Ontario moves forward with privacy legislation initiative

Ontario has taken a significant step towards implementing private sector privacy legislation in the province.

On June 17, it issued a white paper entitled Modernizing Privacy in Ontario that sets out a model for a new statute. The province aims to implement stronger protections than those introduced by the federal government in its privacy reform bill, Bill C-11. If the province’s proposed model becomes law, it will bring in a strict new compliance and enforcement regime and entirely new employment privacy regulation. It will also increase the fragmentation of the Canadian private sector privacy law regime.

The context for reform

Federal law currently governs commercial privacy in Ontario. The Personal Information Protection and Electronic Documents Act (PIPEDA) has imposed a broad set of privacy-related requirements that are based on fair information practice principles – a set of fundamental principles for protecting privacy that have become the basis of global privacy laws.

PIPEDA, however, has three fundamental limitations:

  • First, it does not yet feature elements now common to stronger privacy laws, such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA).
  • Second, enforcement under PIPEDA is based on an Ombudsman model. The regulator, the Office of the Privacy Commissioner of Canada, has no power to make orders or issue fines.
  • Third, PIPEDA applies to a small segment of Ontario employers – only banks, airlines and other federally regulated employers. The vast majority of employers in Ontario have no obligations under a plenary privacy statute.

Based on concerns about PIPEDA’s frailties and a need to maintain the “adequacy status” that facilitates the transfer of personal information outside of the European Economic Area under the GDPR, Canada has seen a wave of privacy law reform – indeed, a near competition to establish the new baseline for privacy protection in Canada.

Québec led first, with a stringent set of reforms embodied in Bill 64. Bill 64 is expected to pass by the end of 2021.

The federal government followed with Bill C-11, a bill that would replace PIPEDA with the Consumer Privacy Protection Act. Bill C-11 has faced significant criticism from privacy advocates and the Office of the Privacy Commissioner of Canada, raising significant questions about its future.

Ontario’s new and strict proposed model

Ontario has seized upon the criticism of Bill C-11 in launching its new model. In a letter released at the same time as the Modernizing paper, Minister Lisa Thompson says:

Recently, the federal government tabled Bill C-11, The Digital Charter Implementation Act, to update PIPEDA. While the bill may appear to be modernizing outdated legislation, it has stripped away key protections that Canadians expect to have and has been recognized as a “step back” by the Office of the Privacy Commissioner of Canada.

While a comprehensive, harmonized national privacy regime would be the best outcome for Ontarians, the federal bill is fundamentally flawed and, as it is currently written, will not keep our people safe.

My ministry is therefore considering the possibility of provincial legislation that would govern citizen data, set a national gold standard for privacy protection, and correct the systemic power imbalances that have emerged between individuals and the organizations that collect and use their data.

In Modernizing, the province draws heavily from the Office of the Privacy Commissioner of Canada’s Bill C-11 critique and reform submissions made by the Information and Privacy Commissioner of Ontario. Although the province appears to have borrowed text from Bill C-11, its model has a rigor closer to that embodied in Bill 64.

The following table describes the elements of Ontario’s proposed model.

Element | Features | Short commentary

 Scope   
  • Commercial activity
  • Employment in the province
  • Not for profit, charitable activities
  • Unions
Ontario proposes to replace PIPEDA for commercial activity and to broaden the scope of privacy statute application in Ontario to a wide range of currently unregulated activity, including the core activity of not-for-profit organizations and charities. Ontario employers would become subject to privacy legislation.
Purpose   
  • To recognize a "fundamental right to privacy"
  • Three principles: proportionality, fairness and appropriateness
Ontario proposes to alter the balance enshrined in PIPEDA and Bill C-11, which both recognize that privacy is less than absolute and must be balanced against the “need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”
Processing requirements and limitations   
  •  "Fair and appropriate" purposes requirement, with:
    • stipulated factors;
    • a distinct necessity requirement; and
    • certain "no go" purposes, including no go purposes that may be prescribed by regulation
The limitations on processing are a significant feature of any privacy statute. The province’s proposal is strict. Among other things, the province draws from the Office of the Privacy Commissioner of Canada’s advocacy in proposing a prohibition on “no go” purposes. Most significantly, Ontario aims to prohibit purposes that are “known to cause, or likely to cause, significant harm to the individual or groups of individuals.”
De-identified information   
  • Regulated so long as not "anonymized"
  • Requirement to secure with "proportionate" measures
  • Prohibition on re-identification
  • If information has been de-identified, no requirement to respond to an individual's request to access, append, port, or delete personal information
Like Bill 64 and the GDPR, the Ontario approach excludes truly anonymized information from the scope of regulation. Ontario says it aims to incentivize de-identification and anonymization as a means of supporting data-driven innovation. The province recognizes that certain features of a privacy framework are neither desirable nor practicable when dealing with de-identified personal information. For example, Ontario proposes that organizations not be required to respond to an access request if personal information has been de-identified.
Basic data subject rights   
  • Access and correction
  • Right of erasure/disposal
  • Portability rights based on sector-specific frameworks
  • Right to de-indexing of search results (qualified as being under consideration)
Rights to disposal and portability are rights that have the potential to conflict with the operational requirements of business, and must therefore have an appropriate and carefully crafted scope. The province’s proposal contains the same “reasonable terms of a contract” limitation included in Bill C-11, and the province appears to intend to limit the portability right to enable disclosures under mobility frameworks. Whether Ontario actually pursues a right to de-indexation (right to be forgotten) is of major significance.
Automated decision-making   
  • Transparency requirement for automated decision systems
  • Prohibition on decisions that would “significantly affect the individual,” unless necessary for entering or performing a contract or with express consent (unless authorized by law)
Ontario’s proposal is arguably more stringent than that reflected in Bill C-11 and Bill 64 in that Ontario aims to create a limited prohibition on automated decision-making and a true right to contest an automated decision. Given Ontario proposes the same broad “automated decision-making” system as Bill C-11, this proposal is likely to raise concerns.
Consent   
  • Preserves consent as a requirement and provides numerous alternatives to consent to address the acknowledged problem of "consent fatigue"
Ontario has modeled its list of consent exceptions on the Bill C-11 list, though it frames them as "alternatives" and does not adopt the exception for indirect collections of personal information in Bill C-11 that has drawn criticism. The province has been express in its proposal to bring trade unions within the scope of privacy regulation, and proposes a consent exception for processing that is "necessary" for various activities related to unions' representational mandates.
Transparency and governance   
  • Privacy management program
  • Robust transparency requirement, via plain language policy requirement and stipulated requirements for valid informed consent
  • Privacy impact assessments (qualified as being under consideration)
Privacy legislation has evolved to require organizations to provide individuals with more information about the processing of personal information. Ontario’s proposal draws heavily from Bill C-11, and the province has signalled openness to a privacy impact assessment requirement similar to the one that is a feature of Bill 64.
Children   
  • No monitoring or profiling an individual under the age of 16
  • Parent/guardian consent requirement for individuals under the age of 16, with provisions to deal with mature minors who object to parental control
PIPEDA does not include any special provisions meant to protect children’s privacy, nor does it establish an age at which parental consent is required. Guidance is derived from Office of the Privacy Commissioner of Canada policy, which stresses the sensitivity of children’s personal information and the increased burdens in obtaining meaningful consent. The Ontario proposal has the potential to bring clarity to the law. By contrast, Bill 64 provides that consent of a minor under 14 years of age must be given by the person having parental authority and the consent of a minor 14 years of age or over can be given either by the minor or by the person having parental authority.
Enforcement   
  • Certification powers and "codes of practice"
  • Order-making powers
  • Administrative monetary penalties (up to $10 million or three per cent of gross global revenue, whichever is greater)
  • Offences
  • Potential compensatory regime (qualified as being under consideration)
The Ontario proposal is similar to Bill C-11, though it would provide the Information and Privacy Commissioner of Ontario with the (direct) power to order administrative monetary penalties. Ontario’s health privacy statute has a compensation mechanism, but requires a court application. A mechanism by which individuals could seek compensation from the IPC itself would be novel, raising a question about whether it should be made an exclusive remedy (i.e., an alternative to court-based privacy claims).

Conclusion

If the Ontario proposal eventually becomes law and supplants federal privacy legislation in Ontario, it will radically change the privacy legislative landscape in Canada. Approximately 87 per cent of the Canadian population would become subject to made-in-the-province commercial privacy legislation, curtailing the relevance of the Office of the Privacy Commissioner of Canada and introducing a new provincial regulator with strong powers and influence. Fragmentation would not benefit business, and entire new areas of activity in Ontario would become regulated – namely, employment and not-for-profit activity.

Even if it does not pass, the Ontario proposal is part of a jockeying for influence that appears to be causing our regulatory model to rise to the highest common denominator. Ontario is promoting its model as a stricter alternative to Bill C-11, which could invite a federal response, not to mention an eventual response from British Columbia and Alberta.

Comments to the province are due by August 3. We would be pleased to help you with considering the proposal and marshalling a response. Please reach out to your BLG lawyer or any of the key contacts below for assistance.

Key Contacts