Ontario enters the private sector privacy realm: what the new privacy law consultation means for business

On August 13, the Ontario Ministry of Government and Consumer Services launched a public consultation process and published a discussion paper about new private sector privacy legislation. The public consultation process will remain open until October 1, 2020. The discussion paper has been published in the wake of the Québec government’s decision to introduce Bill 64 (An Act to modernize legislative provisions as regards the protection of personal information)¹ this June, which proposes sweeping reform to Québec’s existing private and public sector privacy legislation. These two proposals, along with the pending review of federal PIPEDA, provide insight into how Canadian governments are approaching privacy law reform in the era of GDPR, data analytics and artificial intelligence.

What you need to know

• Unlike Québec, British Columbia, and Alberta, Ontario does not currently have private-sector privacy legislation. Organizations in Ontario are governed by Federal PIPEDA when they collect, use, or disclose personal information in the course of commercial activities.
• The discussion paper does not envision a radical departure from other Canadian privacy laws. Rather, the proposed model tracks PIPEDA’s informed consent model, with some discussion of enhanced consumer rights and regulatory enforcement powers.
• At this stage, the discussion paper notably discusses the following proposals:
  • enhancing transparency and consent requirements (including an opt-in consent model for secondary uses of data such as for marketing);
  • adopting data portability and erasure rights;
  • empowering the Ontario Information Privacy Commissioner to impose penalties for non-compliance; and
  • regulating non-commercial organizations such as charities and non-profits.
• Some of these proposals align with Québec’s Bill 64, which would substantially broaden the Québec Commission d’accès à l’information’s enforcement powers, adopt data portability rights, and impose more onerous consent requirements. That said, while Bill 64 appears to be a push toward the EU GDPR approach, the discussion paper more closely resembles the PIPEDA modernization framework being considered by the federal government.

Enhanced transparency and consent requirements

The discussion paper notes that under PIPEDA, organizations are required to publish policies regarding their practices for collecting and using consumer personal information but posits that they are typically written in inaccessible language. In a nod to commercial reality, the discussion paper notes that personal information is now so frequently collected that consumers cannot be expected to provide direct consent each time an organization collects their personal information.

To address these issues, the discussion paper proposes requiring organizations to offer “clear and plain language information” about what personal information is collected, how it is collected and used, and to which third parties it would be shared and to list exceptional situations in which they are not required to obtain consent. Consumers would only be required to provide separate consent to practices that are not in line with these descriptions. The discussion paper suggests introducing a rule that organizations must obtain opt-in consent from consumers for the collection, use, or disclosure of personal information for secondary purposes: those that are not central to the service being provided to the consumer or those that are not described in the privacy policy.

This approach largely aligns with PIPEDA and the OPC’s interpretation of the federal law, despite the suggestion in the discussion paper that enhanced transparency is needed. Plain language privacy policies that allow for meaningful consent are a key implementation mechanism for PIPEDA transparency, consent and openness requirements. As such, the Ontario proposal if adopted would not be a significant departure from the current federal approach.

In Québec, Bill 64 also proposes new transparency requirements such as mandatory governance policies to protect personal information and confidentiality policies which must both be published on an organization’s website. Under Bill 64, Organizations would also be required to obtain express consent when using sensitive personal information for purposes other than those for which it was collected and would also be required to do so before communicating “sensitive” personal information to a third party. Unlike the Ontario discussion paper proposal, however, under Bill 64 organizations would be required to request consent “for each [specific] purpose, in clear and simple language and separately from any other information provided to the person concerned”².

The discussion paper acknowledges that there may be exceptional circumstances in which obtaining consent is not practicable or appropriate such as instances in which data has been deidentified or derived or where the information is used to benefit the individual or the overall public good (such as when it is used for research or innovation purposes). Bill 64 also introduces new exceptions to obtaining consent, namely a service provider exception where the information is necessary to perform a service contract or complete a commercial transaction.

Data subject rights

Both the discussion paper and Bill 64 propose introducing data subject rights that resemble the rights set forth in the European Union General Data Protection Regulation (GDPR).

The right to erasure

The discussion paper discusses introducing data erasure rights (also referred to as the “right to be forgotten”), enabling individuals to request that organizations permanently de-index or delete their personal information when it is no longer required to deliver a service, or the individual has withdrawn their consent. The discussion paper notes that this right is not unlimited and that an Ontario solution would be careful not to become impractical for organizations to follow. Referring to the GDPR, the discussion paper notes that this right does not apply when exercising the right to free expression, complying with a legal obligation, acting in the public interest, exercising official authority, or to pursue or defend legal claims.

Bill 64 would introduce a similar right to erasure in Québec by requiring organizations to destroy or anonymize personal information when the purposes for which it was collected or used are achieved. Bill 64 further proposes providing individuals with the right to require organizations to cease disseminating personal information or to de-index any hyperlink attached to their name where continued dissemination of the personal information would injure their reputation or privacy rights, that injury is “clearly greater” than the public interest in knowing the information or to free expression and ending the dissemination would “not exceed what is necessary” to prevent the injury.

In contrast, the federal government’s proposed approach to modernizing PIPEDA explicitly excludes the right to be forgotten because the matter is before the Federal Court of Canada. 

Data portability

The discussion paper also proposes introducing a right to data portability, permitting individuals to request personal information collected about them in an open and accessible format.

Québec’s current private-sector privacy legislation requires every organization that holds a file on another person to, at their request, confirm its existence and communicate to them any personal information that concerns them. That said, Bill 64 would broaden this right by allowing the person to obtain a copy of the information in a written and intelligible transcript.

The scope of rights of erasure and data portability have been discussed at the federal level in recent consultations as well. A key distinction for business will be whether these rights are limited to information the individual provided to the organization originally, or whether it extends to records the organization generated internally or assembled from various sources about the individual. The narrower the data subject to portability and erasure is, the less risk such consumer rights pose to legitimate business initiatives such as product development and proprietary assessment tools.

Oversight, enforcement and fines

To ensure compliance, the discussion paper proposes allowing the Ontario IPC to issue orders and fines for non-compliance with the law. In this vein, Bill 64 would provide the Québec Commission with two new enforcement powers:

1. administrative monetary penalties of up to $10 million³ (subject to an internal review process and to judicial review before the Court of Québec); and
2. prosecutions seeking fines of up to $25 million⁴.

Under Québec’s current private-sector privacy legislation, organizations and their directors may be liable for fines of up to $20,000 for most first offences, following prosecution by the Attorney General of Québec. Under the new proposals of Bill 64, directors of an organization may be liable for the substantially increased penalties. It remains to be seen if Ontario privacy legislation will contemplate the potential for executive liability.

Bill 64 took a further step by proposing a civil cause of action for statutory damages where an organization or individual breaches the privacy provisions set forth in the amended Privacy Act or the Civil code of Québec and a right to claim punitive damages of at least $1,000 where the breach is intentional or results from gross fault⁵.

Application to non-commercial organizations

Given that PIPEDA applies only to organizations that collect, use, and disclose personal information in the course of commercial activities, the discussion paper proposes filling this gap by regulating non-commercial organizations such as not-for-profits, charities, professional associations, and trade unions. The discussion paper also notes that PIPEDA does not apply to the personal information of employees of most organizations or data collected outside of an organization’s commercial activities. Accordingly, the Ontario Government may be contemplating legislation to protect the privacy of this personal information as well. At a minimum, businesses should expect that any new Ontario legislation will regulate employee personal information, just as the private sector laws in BC, Alberta and Québec do.

Conclusion

The discussion paper is a preliminary stage of the legislative process and it may be several years before new Ontario private-sector privacy legislation enters into force. Proposed amendments to modernize PIPEDA have not yet been introduced, but the consultation process is further along than in Ontario. Conversely, Bill 64 has been referred to the consultation stage at the Québec National Assembly and the transitional provisions provide that Bill 64 will come into force one year after the date of its assent.

All of these developments should serve to focus businesses’ attention on their current privacy practices, internal and external resources available to monitor and adapt to legislative change, and whether the organization can smoothly integrate changes in various jurisdictions. A significant focus for many organizations and industries will be to urge the federal and Ontario governments to substantively align PIPEDA amendments with any new provincial legislation to avoid unnecessary disconnection between compliance regimes.

_________________________

¹ Bill 64 proposes amendments to Québec’s existing private-sector privacy legislation: the Act respecting the protection of personal information in the private sector, CQLR c P-39.1.

² Under Bill 64, personal information is deemed to be sensitive if it entails a high level of reasonable expectation of privacy because of its nature or the context of its use or communication.

³ Or, if greater, 2% of the organization’s worldwide turnover in the preceding year.

⁴ Or, if greater, 4% of the organization’s worldwide turnover in the preceding year.

⁵ Currently, in Québec it is only possible to obtain punitive damages for a privacy breach under the Québec Charter where the breach is both unlawful and intentional.

To discuss these issues, please contact the author(s).

This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.

For permission to republish this or any other publication, contact Janelle Weed.

© 2024 by Torys LLP.

All rights reserved.