Insights Header image
Insights Header image
Insights Header image

Is Private Sector Privacy Legislation Looming in Ontario?

July 5, 2021 Privacy Law Bulletin 4 minute read

Ontario’s provincial government has released a white paper setting out various privacy policy proposals for input, signalling that Ontario private sector privacy legislation may be on the horizon.

Impetus for Change

Private sector organizations in Ontario that collect, use or disclose personal information in the course of commercial activities are currently subject to federal privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

Late last year, the federal government tabled Bill C-11 which, if passed, would introduce significant amendments to federal privacy legislation.  However, the Bill has faced criticism from privacy advocates and businesses alike.  Echoing the Privacy Commissioner of Canada’s view that Bill C-11 is a “step back” in protecting personal information, the Ontario government’s white paper suggests that the federal government should consider significant changes to Bill C-11, failing which Ontario will contemplate tabling a “made-in-Ontario” private sector privacy and data protection law.

Though the government has not yet tabled such a provincial law, the white paper provides examples of legislative language to demonstrate how its proposed policies could be reflected in law.

Key Proposed Policies

Some of the proposed policies set out in the white paper are similar to provisions that already exist in PIPEDA and accompanying regulatory guidance, or that have been proposed in Bill C-11.  For example, the paper proposes the following:

  • Fair and Appropriate Purpose.  An organization would only be permitted to collect, use or disclose personal information for purposes that a reasonable person would consider fair and appropriate in the circumstances.  Assessing the reasonableness of the purposes would take into account various factors, including the volume, nature and sensitivity of the personal information and whether there are any less intrusive means of achieving the purposes at a comparable cost and with comparable benefits.
  • Transparency. The government is considering requiring organizations to implement privacy management programs to govern their collection, use and disclosure of personal information, and to provide individuals with certain key information, in plain language, in order to obtain meaningful consent.
  • Right to Data Portability.  Like Bill C-11, Ontario’s white paper contemplates that individuals may have the right to ask for their personal information in a digital format in order to enable them to transfer their information to another organization. The government is grappling with whether these data mobility rights should extend to information inferred from personal information by evidentiary reasoning or other analytical processes, a move that organizations may find impractical or a violation of proprietary information rights.
  • Right to Disposal.  Ontario is also contemplating the introduction of a right to require an organization and its service providers to dispose of the individual’s personal information, subject to certain limitations. The government is considering the scope of this right, including whether organizations should be required to inform individuals of the reasons for refusing such a request and any recourse available to the individual following a refusal.

The Ontario government has also proposed several areas of reform which, if passed into law, would differ significantly from PIPEDA (and, in some cases, existing substantially similar privacy statutes in other provinces), including:

  • Expanded Application.  Unlike PIPEDA (or its successor legislation, if passed), proposed  legislation in Ontario would apply to charities, non-profit organizations, trade unions and other non-commercial organizations that handle personal information. It also appears that, like private sector privacy legislation in Alberta, British Columbia and Quebec, the legislation would apply to the personal information of employees of provincially-regulated businesses operating in Ontario.
  • Rights-Based Approach to Privacy.  The government proposes a fundamental right to privacy and protection of personal information for Ontarians, regardless of commercial interests.  This approach is said to more closely align with Europe’s General Data Protection Regulation (the “GDPR”) and the explicit right to privacy set out in Quebec’s Charter of Human Rights and Freedoms and Civil Code.
  • Other Lawful Uses of Personal Information.  The Ontario government is considering condoning certain circumstances when personal information can be collected, used or disclosed without obtaining consent.  Notably, the government disapproves of Bill C-11’s proposed exception to consent where obtaining such consent would be impracticable because the organization does not have a direct relationship with the individual.
  • Right to be Forgotten.  The Ontario government is considering expanding Bill C-11’s proposed right to deletion, by also introducing the “right to be forgotten” – i.e., the right, in some circumstances, to require an organization to de-index search results that contain personal information about the individual that have been posted by others.
  • Automated Decision-Making.  The Ontario government is contemplating introducing an obligation for organizations to disclose the use of automated decision-making systems to make predictions, recommendations or decisions about an individual and, borrowing from the GDPR, a prohibition on the use of automated decision systems to make decisions that would significantly affect individuals (with limited exceptions, including with the individual’s express consent).
  • Protection of Children.  The Ontario government may also introduce special privacy protections for children, including requiring parental or guardian consent on behalf of a child under the age of sixteen, and prohibiting organizations from monitoring children for the purpose of influencing their decisions or behaviour.
  • Oversight & Enforcement.  Like Bill C-11, the Ontario government proposes stronger oversight and enforcement mechanisms as compared to PIPEDA and current provincial equivalents.  In particular, the government proposes that the Information and Privacy Commissioner of Ontario (“IPC”) would assume oversight of compliance with the legislation, including the development of certification codes of practice to help organizations meet their new obligations. Moreover, the government is considering the adoption of similar enforcement measures as proposed in Bill C-11, including the ability for the IPC to levy monetary penalties of up to $50,000 CAD for individuals and the greater of $10 million CAD or three percent (3%) of gross global revenue in the prior financial year for organizations, subject to judicial oversight.

Next Steps

The provincial government has launched a public consultation to seek feedback on the white paper’s proposals for strengthening privacy protections in Ontario. Comments on the proposals can be submitted online before August 3, 2021.

TRC-Sadovod Vantage, TRC-Sadovod LLP’s public affairs arm, is available to assist organizations that wish to engage with the provincial government by preparing and submitting feedback on the white paper.

Although the Ontario government has indicated that it intends to provide a minimum of two years for businesses to comply with any new privacy statute (if it, indeed, proceeds with tabling its own legislation), organizations should consider reviewing their existing privacy compliance programs in order to determine whether they are well-positioned to adapt if / when any statutory changes occur.  TRC-Sadovod’s Privacy & Data Protection Group is available to help your organization evaluate, develop and implement appropriate privacy and data protection policies and procedures.

By Lyndsay A. Wasser and Kristen Pennington

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© TRC-Sadovod LLP 2021

Insights (5 Posts)View More

Featured Insight

Please Pay the Ferryman: OSC Seeks to Levy Additional Fees on Registered and Unregistered Crypto Asset Trading Platforms (CTPs)

The OSC proposed amendments to OSC Rule 13-502 Fees and OSC Rule 13-503 (Commodity Futures Act) Fee and its impact on crypto asset trading platforms.

Read More
Nov 16, 2023
Featured Insight

Canada’s Luxury Tax on Aircraft: A Primer for Non-Canadian Sellers and Brokers

Outlines potential implications for non-Canadian parties to common aircraft transactions under the Canadian federal Luxury Tax.

Read More
Nov 15, 2023
Featured Insight

CETA, TCA, CPTPP and CUKFTA – The Web of Trade Agreements Between Canada and the UK

Canada and the UK will maintain a strong trade relationship and preferential market access through a complex and expansive web of trade agreements.

Read More
Nov 15, 2023
Featured Insight

Ontario Court of Appeal Upholds 30-Month Notice Period

Ontario’s Court of Appeal has upheld an astounding 30-month notice period awarded to a non-managerial employee with almost 40 years of service.

Read More
Nov 13, 2023
Featured Insight

Corporate Counsel CPD Webinar | Essential Leadership Practices: Supporting the resilience, engagement, and impact of your team

Join professional coach and certified stress management educator, Marla Warner, for an engaging program that will help you focus on elevating performance outcomes, while supporting your team’s engagement and wellbeing. You will learn how to foster trust and respect in your team, the benefits of “coaching”, and why gratitude, empathy and compassion are the superpowers for leaders in 2023 and beyond.

Details
Friday,  November 24, 2023