On August 13, 2020, the Government of Ontario launched a consultation to consider improvements to that province's privacy laws. The focus of the consultation and the accompanying discussion paper is the possible creation of a provincial private-sector privacy law. Ontario does not have a general privacy law that applies to private-sector businesses and organizations. For Ontario businesses and consumers, privacy, and the handling of personal information by private-sector organizations, is governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
Key Areas of Reform and Discussion
In its news release and discussion paper, the government highlights several key areas for reform on which it is seeking input, specifically:
- Transparency on how personal information is used by businesses and organizations, including "re-imagining consent and transparency requirements, and considering alternative models which better equip Ontarians to make informed choices… and to exercise greater control…";
- Enhanced consent requirements, including "an 'opt-in' model for secondary uses of information" (such as secondary marketing);
- A right for individuals to have their personal information deleted or de-indexed;
- Added powers for the Ontario Information and Privacy Commissioner, including the power to impose penalties;
- Specific restrictions and permitted uses for de-identified data and data derived from personal information, the latter of which is data that "repurposes personal information that has been previously supplied, as well as other recorded behaviour";
- The application of a new law to non-commercial activities (e.g., non-profits, charities, trade unions, political parties); and
- New compliance support mechanisms and the use of "data trusts" to help organizations pool and share personal information.
Many of the above topics are addressed under PIPEDA and related Privacy Commissioner of Canada guidance and decisions, while others echo that Commissioner's complaints about the limitations of PIPEDA and the need for federal reform. Some of these topics cannot be regulated by PIPEDA on account of limitations to federal jurisdiction over "trade and commerce".
The discussion paper points to developments elsewhere, namely the European General Data Protection Regulation (GDPR) and the Quebec government's privacy reform bill, as an impetus for a "made-in-Ontario" solution to protect privacy and to align with the "new global standard" set by the GDPR. As a result, Ontario's discussion paper is influenced by the GDPR, and those familiar with the European regulation will likewise be familiar with some of the key areas of reform outlined above.
What Might be Covered by the New Law?
Non-profits, Charities, Trade Unions, Political Parties
A new Ontario law is widely expected to apply to a broader range of organizations than PIPEDA, such as non-profit organizations, charities, trade unions, and political parties. PIPEDA does not apply to charities or political parties, and only applies to the activities of non-profit organizations (other than charities) that have a "commercial character".
A new Ontario law is also expected to encompass provincially-regulated employment relationships. From an employee privacy perspective, PIPEDA only applies to federally-regulated employment relationships. So, provincially-regulated employers in Ontario (such as retail, hospitality, manufacturing, and professional services firms, among many others) are currently not subject to any privacy statutes in relation to employee privacy (aside from narrow protections provided by the Occupational Health and Safety Act).
This would be a considerable change to the compliance landscape for Ontario employers, who (likely along with charities and non-profit organizations) will need to develop new privacy compliance programs (including policies, procedures, consent forms, and training programs) and validate existing safeguards and contractual arrangements. Although many organizations have existing privacy programs in place, these will still need to be assessed against the new law's requirements.
New Oversight Body
For organizations already subject to PIPEDA, a new law will also bring a new oversight body: the Information and Privacy Commissioner of Ontario will join the Privacy Commissioner of Canada in providing guidance and investigating privacy matters and responding to complaints. This means that organizations in Ontario whose privacy-related activities extend outside of Ontario's borders will be subject to oversight by multiple privacy commissioners if a new law is enacted.
It also seems likely that the Information and Privacy Commissioner of Ontario will be granted the power to impose financial penalties. Ontario has already expanded its health privacy law to allow the Commissioner to make an order imposing administrative penalties on any person whose activities the Commissioner has reviewed, if the Commissioner is of the opinion that the person has contravened that law or its regulations. The Commissioner may issue such an order to either encourage compliance with the law or to prevent a person from deriving an economic benefit from contravening it. While the parameters of that regime and levels of penalty will be set out in future regulations, a similar regime could appear in Ontario's general private-sector privacy law.
Alternatives to Consent
The government may also be open to grounding the new law on an authority other than consent.
Some of the more interesting points in the discussion paper go to one of the key differences between Canadian privacy laws, which are consent-based, and the GDPR, which sets out additional bases on which to process personal information (for example, as required for the performance of a contract or for the purposes of a legitimate interest). The discussion paper contemplates alternatives to consent. For example, it raises the possibility of requiring organizations to offer clear and plain language information on their handling of personal information, where organizations would then only seek consent for the processing of personal information other than that described in these notices. In practice, however, it does not seem that this proposal would differ significantly from existing consent requirements (e.g., for implied consent), and the discussion paper continues to refer to clarifying "exceptions to consent". It is not obvious from reading the paper how receptive the government is to considering free-standing bases on which to process personal information other than consent. In addition, PIPEDA would also have to be amended along the same lines to avoid many Ontario businesses being tied to PIPEDA's consent regime.
As with the existing provincial privacy laws in Alberta and British Columbia, a new Ontario privacy law would have overlapping application with PIPEDA as PIPEDA would continue to apply to interprovincial and cross-border flows of personal information in the course of commercial activities. As a result, the government will need to consider this overlap to avoid any incompatible standards or burdens from concurrent jurisdiction. Otherwise, the new law may not "nurture innovation for Ontario businesses, associations and other organization" as the government hopes.
Ontario is not the only Canadian jurisdiction revisiting its approach to privacy. As noted above, Quebec has proposed amendments to its private-sector privacy law. Earlier this year, the British Columbia legislature appointed a Special Committee to review that province's private-sector privacy law. Even earlier, the federal government committed to reforming PIPEDA after releasing its Digital Charter in 2019 (which will doubtlessly bring PIPEDA in closer alignment to the GDPR).
Participating in the Consultation
Organizations that collect, use or disclose personal information in Ontario should consider participating in the consultation – such as by making written submissions, or by responding to the Government's online survey prior to October 1, 2020.
In particular, Ontario employers and non-profit organizations that are currently not subject to PIPEDA have the most at stake, as a new Ontario privacy law will likely require them to develop new privacy compliance programs (where they were previously unregulated).