Leave no Ontarian Behind: Why Ontario should move ahead with its own private sector privacy law with or without federal reform Français
07 Sep, 2021, 11:00 ET
Information and Privacy Commissioner of Ontario responds to Ontario government's proposals for a new private sector privacy law
TORONTO, ON, Sept. 7, 2021 /CNW/ - The Office of the Information and Privacy Commissioner of Ontario (IPC) has issued its response to the provincial government's white paper on proposals for a provincial private sector privacy law that could establish Ontario as a leading digital jurisdiction.
Ontario-based companies continue to be governed by Canada's federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA is showing its age, and its proposed replacement, Bill C-11, the Digital Charter Implementation Act, 2020, died on the order paper with the announcement of a September federal election.
But whether or not legislative reform is pursued by the next federal government, Ontarians would be better off with their own private sector privacy law that offers them comprehensive protections entirely beyond the reach of any federal law now or in the future. A provincial statute would expand privacy protection for the millions of Ontarians employed by provincially-regulated companies not covered by federal privacy law. A provincial privacy law could also fill other important constitutional gaps such as charitable organizations, unions, professional associations and political parties in Ontario.
A new law, tailored to Ontario, has other benefits, particularly for the small and medium-sized businesses that are the backbone of economic activity, comprising over 440,000 employers, 86.4 per cent of the private sector workforce and 85.3 per cent of our province's GDP. A made-in-Ontario law could allow for a more agile approach to regulation, one that supports compliance in a manner better suited to the unique experiences and challenges of smaller businesses. With its eyes and ears close to the ground, the IPC is well-equipped to support local organizations by providing practical guidance materials and impactful advisory services that reflect the day-to-day realities of doing business in our province.
Fears about red tape and duplication of privacy laws could be addressed by achieving substantially similar status with the federal law, so that businesses conducting commercial activity within the province would be exempt from PIPEDA, having only to comply with the provincial law in question. For businesses engaged in commercial activity across borders, attention to harmonization could enable interoperability between laws and enforcement cooperation between regulators.
A provincial approach to privacy could also help ensure statutory coordination across multiple sectors, including the private, public, health, and child and youth sectors, providing a more coherent regulatory scheme in which cross-sectoral data initiatives can take hold and flourish for the greater public good. Similarly, a provincial law could be better integrated into Ontario's overall Digital and Data Strategy, furthering the province's open data objectives and enabling equitable data sharing in a manner that is digitally secure and respectful of privacy and other human rights.
"Privacy rights in Ontario could be better served and protected with a provincial private sector privacy law that provides enhanced privacy protections and better aligns with our province's unique values, realities, and culture," said Patricia Kosseim, Information and Privacy Commissioner of Ontario. "Without a provincial approach to privacy, critical constitutional gaps remain that continue to expose millions of Ontarians to privacy and security risks. A new law has the potential to fuel responsible innovation, support the post-pandemic economic recovery, and provide Ontario's businesses with the regulatory certainty and compliance support needed to help them grow and prosper as world leaders in the digital space."
Should Ontario proceed to adopt a provincial privacy sector privacy law, the IPC's priority will be to develop the foundational building blocks and oversight mechanisms for implementing Ontario's private sector privacy law in a manner that protects privacy, supports responsible innovation, and accords with our province's unique circumstances and economic reality.
- Read the IPC's full submission
- Previous IPC submission to the government's first consultation, Improving private sector privacy for Ontarians in a digital age (October 2020)
- Opportunity for a privacy law that works for consumers, businesses (Toronto Star)
- Blogs by Commissioner Kosseim
- IPC Strategic Priorities 2021-2025
Information and Privacy Commissioner of Ontario's comments on key areas
for reform in a made-in-Ontario private sector privacy law
The government's white paper outlines seven key areas for reform in the development of a private sector privacy law for Ontario. Additional commentary on these reforms and other aspects of the proposed legislation is available in the IPC's submission to the Ontario government.
Summary of the IPC's comments on key areas for reform:
1. Rights-based approach
The IPC applauds the government's proposal to affirm privacy as a fundamental right in the preamble of an eventual provincial privacy law. This would anchor human rights values into the very foundation of the law and significantly impact its interpretation and application. We also strongly support the overarching fair and appropriate purpose clause that would set principles-based boundaries around permissible activities.
2. Safe use of automated decision-making
The use of automated decision-making that significantly impacts individuals requires strong governance to manage the heightened risks associated with AI. Organizations should be subject to higher accountability requirements to enhance transparency and explainability of decisions made by automated means, to identify, assess and mitigate potential bias, and to ensure that the potential benefits of making decisions by automated means are not outweighed by negative impacts on individuals or groups.
3. Enhanced consent
An updated consent framework would enable individuals to focus their attention on the most actionable and impactful information influencing their decisions while at the same time providing greater flexibility for organizations. On the whole, we are supportive of the various information elements that must be provided in plain language at or before the time of processing for consent to be considered valid. We recommend several improvements to the proposed alternate grounds for processing, including business activities, data transfers to service providers, disclosures to law enforcement, investigations and legal proceedings, publicly available information, research in the public interest, and employee personal information.
4. Data transparency for Ontarians
Transparency and accountability must play a central role in any modern privacy legislation that shifts away from a fully consent-based model. Enhanced transparency and accountability requirements serve as a critical counterpoint to the increased flexibility organizations are granted to collect, use or disclose personal information without consent in a data-driven economy.
Enhanced accountability measures should require that privacy impact assessments are conducted above a defined risk threshold and that responsibilities are clearly apportioned between organizations and their service providers. Stronger transparency measures should include public reporting requirements for disclosures to law enforcement.
5. Protecting children and youth
We applaud the government's proposal to address important issues such as substitute decision-makers and the minimum age thresholds for valid online consent in an Ontario private sector privacy law. We recommend several further enhancements, including the right for youth to have information they posted about themselves deindexed, removed or deleted altogether, subject to narrow exceptions, and the right for mature minors to object to their parents' consent, access or take-down requests.
6. A fair, proportionate, and supportive regulatory regime
The IPC is broadly supportive of the compliance framework being considered by the government for a made-in-Ontario private sector privacy law. In particular, the agile and flexible tools being proposed to support compliance, with the possible escalation of enforcement options available when necessary, address some of the most significant weaknesses in PIPEDA and Bill C-11 and respond to many of the recommendations made by the IPC in its previous submission on private sector privacy legislation in Ontario.
7. Support for Ontario innovators
We strongly support bringing de-identified information within the scope of a private sector privacy law generally. We recommend fine-tuning key definitions, building in incentives for organizations to de-identify information as a safeguarding measure, and clarifying that key obligations of organizational accountability, fair and appropriate purposes, safeguards, transparency, and challenging compliance continue to apply to de-identified information.
Finally, with respect to promoting more equitable data-sharing, we believe such efforts are certainly laudable and should continue to be encouraged. We recommend, however, that appropriate governance models, with effective, independent oversight mechanisms, be seriously considered, designed, and implemented at the earliest possible time, given all of the important privacy, security, fairness, and equity implications at play.
SOURCE Office of the Information and Privacy Commissioner/Ontario
For further information: Media inquiries: [email protected]
Share this article