Is It Finally Happening? A Sneak Peek Into Ontario’s Possible New Private Sector Privacy Law
August 2020
On August 13, 2020, Ontario’s Ministry of Government and Consumer Services initiated a public consultation to develop a private sector privacy law for the province. Currently, Ontario doesn’t have its own privacy law for private sector businesses and organizations, and is governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA). The government’s stated goal is to create “a unique, made-in-Ontario solution to today’s privacy challenges, one that suits Ontario’s size and complexion, and will nurture innovation for Ontario businesses, associations and other organizations.”
Both federal and provincial privacy commissioners have long lamented the gaps in our legislative privacy frameworks, so this consultation is the beginning of a critical opportunity for improvement and modernization. But why now? In her blog post entitled “Has the Time Come for a Private Sector Privacy Law in Ontario?”, the Information and Privacy Commissioner of Ontario, Patricia Kosseim, cites the wave of privacy legislative reform both in Canada (e.g. Quebec’s Bill 64) and abroad (e.g. the E.U.’s GDPR), and the COVID-19 pandemic which has accelerated both the move to virtual work environments and consumer reliance on digital tools and services. The Commissioner concludes that “these developments have laid bare significant regulatory gaps in Ontario that require urgent attention.”
The Ontario government’s consultation process is framed by a discussion paper that seeks feedback on several key topics which have influenced privacy regulations globally. These topics offer a glimpse into what we may expect from the new legislation, and how it may impact Ontario’s private sector:
1. Transparency: Individuals should be provided with more detail about how
businesses and organizations are using their information. Organizations may be
required to share information about the use of personal information in clear, plain
language.
2. Consent: The legislation may consider alternative models to consent as the
government “is now re-imagining consent and transparency requirements, and
considering alternative models which better equip Ontarians to make informed
choices about their service providers, and to exercise greater control over the
collection, use and disclosure of their personal information.” In addition to
considering alternative models, the law would likely clarify rules governing
consent provisions including how individuals may withdraw consent at any time
and adopt an “opt-in” model for secondary uses. The legislation will likely aim to
ensure individuals are empowered to make more informed choices about how
their information is being used, and what exactly they are agreeing to when they
provide consent.
3. Data Erasure: Provide a right to data erasure (i.e. the right to be forgotten). This
means that individuals could request that their information be deleted or
de-indexed (i.e. removed from online search results). In our digital world, this right
has become a crucial way for individuals to directly control their privacy and
reputation.
4. Data Portability: Provide a right to data portability. This means individuals
would be empowered to receive their information in a standard, portable digital
format so that they may change service providers seamlessly and without losing
their data. Data portability would give individuals more control over their
information, and may create greater competition among service providers since
consumers would be able to switch providers more easily.
5. Enhanced Enforcement: Strengthen the oversight and enforcement powers of
the Information and Privacy Commissioner/Ontario (e.g. ability to impose
penalties) to support compliance with the new law.
6. De-identification Requirements: Currently, there is no clear set of rules on how
organizations must manage de-identified personal information or data derived
from personal information. The new law will likely aim to fill this gap by clearly
defining these concepts, creating rules on how organizations must manage this
type of information, and clarifying how privacy rules apply to it.
7. Expanded Scope: The new law must address the significant gap in Canada’s
privacy framework. Currently, many organizations operating in Ontario (i.e.
non-profits, charities, professional associations, trade unions and political parties) are
not subject to PIPEDA. As such, the new law must govern non-commercial
organizations. Moreover, from an employment perspective, PIPEDA only covers
federally regulated employers. The new law would likely apply to
provincially-regulated employment relationships (e.g. hospitality, retail, professional service
firms).
8. Innovative Data Sharing: Consider establishing guidelines, principles or
standards for the use of “data trusts” (i.e. emerging data governance models
where data can be shared in a privacy protective manner among various sectors
or organizations in order to drive innovation and value in the public interest).
As these 8 topics demonstrate, Ontario’s new private sector privacy legislation, if enacted, will be fundamentally shaped by privacy issues stemming from our digital age and the government’s desire to address outstanding gaps in the current Canadian privacy landscape.