With its announcement last week about a public consultation to “improving provincial privacy laws,” Ontario is signalling it’s willing to pass its own private sector privacy law, joining Quebec, B.C. and Alberta.
Other than those three, the other provinces and territories accept the federal Personal Information Privacy and Electronic Documents Act (PIPEDA), which covers federally-registered businesses, as their law for overseeing data privacy in provincially-registered businesses. However, non-profits and charities aren’t covered, nor are Ontario provincial political parties.
Ontario’s existing privacy laws only cover the health, municipal and provincial public sectors (including universities and colleges).
Ontario says that among the proposals to be discussed in the public consultation are:
- The right for Ontario residents to request private sector organizations to delete the personal information they hold be deleted (the so-called “the right to be forgotten’”).
- The right to move their personal data from one organization to another (known as data portability).
- Enhancing the ability of residents to revoke their consent of organizations to collect private data at any time, and adopting an “opt-in” model for secondary uses of their information.
Former Ontario privacy commissioner Ann Cavoukian and Toronto privacy lawyer Barry Sookman of the McCarthy Tetrault law firm agreed in interviews if the province wants to achieve those goals, a new provincial privacy law that covers the provincially-registered private sector firms and bypasses PIPEDA is the answer.
Sookman said that while he isn’t opposed to Ontario having its private sector privacy law, he would be concerned if the legislation is inconsistent with PIPEDA “and created more compliance burdens on organizations for no good reasons.”
“It is much easier for organizations to have one regular set of laws. Constitutionally there may be an inability to cover everything, but it would be much preferable to have one set of laws, or at the very least the laws should be consistent from jurisdiction to jurisdiction to make compliance more efficient.”
Cavoukian, who is now the executive director of the Global Privacy & Security by Design Centre, said she is “absolutely delighted” with the decision to have a public consultation and its terms of reference. “I’m hoping whatever we get has real teeth, and is also practical and makes sense.”
That would include giving Ontario residents more power to refuse consent to have the private sector sell personal data it collects to third parties and advertisers, she explained.
The Ontario Chamber of Commerce quickly issued a statement urging the province not to go that route. “It is important that the Government of Ontario avoids duplicating federal government laws pertaining to the collection, use, and disclosure of personal information by private sector organizations. A patchwork of privacy rules would add additional costs, complicate the business environment, and act as an unnecessary barrier to interprovincial trade.”
Canada, U.S. sign international guidelines for safe AI development
Eighteen countries, including Canada, the U.S. and the U.K., today agreed on recommended g…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
