Canada’s two largest provinces are focusing on strengthening privacy protections, signalling material changes to Canada’s privacy landscape may be afoot.
On August 13, 2020, the Ontario government launched consultations aimed at strengthening the province’s privacy protection laws. The province is using an online survey, has called for written submissions, and will be conducting web conferences to seek input on this new legislative framework.
The province’s call for consultations signals an entirely new legislative regime for the private sector in Ontario may be on the horizon. If Ontario legislates, it could mean new statutory privacy protections for private sector employees and regulation of non-commercial organizations in the province. In Ontario, private sector employees do not benefit from statutory privacy protections. Likewise, not-for-profits, charities, professional associations, trade unions and political parties, for example, are currently not subject to statutory privacy laws in Ontario. Privacy in the private sector in Ontario is currently governed by the Personal Information Protection and Electronic Documents Act (PIPEDA), federal legislation which regulates how private sector organisations collect, use, and disclose personal information while conducting business in Canada. This legislation governs both federally regulated organisations and organisations which are not subject to provincial privacy laws that are substantively similar to PIPEDA. The provinces of Alberta, British Columbia, and Quebec are the only provinces with such laws at this time.
The online survey asks Ontarians whether it is important for Ontario to create its own laws. The focus of the survey is generally on whether privacy laws need to be updated to deal with new technologies. It seeks to gather general information related to how Ontarians interact online and in the digital world, and how Ontarians approach and to what extent Ontarians are concerned with their privacy. For example, questions include whether Ontarians read privacy statements, whether they change default privacy settings, whether they are concerned with ancillary uses of their information, and whether they believe they have a right to be informed and consent before an organization buys or sells personal information. It also inquires about whether there should be stricter rules for genetic and biometric data, and whether there should be different treatment of de-identified information. The questions give a good idea of issues, policies and options being considered. It also generally appears aimed at inquiring about the impact privacy laws have on businesses and innovation in Ontario. The survey asks, for example, whether privacy laws make it more difficult for businesses to innovate, whether organizations should be able to share de-identified and aggregate data through a public data trust to encourage innovation, and if it is important that businesses face fines for not complying with privacy laws.
Generally, the government is asking for advice on ways to:
- Increase transparency for individuals, providing Ontarians with more detail about how their information is being used by businesses and organizations.
- Enhance consent provisions allowing individuals to revoke consent at any time, and adopting an "opt-in" model for secondary uses of their information.
- Introduce a right for individuals to request information related to them be deleted, subject to limitations (this is otherwise known as "right to erasure" or "the right to be forgotten").
- Introduce a right for individuals to obtain their data in a standard and portable digital format, giving them greater freedom to change service providers without losing their data (this is known as "data portability").
- Increase enforcement powers for the Information and Privacy Commissioner to ensure businesses comply with the law, including giving the commissioner the ability to impose penalties.
- Introduce requirements for data that has been de-identified and derived from personal information to provide clarity of applicability of privacy protections.
- Expand the scope and application of the law to include non-commercial organizations, including not-for-profits, charities, trade unions and political parties.
- Create a legislative framework to enable the establishment of data trusts for privacy protective data sharing.
This initiative comes on the heels of the introduction of new legislation by the government of Quebec which would strengthen the existing privacy laws in that province. Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, has been introduced to modernise “the framework applicable to the protection of personal information” in various provincial acts.
The proposed legislation appears to be influenced by the European Union’s General Data Protection Regulation (GDPR) and includes new requirements for companies to have data protection officers, mandatory reporting of data security breaches, more robust consent requirements, and a right to be forgotten, similar to some of the stated objectives of the Ontario government. It also creates a private right of action which would permit individuals to bring a claim for damages for an unlawful infringement of a right conferred by the Act or the Civil Code of Quebec.
If passed, the legislation in Quebec will contain some of the most punitive privacy laws in the country, with fines ranging from $15,000 to $25,000,000 CAD or 4% of worldwide turnover from the preceding fiscal year, whichever is greater. Fines will be doubled in the case of subsequent offences. This is significantly higher than the current maximum of $50,000 CAD and is greater than the maximum penalties which can be levied under Canada’s Anti-Spam Legislation.
The Covid-19 pandemic has highlighted our reliance on information technology platforms and it remains to be seen what will transpire in Ontario and Quebec, and whether other provinces will also take steps to enhance the privacy protections for Canadians.