Written by Stephen Burns, Michael Whitt, Ruth Promislow and Kees de Ridder
Ontario's Ministry of Government and Consumer Services recently announced that it is contemplating new private sector privacy legislation (PSPL) to govern how businesses collect, use and disclose customers' data. The Ministry is seeking feedback from Ontarians to address key issues in this new privacy framework. The deadline for public commentary is October 1, 2020.
Ontario already has privacy legislation that applies to government institutions and specific health care providers. Currently, Ontario does not have its own PSPL applicable to commercial organizations. For the time being, Ontario relies on the federal Personal Information Protection and Electronic Documents Act, which applies provincially where there is no substantially similar provincial PSPL. Alberta, Quebec and British Columbia have their own PSPLs. In addition to these provincial and federal counterparts, Ontario will be looking to the European Union's General Data Protection Regulation (GDPR) for guidance.
The Ministry has identified eight key areas for the new legislation to address:
- Transparency: How much detail organizations must provide to individuals about how their information is being used.
- Consent: How individuals can give and revoke consent for the handling of their data.
- Right to be forgotten: How individuals can request for their information to be deleted or de-indexed.
- Portability: How individuals can migrate their data between organizations.
- Enforcement: How the new PSPL can be enforced, such as by orders and fines.
- De-identification: How personal information can be de-identified, and how such de-identified data may be used.
- Scope: Whether, in addition to commercial organizations, the new PSPL should apply to non-commercial organizations, such as not-for-profits, charities, trade unions and political parties.
- Data trusts: How data can be shared between organizations, unlocking the value of such data for new purposes in the public interest.
What We Know So Far
Ontario's new PSPL will not be a one-size-fits-all solution. The Ministry has suggested that it will develop different strategies for small, medium and large organizations. In other words, tech industry giants may be subject to different rules than a small local business with an online shop. This is good news for small- and medium-sized enterprises, many of which were forced by COVID-19 to offer services online for the first time.
Ontario's Information and Privacy Commissioner will likely be responsible for administering the new PSPL, as it already does for other privacy legislation in Ontario. This is consistent with the approach taken in other provinces.
The Ministry's request for feedback emphasizes that the new PSPL is to be a "made-in-Ontario solution for today's privacy challenges, one that suits Ontario's size and complexion, and will nurture innovation for Ontario businesses, associations and other organizations." This suggests that the new PSPL may depart from similar legislation in Alberta, B.C. and Quebec. Entities operating in multiple jurisdictions should carefully consider how they can concurrently abide by all applicable PSPL.
Bennett Jones would be pleased to help you navigate Canada's complex framework of privacy legislation. If you would like to learn more, please contact the authors of this post.