This is the second in our series of updates about Ontario’s new proposed privacy laws. The Government of Ontario’s June 17, 2021, white paper outlined proposals that aim to:

  1. implement a rights-based approach to privacy;
  2. ensure safe and transparent use of automated decision-making/AI technologies;
  3. enhance the process of obtaining consent; 
  4. improve data transparency; 
  5. protect children and youth;
  6. establish and maintain a more fair, proportionate and supportive regulatory regime; and
  7. support innovation in Ontario. 

In this update, we will elaborate on proposals 4 through 7. To read more about proposals 1 through 3, please refer to last week’s update.

Summary of proposals (4-7)

Data transparency. The following proposals were put forward to enhance data transparency, which in turn would both protect and empower individuals whose data is at issue:

  • Requiring organizations to implement privacy management programs consisting of internal policies, practices and procedures to govern the collection, use, and disclosure of personal information, with the help of resources developed by the Information and Privacy Commissioner of Ontario (IPC) (which would take into consideration the size of organizations and nature of the information they collect);
  • Requiring organizations to notify individuals who are being asked to consent to the collection of their information, with the notices to include information about privacy policies and practices and individuals’ legal rights relating to consent and control over information; and
  • Requiring organizations to conduct privacy impact assessments on high-risk activities.

Data transparency is critical in both empowering and protecting individuals exercising their right to know when and how their data is being used. Only by arming individuals with this knowledge will they be empowered to exercise their rights and make informed decisions about their data. In other words, the Ontario government is seeking to level the playing field as between organizations and individuals, because the complexities of our digital world currently obstruct individuals from having a fair say in how their data is used. This approach is in line with global trends toward giving individuals the tools needed to protect their personal information.

Children and youth. The following proposals were put forward to protect children and youth, some of the most vulnerable stakeholders in Ontario’s digital economy:

  • Requiring organizations to introduce a minimum age of valid consent and an explicit requirement for parental consent on behalf of a minor; and
  • Prohibiting organizations from monitoring or profiling minors in order to influence their decisions or behavior.

There may very well be operational roadblocks to implementing consent mechanisms for minors, but the Ontario government seems to be of the view that greater regulation is needed, and that organizations should be restricted from profiling these vulnerable individuals (especially over long periods). Absent these restrictions, organizations could exercise what some perceive as too much control over minors’ digital footprints, both today and later in their lives.

Regulatory regime. The following proposals were put forward to establish a more fair, proportionate and supportive regulatory regime:

  • Empowering the IPC to develop compliance guidelines, issue certifications to compliant organizations, conduct discretionary investigations, issue binding orders for non-compliance, and impose monetary penalties of up to $10 million (or 3% of global revenue);
  • Giving consideration to the extent of harm, organizations’ mitigation efforts, the number of individuals impacted, and the size/global revenue of organizations in assessing penalty amounts; and
  • Creating statutory offences for failure to report or maintain a record of a security breach, failure to retain information subject to an IPC investigation, and failure to abide by an IPC compliance order or prohibition against re-identification, with monetary penalties of up to $25 million (or 5% of global revenue).

A more robust regulatory regime is certainly a prerequisite to ensuring adequate oversight and enforcement of the legislative changes proposed. The updated regime hinges on providing the IPC with a more meaningful mandate and stronger enforcement powers, subject to judicial oversight under certain circumstances. Implementing a well-designed certification program could contribute to greater public confidence in the digital economy, but it remains to be seen whether the monetary penalties contemplated will be any more or less effective than current penalties.

Supporting innovation. The following proposals were put forward with a view to supporting innovation:

  • Defining and distinguishing between “de-identified information” and “anonymized information,” such that the former would be brought under the scope of privacy regulation (in recognition of the residual risk of re-identification), and the latter would be excluded (thereby incentivizing the use of anonymized data);
  • Prohibiting the re-identification of de-identified information, subject to prescribed exceptions including for research and innovation purposes; and
  • Requiring organizations to implement de-identification practices proportional to the purpose for de-identification and the sensitivity of the information. 

Throughout this update, we referred to the various ways in which Ontario’s proposed privacy law reform supports innovation. The proposals referenced above are more directly intended to encourage innovators, by providing much-needed clarity and guidance around the use of de-identified and anonymized information. This clarity would not only support innovation, but also be in the best interests of all stakeholders – being the innovators themselves, the individual data subjects, and our regulators.

Key takeaways

Ontario’s proposals appear to be a step in this direction, with individuals benefiting from greater transparency and the opportunity to play a more meaningful role in protecting their data, private-sector innovators thriving under a more clearly articulated regime and benefiting from increased consumer confidence, and regulators being empowered by a hardier regulatory regime.

There is still work to be done, but we are cautiously optimistic about the quantity and quality of the feedback that the Ontario government has solicited on its white paper, and about Ontario innovators’ ability to step up and contribute to developing effective legislation that will serve both private and public interests.

Once the legislation comes into effect, there will likely be a two-year transitional period intended to give organizations time and flexibility to become compliant with the new regime. We encourage readers to get a head start on assessing their privacy policies and procedures, and identifying the gaps they’ll need to address when the changes take effect. 

The authors would like to thank Katie Helou, summer student, for her contribution to this legal update.


