On August 13, 2020, the Ontario Government (the “Government”) launched consultations on establishing provincial privacy legislation for the private sector. As one of the stated goals is to expand the scope and application of private sector privacy law to non-commercial organizations such as not-for-profits and charities, any new provincial legislation would lead to a change in how the sector must manage compliance and privacy risk in the area. It could also lead to increased compliance costs. As we will discuss below, increased enforcement, including the imposition of penalties, is being considered. Currently, Ontario non-profits would only be subject to penalties in cases where Alberta law applied or in those limited cases where the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) applied to a data breach scenario. Only in those cases could a maximum penalty of $100,000.00 be imposed on the non-profit.
The private sector collection, use, and disclosure of personal information in Ontario is currently governed by PIPEDA. Ontario has enacted privacy legislation for the health and public sectors but not for private industry, and for that reason federal legislation is filling in the gap. PIPEDA only applies to organizations that collect, use or disclose personal information in the course of “commercial activities.” Accordingly, Ontario not-for-profits and charities are currently only subject to privacy legislation if they process personal information as per the definition of a “commercial activity” or if they have operations or collect information in provinces or other jurisdictions that have legislation applicable to the not-for-profit sector (such as Alberta, British Columbia, and Quebec). The consultations serve as a first step in addressing the gap in the province’s legislative privacy framework.
Not-for-profit and charitable organizations may wish to consider engaging in the Government’s consultation process given the impact new privacy legislation will have on their operations. The Government is seeking advice by way of written submissions or responses to their online survey until October 1, 2020.
In their discussion paper, entitled “Ontario Private Sector Privacy Reform: Improving Private Sector Privacy for Ontarians in a Digital Age,” the Government outlined some of their goals for the new privacy framework:
- Transparency: Greater transparency regarding how an individual’s information is being used by businesses;
- Application to not-for-profits: Expanded scope and application of the law to include non-commercial organizations, including not-for-profits, charities, trade unions and political parties;
- Consent: Revocations of consent at any time and adopting opt-in models for secondary uses of information;
- Right to be forgotten: Requests by an individual for their information to be deleted, providing a right to erasure;
- Data portability: Greater data portability to enable individuals to switch service providers without losses of data;
- Enforcement: Increased enforcement powers for the Information and Privacy Commissioner to ensure businesses comply with the law (penalties are being considered);
- Use of anonymized data: Clarified requirements for the application of privacy protection to de-identified data derived from personal information; and
- Data trusts: Creating the framework for the establishment of so-called “data trusts” to enable sharing data in a “commons” that protects privacy.
A national trend of modernizing privacy law and increasing enforcement powers
These consultations are occurring in the context of increasingly loud calls from Canadian Privacy Commissioners (see our previous article for more information) that the laws must be enhanced. They arise in the context of the COVID-19 pandemic (see our previous article for more information) and the increased and changing context of the online processing of personal information, new legal regimes in the US such as the California Consumer Privacy Act (“CCPA”), as well as the highly influential European General Data Privacy Regulation (“GDPR”), which entered into force in May 2018. As we previously reported, in June, the British Columbia Information and Privacy Commissioner called for changes to the province’s Personal Information Protection Act. Similarly, Quebec engaged in a complete overhaul of their privacy law regime, introducing Bill 64, An Act to Modernize Legislative Provisions Respecting the Protection of Personal Information. Once passed, the Bill seeks to strengthen consent, transparency, and accountability through imposing higher penalties and mandatory breach notification requirements. Together with Ontario’s consultation launch, these efforts demonstrate an increasing importance placed on data privacy by the provinces, inching closer to the strong protections and enforcement mechanisms afforded under GDPR and CCPA.