codes of practice.
The report noted the Chief Information Officers (CIO) Strategy Council of Canada is reviewing data privacy standards around the collection, maintenance, sharing, and use of big data in different sectors of the economy as part of an update of the National Standard of Canada (NSC)’s Model Code for the Protection of Personal Information.
Sookman said that while he isn’t opposed to Ontario having its own private sector privacy law he would be concerned if the legislation is inconsistent with PIPEDA “and created more compliance burdens on organizations for no good reasons.”
“It is much easier for organizations to have one regular set of laws. Constitutionally there may be an inability to cover everything, but it would be much preferable to have one set of laws, or at the very least, the laws should be consistent from jurisdiction to jurisdiction to make compliance more efficient.”
The private sector in Ontario will likely make the same argument, Sookman predicted. Organizations will particularly worry that different privacy commissioners across the country will have the power to issue different fines or penalties over the same infractions.
Data privacy took a major change two years ago when the European Union passed the General Data Protection Regulation (GDPR) and strengthened the privacy rights of residents there, particularly through the right to be forgotten and data portability.
The Ontario consultation also comes two months after Quebec introduced legislation to update its privacy law and bring it closer to the GDPR. Ottawa has been warned by the federal privacy commissioner that PIPEDA probably needs to be updated as well or risk the EU declaring PIPEDA not equivalent legislation and forbidding companies here from holding or transferring data on EU residents.
Before the last federal election, the Liberal government made creating a Digital Charter one of its prime planks, including updating PIPEDA. It was a promise the new Liberal government vowed to keep. However, since it was returned as a minority government in October 2019 the Liberals haven’t introduced new privacy legislation.
One question raised about the Ontario consultation is whether the province is hinting it will move if the federal government is dragging its feet.
On Friday, IT World Canada asked to interview Government and Consumer Services Minister Lisa Thompson for more details about the consultation. As of press time, we have received no response. UPDATE. This morning the government said Thompson is at the annual meeting of the Association of Municipalities of Ontario and unavailable.
In addition to the three proposals listed above, the consultation paper says the government also wants to hear from residents on possibly increasing enforcement powers of the Information and Privacy Commissioner to ensure businesses comply with the law. These powers could include the ability to impose penalties, introducing requirements for data that has been de-identified and derived from personal information to provide clarity of applicability of privacy protections, or enabling the private sector to create data trusts for sharing data it collects in a privacy-protective way.
The possibility of creating data trusts in Ontario was first raised in 2018 by Sidewalk Labs for its proposed controversial Quayside Toronto waterfront high-tech community. The idea of creating an independent data trust to oversee personal data captured by Quayside was criticized by Cavoukian. What she saw as vague oversight of the proposed trust led in part led to her resignation as an advisor. With the advent of the COVID-19 pandemic and the stalling of construction projects, Sidewalk Labs walked away from the project.
Ontario residents can participate in the consultation in several ways: Industries, technical experts and impacted stakeholders can submit written responses, and residents can fill out an online survey by October 1st. Dates for the virtual town halls, which people will also have a chance to tune into, have not yet been announced.