On June 17, 2021, Ontario’s Ministry of Government and Consumer Services announced a public consultation in order to address the gaps in Ontario’s legislative privacy framework. The goal is to establish comprehensive and up-to-date rules, increase confidence in digital services, and support innovation. Stakeholders are invited to provide feedback until August 3, 2021.
The White Paper notes the challenges, makes proposals, and includes discussion questions relating to each of the following key areas of possible reform:
1. A rights-based approach to privacy: Given rapid technological advances, new rights are required for protecting individuals from potential unfair practices and maintaining a high level of trust and confidence in the digital economy. To that end, it is proposed that a fundamental right to privacy be established as the underpinning principle in Ontario privacy law. Feedback is sought regarding the proposed preamble; how personal information and sensitive personal information can be defined in law; whether the proposed “fair and appropriate purposes” provide adequate and clear accountability standards for organizations and service providers; and the extent of the proposed data rights of erasure and mobility.
2. Safe use of automated decision-making: While there are several benefits that come with AI technologies such as automated decision systems (ADS), there are also new risks such as surveillance and algorithmic bias that trigger the need for greater privacy protections. Therefore, it is proposed that Ontario prohibit the use of AI and ADS in situations where they could cause harm to citizens, provide stronger rights to inform Ontarians when and how their data is used by these technologies, and empower individuals with a right to object to these uses (or at least to contest them). Feedback is sought with respect to whether the proposed provisions provide adequate protection for individuals whose information is subject to ADS practices; whether the proposed regulatory approach for ADS strikes the right balance to enhance privacy protections while enabling new forms of socially beneficial innovation in AI; whether there should be additional recordkeeping or traceability requirements to ensure that organizations remain accountable for their ADS practices; and whether there could be additional requirements or protections that Ontario may consider related to the use of profiling.
3. Enhancing consent and other lawful uses of personal information: The modern data landscape is currently too complex to rely solely upon consent, and it also challenges individuals’ understanding of and ability to consent—this often leads to consent fatigue to the point where consent is given but is not well-informed. It is proposed that the meaningfulness of consent be improved by requiring that consent be more informed, while providing alternate authorities for collecting and using personal information to reduce consent fatigue and ensure that organizations cannot use uninformed individual consents as a means to exploit citizens’ data. Feedback is sought concerning whether the proposed list of “permitted categories” provides a sufficient set of authorities for the collection, use and disclosure of personal information; whether the proposed “business activities” are properly balanced to protect personal information while allowing businesses to conduct their operations; and whether there could be any additional protections or requirements that Ontario should consider in respect of service providers.
4. Data-transparency for all Ontarians: Current data practices are opaque and overly complex—this can lead to citizens consenting to practices that create risks of which they are not aware. Another consequence is that individuals could become distrustful of organizations. It is necessary for modern privacy laws to require meaningful transparency from organizations about their data practices. Consequently, it is proposed that there be stronger transparency requirements that provide citizens with a right to know when and how their data is used by organizations, allowing them to regain control and participate more meaningfully in the decisions that affect their well-being. Feedback is sought regarding whether the “privacy management program” requirement is sufficient to ensure that organizations are accountable for the personal information they collect; whether the proposed provisions are sufficient to ensure that Ontarians understand the nature, purpose and consequences when an organization collects or uses their personal information; and whether there should be a mandatory requirement for “privacy by design” practices or “privacy impact assessments” (is this too onerous, or can there be a way to balance the value of these requirements with the potential burden?).
5. Protecting children and youth: Children are among the most vulnerable groups in the digital economy. Their extensive online activity, combined with the increasing obscurity of data practices, makes them easy targets for unjustified surveillance, invasive monitoring and influence by bad actors. It is important to provide special protections for children to guard against these heightened dangers by introducing a minimum age of valid consent and prohibiting organizations from monitoring children for the purpose of influencing their decisions or behaviour. Feedback is sought with respect to whether additional considerations are needed in determining the appropriate age of consent for the collection, use and disclosure of personal information; the types of operational challenges that organizations might face by including age of consent requirements for the collection, use and disclosure of personal information; and whether there should be any other requirements to enhance protections for other vulnerable populations such as seniors and people with disabilities.
6. A fair, proportionate and supportive regulatory regime: It is necessary to have an independent oversight body to promote good privacy practices and enforce privacy laws. Accordingly, it is proposed that the mandate of the Ontario Office of the Information and Privacy Commissioner be extended to include oversight of and compliance with the above proposed requirements. In addition, stronger enforcement powers could be established to hold organizations accountable. Furthermore, there could be provisions that provide support and guidance to organizations. Feedback is sought concerning whether certification programs and codes of practice could be effective in proactively and collaboratively encouraging best practices in privacy protection; whether administrative monetary penalties might be effective in encouraging compliance with privacy laws (and are the financial penalties set at an appropriate level?); and whether the ability for the Ontario Office of the Information and Privacy Commissioner to issue orders requiring organizations to offer assistance or compensate individuals can be an effective tool to give individuals quicker resolutions to issues.
7. Supporting Ontario innovators: Organizations may wish to improve their existing technologies, services or products or develop new ones—to accomplish this goal, they may want to use de-identified personal information for research and innovation purposes. But to do this safely, organizations must be confident that they are not using de-identified data in ways that contravene privacy rules. It is therefore proposed that there be clear definitions, requirements, and standards to guide organizations in the use of de-identified data to encourage safe and responsible research and innovation without compromising the privacy of Ontarians. Feedback is sought regarding whether the clearer articulation of which privacy rules apply to de-identified information would encourage organizations to use de-identified information and reduce privacy risk; whether the inclusion of the concept of anonymized information (and clarifying that the privacy law would not apply to this information) would encourage organizations to use anonymized information; and in situations involving sharing information for socially beneficial purposes, the types of additional safeguards or governance that might be needed in addition to de-identification of information, to protect privacy.
It is important to note that Ontario is considering expanding the scope of privacy requirements to include non-commercial organizations in order to ensure that Ontarians’ personal information receives adequate coverage and protection in every aspect of life.
“Public trust and confidence in the digital economy are key to the future prosperity of Ontario and the well-being of Ontarians. Ontario’s proposed approach would lay the groundwork for this by implementing a rights-based approach to privacy to empower Ontarians and give Ontario’s organizations a competitive advantage in a data-driven world.”
For further information, please visit the Ontario Information and Privacy Commissioner’s Privacy Reform Discussion Paper and the Privacy Commissioner of Canada’s Submission on Bill C-11.
Stakeholders can provide feedback here or write to:
Manager of Access and Privacy Strategy and Policy Unit
Ministry of Government and Consumer Services
Enterprise Recordkeeping, Access and Privacy Branch
134 Ian Macdonald Boulevard