Is It Finally Happening? A Sneak Peek Into Ontario’s Possible New Private Sector Privacy Law

On August 13, 2020, Ontario’s Ministry of Government and Consumer Services initiated a public consultation to develop a private sector privacy law for the province. Currently, Ontario doesn’t have its own privacy law for private sector businesses and organizations, and is governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA). The government’s stated goal is to create “a unique, made-in-Ontario solution to today’s privacy challenges, one that suits Ontario’s size and complexion, and will nurture innovation for Ontario businesses, associations and other organizations.”

Both federal and provincial privacy commissioners have long lamented the gaps in our legislative privacy frameworks, so this consultation is the beginning of a critical opportunity for improvement and modernization. But why now? In her blog post entitled “Has the Time Come for a Private Sector Privacy Law in Ontario?”, the Information and Privacy Commissioner of Ontario, Patricia Kosseim, cites the wave of privacy legislative reform both in Canada (e.g. Quebec’s Bill 64) and abroad (e.g. the E.U.’s GDPR), and the COVID-19 pandemic which has accelerated both the move to virtual work environments and consumer reliance on digital tools and services. The Commissioner concludes that “these developments have laid bare significant regulatory gaps in Ontario that require urgent attention.”

The Ontario government’s consultation process is framed by a discussion paper that seeks feedback on several key topics which have influenced privacy regulations globally. These topics offer a glimpse into what we may expect from the new legislation, and how it may impact Ontario’s private sector:

1. Transparency: Individuals should be provided with more detail about how businesses and organizations are using their information. Organizations may be required to share information about the use of personal information in clear, plain


2. Consent: The legislation may consider alternative models to consent as the government “is now re-imagining consent and transparency requirements, and considering alternative models which better equip Ontarians to make informed choices about their service providers, and to exercise greater control over the collection, use and disclosure of their personal information.” In addition to considering alternative models, the law would likely clarify rules governing consent provisions including how individuals may withdraw consent at any time and adopt an “opt-in” model for secondary uses. The legislation will likely aim to ensure individuals are empowered to make more informed choices about how their information is being used, and what exactly they are agreeing to when they provide consent.

3. Data Erasure: Provide a right to data erasure (i.e. the right to be forgotten). This means that individuals could request that their information be deleted or de-indexed (i.e. removed from online search results). In our digital world, this right has become a crucial way for individuals to directly control their privacy and


4. Data Portability: Provide a right to data portability. This means individuals would be empowered to receive their information in a standard, portable digital format so that they may change service providers seamlessly and without losing their data. Data portability would give individuals more control over their information, and may create greater competition among service providers since consumers would be able to switch providers more easily.

5. Enhanced Enforcement: Strengthen the oversight and enforcement powers of the Information and Privacy Commissioner/Ontario (e.g. ability to impose penalties) to support compliance with the new law.

6. De-identification Requirements: Currently, there is no clear set of rules on how organizations must manage de-identified personal information or data derived from personal information. The new law will likely aim to fill this gap by clearly defining these concepts, creating rules on how organizations must manage this type of information, and clarifying how privacy rules apply to it.

7. Expanded Scope: The new law must address the significant gap in Canada’s privacy framework. Currently, many organizations operating in Ontario (i.e. non-profits, charities, professional associations, trade unions and political parties) are not subject to PIPEDA. As such, the new law must govern non-commercial organizations. Moreover, from an employment perspective, PIPEDA only covers federally regulated employers. The new law would likely apply to provincially-regulated employment relationships (e.g. hospitality, retail, professional service


8. Innovative Data Sharing: Consider establishing guidelines, principles or standards for the use of “data trusts” (i.e. emerging data governance models where data can be shared in a privacy protective manner among various sectors or organizations in order to drive innovation and value in the public interest).

As these 8 topics demonstrate, Ontario’s new private sector privacy legislation, if enacted, will be fundamentally shaped by privacy issues stemming from our digital age and the government’s desire to address outstanding gaps in the current Canadian privacy landscape.

Have questions? Reach out!

Email: info@drawbridgeconsulting.com

Phone: 416-558-3657