In a move of great significance to organizations doing business in Ontario, the province recently opened a consultation on private sector privacy regulation. The consultation, which runs until October 1, shows a strong commitment to moving forward with legislation that will create new and stringent privacy compliance requirements and potentially establish new employee privacy rights and obligations.
The current regulatory landscape
Federal law currently governs commercial privacy in Ontario. The Personal Information Protection and Electronic Documents Act (PIPEDA) has imposed a broad set of privacy-related requirements that are based on fair information practice principles – a set of fundamental principles for protecting privacy that have become the basis of global privacy laws.
PIPEDA, however, has three fundamental limitations.
First, it does not yet feature elements now common to stronger privacy laws such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA).
Second, enforcement under PIPEDA is based on an Ombudsman model. The regulator, the Office of the Privacy Commissioner of Canada, has no power to make orders or issue fines.
Third, PIPEDA applies to a small segment of Ontario employers – only banks, airlines and other federally regulated employers. The vast majority of employers in Ontario have no obligations under a plenary privacy statute.
Province shows fairly strong commitment
In mid-August, the province issued a discussion paper, posted an online survey and put out a call for stakeholder input.
The Ministry of Government and Consumer Services says it is “seeking to address the gaps in Ontario’s legislative privacy framework, and to establish comprehensive, up-to-date rules that will protect privacy rights and increase confidence in digital services.” It also says “we are committed to creating a unique, made-in-Ontario solution to today’s privacy challenges.”
This signals a fairly strong commitment to move forward with legislation that supplants PIPEDA. Uniquely, PIPEDA provides for exemption orders that carve out from its scope activities that are governed by “substantially similar” provincial privacy legislation.
What might Ontario legislation look like?
The province has expressed a clear interest in “addressing gaps in existing legislation” and bringing in “up-to-date and robust rules.” It is using the consultation to gather input on a set of proposals for advanced forms of privacy protection that are not yet part of Canadian privacy law – akin to those recently introduced by Québec in Bill 64, An Act to modernize legislative provisions as regards the protection of personal information. The proposals address, for example:
- the potential recognition of data erasure and portability rights, new rights associated closely with online and other digital service provision;
- the power to issue “severe” fines for non-compliance; and
- advanced tools to enable privacy-protective data use (de-identification provisions and “data trusts”).
Data localization and breach notification are not mentioned in the consultation materials, though there is a suggestion that the Information and Privacy Commissioner of Ontario should be advised of “substantial privacy breaches.”
Practical implications today
Although not a given, enacting a made-in-Ontario commercial privacy statute is now a strong possibility. Some organizations have aligned their privacy programs with the GDPR and CCPA, but many have not. Even if Ontario does not follow through with this initiative, the growing pressure to invest in privacy programs and benchmark against practices in leading jurisdictions is clear. In fact, it may be that Québec, by passing Bill 64, precedes Ontario in enacting GDPR-style provincial privacy legislation.
Also, it goes without saying that organizations in Ontario are significant stakeholders, and should consider participating in the consultation. Although much of the material published by the province is focused on individual rights, the Ministry says, “we also want to ensure that any new privacy protections do not pose unnecessary burden to businesses, or inhibit the growth and prosperity of Ontario’s innovation ecosystem.”
Ontario employers may have the most at stake. Although the province’s consultation documents do not speak of employee privacy at all, British Columbia, Alberta and Québec have set a precedent by including employee privacy within the scope of their commercial privacy statutes. Ontario may do the same, which would pressure Ontario employers, who have benefited from a lack of regulation and oversight, to develop employee privacy programs.
Reach out to our Cybersecurity, Privacy & Data Protection group to discuss how Ontario commercial privacy legislation may affect your business.