The Ontario provincial government recently released a white paper which appears to pave the way for private sector privacy legislation in Canada’s biggest province. This initiative, and the related legislative response which may soon be upon us, may herald substantial changes for organizations doing business in Ontario.

At present, private sector organizations in Ontario are subject to Canada’s federal privacy regime, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which applies when they collect, use or disclose personal information in the course of commercial activities.

In 2020, the Canadian federal government introduced Bill C-11, which would introduce widespread changes to Canada’s privacy regime at the federal level. This Bill has not yet been passed by the federal parliament, so it is not yet certain if these changes will come into force. In any event, many commentators have noted that updated privacy legislation at both the federal and provincial levels is likely going to be passed in the coming year, in part because of the current legal and social focus on enhancing employee privacy rights.

The Ontario privacy white paper makes a number of critical comments about Bill C-11, advocating for substantial revisions to the new federal regime. As part of this perspective, which includes an emphasis on the interests of business, the Ontario report calls for a so-called “made-in-Ontario” private sector privacy regime. In an effort to advance the adoption of a new private sector privacy law for Ontario, the white paper includes specific legislative proposals and a discussion of related principles. Key points include the following:

Date Use Based on Fair and Appropriate Purposes: Organizations would only be authorized to collect, use or disclose personal information for reasonable purposes, based on what is considered to be fair and appropriate in the circumstance. This would incorporate a “reasonableness” test, which would be driven by a number of actors, including the nature, amount and sensitivity of the relevant personal information. There would also need to be a review of whether or not there are less intrusive means for achieving the relevant purposes, all based on a consideration of comparable costs and benefits.

Transparency: Under this principle, organizations would be required to implement a privacy management program. The features of any such program would cover all manner of dealing with personal information, and details of this program would need to be provided to individuals whose dates is being used, stored and disclosed. The driver for this concept is that individuals would then be in a position to provide informed and meaningful consent.

Data Portability: Ontario’s white paper advocates an approach, reflected in Bill C-11, which would grant individuals a right to request their personal information in a digital format. This process would then allow the data to be ported to another organization. The policy reason for this approach is presumably to allow individuals the freedom to “vote with their feet” about who retains their personal information. There are a number of associated technical and commercial complexities with this concept, so it remains to be seen what this right may mean in practice.

Right to Disposal: The Ontario paper also notes the potential value in allowing individuals to require organizations (and any service providers working on their behalf) to dispose of the individual’s personal information. This would be subject to certain limitations, including where the organization has a proper reason to retain the information. If implemented, this right would also result in the creation of a new process where individuals would have a right to know how any such request was dealt with, together with a requirement to receive reasons if a request for disposal is denied.

The Ontario government has also proposed several areas of law reform which, if passed, would diverge from PIPEDA. These include expanding the scope of the legislation to charities, not-for-profit organizations and trade unions. The white paper also raises the prospect of additional legislation, including an enforcement regime like that contemplated by Bill C-11. There are also a number of specific topics which are flagged for discussion and potential legislation, including how to deal with automated decisions and the personal information of children.

Ontario’s initiative is in part a response to changes to privacy legislation in other jurisdictions, most notably Europe and California. The Ontario paper advocates a “fundamental” privacy right, which is similar to what exists under Europe’s General Data Protection Regulation and the existing privacy regime in the province of Quebec. While the issues are only at the discussion stage at this point, the white paper certainly highlights the prospect of further complexities to the Canadian legislative landscape and the related compliance obligations.

There is now a public consultation process underway in Ontario, with commentary to be submitted before August 3, 2021. All of this suggests the importance of an ongoing review of relevant legislative obligations and the related practices which organizations must commit to following. Even without comprehensive legislation being implemented, Canadian organizations are, much like others around the world, facing increasing scrutiny about their privacy and data protection practices. This scrutiny seems almost certain to be heightened in the coming year.