On August 13, 2020, the Ontario Government (the “Government”) launched consultations on establishing provincial privacy legislation for the private sector, likely including not-for-profits and charities.
The collection, use, and disclosure of personal information is currently governed by federal legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Accordingly, Ontario does not have its own provincial privacy legislation governing private sector actors. The consultations serve as a first step in addressing the gap in the province’s legislative privacy framework.
In their discussion paper, entitled “Ontario Private Sector Privacy Reform: Improving Private Sector Privacy for Ontarians in a Digital Age,” the Government outlined some of their goals for the new privacy framework:
- Transparency: Greater transparency regarding how an individual’s information is being used by businesses;
- Application to Not-for-profits: Expanded scope and application of the law to include non-commercial organizations, including not-for-profits, charities, trade unions and political parties;
- Consent: Revocations of consent at any time and adopting opt-in models for secondary uses of information;
- Right to be forgotten: Requests by an individual for their information to be deleted, providing a right to erasure;
- Data Portability: Greater data portability to enable individuals to switch service providers without losses of data;
- Enforcement: Increased enforcement powers for the Information and Privacy Commissioner to ensure businesses comply with the law (penalties are being considered);
- Use of anonymized data: Clarified requirements for the application of privacy protection to de-identified data derived from personal information; and
- Data Trusts: Creating the framework for the establishment of so-called “data trusts” to enable sharing data in a “commons” that protects privacy.
A National Trend of Modernizing Privacy Law and Increasing Enforcement Powers
These consultations are occurring in the context of increasingly louder calls from Canadian Privacy Commissioners that the laws must be enhanced. They arise during the context of the COVID-19 pandemic and the increased and changing context of the online processing of personal information, new legal regimes in the US such as the California Consumer Privacy Act (“CCPA”), as well as the highly influential European General Data Privacy Regulation (“GDPR”), which entered into force in May 2018. As we previously reported, in June, the British Columbia Information and Privacy Commissioner called for changes to the province’s Personal Information Protection Act. Similarly, Quebec engaged in a complete overhaul of their privacy law regime, introducing Bill 64, An Act to Modernize Legislative Provisions Respecting the Protection of Personal Information. Once passed, the Bill seeks to strengthen consent, transparency, and accountability through imposing higher penalties and mandatory breach notification requirements. Together with Ontario’s consultation launch, these efforts demonstrate an increasing importance placed on data privacy by the provinces, inching closer to the strong protections and enforcement mechanisms afforded under GDPR and CCPA.
Impact on Not-for-profits and Charities
As one of the stated goals is to expand the scope and application of private sector privacy law to non-commercial organizations such as not-for-profits and charities, both the consultations and the new privacy legislation that arises from them will likely lead to a change in how privacy law applies to the not-for-profit sector.
PIPEDA is only applied to organizations that collect, use or disclose personal information in the course of “commercial activities.” Accordingly, Ontario not-for-profits and charities are currently only subject to privacy legislation if they process personal information as per the definition of a “commercial activity” or if they have operations or collect information in provinces or other jurisdictions that have legislation applicable to the not-for-profit sector.
All “substantially similar” provincial laws either specifically exempt certain not-for-profits or explicitly include all organizations irrespective of charitable status. Similarly, the GDPR applies to for-profit and charitable sectors and it is likely that any proposed legislative framework in Ontario will follow suit.
Not-for-profit and charitable organizations may wish to consider engaging in the Government’s consultation process given the impact new privacy legislation will have on their operations. The Government is seeking advice by way of written submissions or responses to their online survey until October 1, 2020.