In August, the Ontario government began public consultations on strengthening privacy protection in the province. The pandemic has brought home how important privacy protections are, as we live more and more of our lives virtually. Currently, there is no Ontario law applicable to privacy protections in the public sector. Though the federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies, there are still many gaps. PIPEDA regulates how private sector organizations collect, use and disclose personal information when conducting business in Canada. PIPEDA does not provide any privacy protection to, for example, provincially regulated private sector employees in Ontario.
Proposals
In undertaking the public consultation process, the government aims to improve protections for personal information.
Here’s a quote: “Our goal is to help ensure that the public can confidently participate in the digital economy, use the digital platforms they rely on to purchase goods and services, stay connected with their community and do business in Ontario.”
While presumably these may be tweaked based on the outcome of the consultations, the following are some of the provincial government’s proposals:
- Provide individuals with more detail and transparency about how their information is being used by businesses and organizations
- Enhance consent provisions, allowing individuals to revoke consent at any time and adopting an “opt-in” model for secondary uses of their information
- Give individuals the right to request information related to them be deleted
- Give individuals the right to their data in a standard and portable digital format, giving individuals greater freedom to change service providers without losing their data—a.k.a. “Data Portability”
- Increase enforcement powers for the Information and Privacy Commissioner to ensure businesses comply with the law, including the ability to impose penalties
- Introduce requirements for anonymized or de-identified information and derived from personal information
- Provide for greater coverage for privacy legislation
- Create a legislative framework to enable the establishment of data trusts for privacy protective data sharing
Alexa? Can I trust you?
The government aims to address the following list of pretty scary concerns:
- Smart home devices with security vulnerabilities—like Alexa, Google Home—that can capture and transmit audio and video feeds—yikes!
- Facial recognition and cell signal or GPS tracking that will eliminate privacy about where we are
- Privacy breaches and the theft of personal information via:
- cyber attacks
- employees using their own credentials to inappropriately access or steal personal information
- improper administrative, technical and physical safeguards at the organization
Participate!
If you’d like to have your say in the consultations process, you have until October 1, 2020, to take the online survey. Organizations and technical experts are invited to make written submissions and virtual town hall sessions will be held, though have not yet been scheduled.
Changes to Ontario’s privacy laws will likely mean that private sector organizations need to do more with respect to the collection, use and storage of personal information. Penalties for failure to comply with any new law will likely be hefty. Similar proposed legislation in Quebec imposes a maximum fine of $25,000,000 CAD or 4 percent of worldwide turnover from the preceding fiscal year, whichever is greater. Ouch!