Privacy protections being considered would put Ontario in line with international standards: lawyer
The Ontario government has embarked on a consultation on the possible enactment of a private sector privacy law.
The Ministry of Government and Consumer Services has issued a discussion paper and created a survey for public input. New privacy rights in consideration include the right to be forgotten and data portability, and the province is also looking at giving more teeth to the Information and Privacy Commissioner. The consultation will run until Oct. 1.
Private sector privacy in Ontario is currently governed by the federal Personal Information Protection and Electronic Documents Act, which applies to both a company’s commercial activities and regulates the personal information of its employees. A provincial privacy law would help fill the gap left by PIPEDA, which only governs federally regulated workplaces, such as banks and airlines, says Laila Paszti, counsel at Norton Rose Fulbright Canada LLP. If a provincial privacy law passes, it will likely regulate the employee personal information in all private sector companies in Ontario, says Paszti.
“It will definitely be a significant change, certainly something that employees will welcome, because now they would have access to a whole slew of rights under this privacy legislation that they would not have ordinarily had in Ontario,” says Paszti, who works primarily with companies in the technology and life sciences sectors, providing guidance on privacy and cybersecurity.
The right to be forgotten would allow a person to request online platforms remove their digital presence and de-index them from searches. Data portability allows a person to have the data they have accumulated using a digital service delivered to them in a portable format, to take that data and transfer it to a new service provider.
PIPEDA applies when a province – such as Ontario, currently – lacks their own private sector privacy law. Alberta, B.C. and Quebec are the only provinces with private sector privacy legislation of their own.
But some argue PIPEDA has too limited a scope. A recent article in Lexology, from Borden Ladner Gervais LLP, named its three “fundamental limitations.” The legislation falls short of more strict privacy laws, such as the European Union’s General Data Protection Regulation and the California Consumer Privacy Act of 2018; the Office of the Privacy Commissioner of Canada lacks power to make orders and issue fines; and PIPEDA only applies to “a small segment” of Ontario employers – those which are federally regulated.
The privacy protections being contemplated by government, including enhanced obligations regarding data anonymization and the use of derivative data, would also bring Ontario’s protections in line with the GDPR and CCPA, says Paszti. Under the GDPR, if Canadian businesses want to transfer data in and out of Europe, Canada’s privacy law needs to be considered adequate by the EU, or the company must have complex contractual mechanisms in place. Currently, Canada’s laws are considered adequate, but Paszti says there have been concerns that Canada would lose that adequacy standing because PIPEDA lacks certain rights for data subjects. An Ontario privacy law with bolstered protections would be helpful for the province’s businesses if they want to expand into Europe, she says.
“If Ontario goes ahead with – we are very early stages – but if they go ahead, and they do enact privacy legislation that follows the shape that they have outlined [in the discussion paper], then we'll be in a great position, from the perspective of a company with a global reach in that, we're likely going to be much closer to the GDPR,” she says.
In the Ministry’s discussion paper, new “oversight, compliance and enforcement powers” for the IPC are listed as one of the “key areas that the government is exploring” in the consultation. The powers include the ability to “impose penalties where necessary.”
The federal Office of the Privacy Commissioner as well as Ontario’s privacy watchdog, the IPC, have long been pushing for more investigatory power and the ability to levy audits and fines, says Paszti.
“This is part of a growing trend for privacy to be, both more prescriptive and more protective of data subjects,” she says.
“If we look at comparable privacy legislation around the world – such as GDPR and CCPA – PIPEDA lags in terms of the heft of fines and enforcement power.”