Ontario moves towards introducing new privacy law - part 1

Given global trends in the development of privacy laws and enforcement, Canada and several provinces are looking at modernizing their respective privacy regimes. Ontario’s new proposed privacy law, which would govern commercial activities more broadly than current legislation (i.e., our federal legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), and Ontario’s health privacy legislation, the Personal Health Information Protection Act (PHIPA)), is intended to enhance the public’s confidence in Ontario’s digital economy by recognizing individuals’ fundamental right to privacy and imposing strict compliance obligations and financial penalties on organizations doing business in Ontario. 

On June 17, 2021, the Government of Ontario released a white paper outlining its proposals and requesting public feedback. It suggests that the proposed new legislation would be in addition to PHIPA. This was partially in response to Bill C-11 (the federal government’s new proposed private sector privacy legislation), which even the Privacy Commissioner of Canada described as “a step back overall from our current law” and as requiring “significant changes if confidence in the digital economy is to be restored.” The white paper outlines proposals that aim to:

1. implement a rights-based approach to privacy;
2. ensure safe and transparent use of automated decision-making/AI technologies;
3. enhance the process of obtaining consent; 
4. improve data transparency; 
5. protect children and youth;
6. establish and maintain a more fair, proportionate and supportive regulatory regime; and
7. support innovation in Ontario. 

In this update, we will elaborate on proposals 1 through 3. We will provide more detail on proposals 4 through 7 in a subsequent update.

Summary of proposals (1-3)

Rights-based approach to privacy. The following proposals were put forward with a view to implementing a rights-based approach to privacy laws:

• Explicitly recognizing the fundamental right to privacy in the preamble of the legislation; 
• Prohibiting the collection, use, and disclosure of personal information beyond that which is necessary to carry out the legitimate purpose(s) for which the information is collected; 
• Requiring a rights-oriented interpretation of the concept of “fair and appropriate purposes,” by making it mandatory to consider factors such as the nature and sensitivity of the information at issue; and
• Requiring organizations, on request by an individual, to disclose, correct, and dispose of personal information.

Placing individuals’ fundamental right to privacy at the centre of the discussion encourages organizations to design their privacy policies and practices around this very important concept. By reimaging the definition of “sensitive” personal information, taking a “less is more” approach to collecting data, restricting legitimate purposes of collection to those that are fair and appropriate, and prioritizing individuals’ control over the disposal and movement of their data, the Ontario government appears committed to enshrining the fundamental right to privacy in its proposed legislation.

AI and Automated decision-making technologies. The following proposals were put forward to ensure the safe and transparent use of AI and automated decision-making technologies:

• Defining “profiling” and “automated decision-making” to establish a robust regulatory regime for activities that implicate AI-related rights;
• Requiring organizations, on request by an individual, to explain to that individual the decision or prediction process of the automated system;
• Prohibiting profiling and automated decision-making, subject to certain exceptions, to give individuals control over the use of highly personal and sensitive information generated by AI systems; and
• Allowing individuals subjected to automated decision-making to request or correct the personal information used to arrive at the decision, comment or contest the decision, and have the decision reviewed by an individual within the organization.

The expanded use of AI and automated decision-making technologies constitutes important progress and innovation, but also has a potential dark side – these technologies make it possible to cause significant harm to individuals, because of heightened risks of surveillance and algorithmic bias. With so many diverse and extensive bodies of data available to organizations using these technologies, the Ontario government is aiming to enhance transparency, so that individuals may be empowered to understand and make meaningful decisions about their online profiles. 

Consent and lawful use. The following proposals were put forward to enhance the process of obtaining consent, and restrict uses of personal information to those uses that are lawful:

• Prohibiting organizations from making consent a condition of service, and obtaining consent through deceptive and duplicitous means;
• Requiring organizations to consider the sensitivity of the information and reasonable expectations of individuals when determining an appropriate form of consent; 
• Eliminating the ability of organizations to circumvent obtaining consent because it is “impracticable” where the organization “does not have a direct relationship with the individual,” to avoid organizations collecting personal information without consent as a matter of convenience; and
• Aligning the circumstances under which employers and unions may collect and use personal information from employees without consent, with practical business requirements (e.g. to comply with legal obligations surrounding the employer-employee relationship or to campaign to establish bargaining rights).

Consent fatigue in today’s day and age is very real, therefore the Ontario government is prioritizing the development of new and engaging ways for individuals to provide consent and participate in governing their personal information. A “one size fits all” approach to consent is not practical. Drawing a clear line between what organizations can and cannot do as a matter of convenience is an important first step, but the Ontario government acknowledges much work remains in terms of designing these novel and effective approaches to obtaining meaningful consent. 

Key takeaways

For several years now, Ontario has been a hotbed for innovation, triggering rumblings about Ontario becoming the “Silicon Valley of the North.” To that end, it is critical for Ontario to embrace its responsibility and potential to become a world-class jurisdiction for data protection and the digital economy. 

The authors would like to thank Katie Helou, summer student, for her contribution to this legal update.