Proposed Ontario Private Sector Privacy Law

On June 17, 2021, the Ontario government released a white paper with proposals for a new private sector privacy law. The white paper follows an initial consultation process that began in August 2020. Comments on the white paper are due by August 3, 2021.

The white paper comes on the heels of the Office of the Privacy Commissioner of Canada’s panning of the federal government’s Bill C-11, which was introduced in Parliament in November 2020 but has not yet proceeded to Committee. If there is a fall federal election, it is unlikely that Bill C-11 would be passed. If the federal Liberals are re-elected, we might see the reintroduction of the Bill in the future.

The Ontario white paper puts forward proposals that are frequently copied directly from Bill C-11 (notwithstanding the occasional remarks in the whitepaper about Bill C-11’s “weaknesses”). However, there are a number of departures from Bill C-11 that attempt to tackle matters that are more directly within Ontario’s constitutional purview.

It remains doubtful whether the Conservative government of Premier Ford will proceed with a privacy law anytime soon. We are less than a year away from an Ontario election. While there is certainly time to develop a Bill in the fall and to enact it before next spring, the more immediate effect will be to consider how the Ontario white paper might influence a review and amendment of Bill C-11.

Here’s a quick breakdown of some of the more interesting Ontario proposals – at least to me. (Caveat – I don’t deal with the right to be forgotten. I might do so in a future post.)

More than just commercial activities

Consistent with Ontario’s broader constitutional authority, Ontario is proposing that its private sector law would govern charities, unions, associations and other non-profits. This would close a gap left by federal law. Moreover, the provisions relating to employees would apply to all private sector employees, thereby closing the gap that exists because only federally regulated private sector employers are currently subject to statutory privacy laws in Ontario.

Privacy as a fundamental right

Ontario is considering recognizing privacy as a fundamental right. This is consistent with provincial jurisdiction over civil rights and something that Parliament could not accomplish as directly as the Ontario Legislature. What is interesting about the Ontario proposal, however, is that some deeper thinking has gone into the implications of recognizing such a right. As the whitepaper says, recognizing such a right requires “a clear definition of personal information” and one that will apparently have limits.

Centrality of consent

Canadian governments continue (under the sway of academics and Privacy Commissioners) to cling to the centrality of consent in private sector privacy laws. The merits of this are debatable; however, the Ontario government intends to follow suit. The Ontario proposal would add exceptions for some ordinary business activities (much like Bill C-11). Unfortunately, the Ontario government – no doubt under the influence of Privacy Commissioners – has overly complicated those exceptions by adding provisos that the specified activities can only be conducted if (a) a reasonable person would expect such a collection or use for that activity and (b) the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions.

The first criterion is essentially the threshold for implied consent. If that is so, then the exceptions are unnecessary. The second criterion is essentially an anti-targeted advertising provision, although not limited to targeted advertising. This addition seems gratuitous.

So what is the list of activities for which consent is not required (although, illogically, you need to demonstrate you would have implied consent)?

  • An activity that is necessary to provide or deliver a product or service that the individual has requested from the organization (but not a service like a decision or recommendation engine given you can’t influence a person’s decisions)
  • An activity that is carried out in the exercise of due diligence to prevent or reduce the organization’s commercial risk
  • An activity that is necessary for the organization’s information, system or network security
  • An activity that is necessary for the safety of a product or service that the organization provides or delivers
  • Any other prescribed activity

Missing is the exception in Bill C-11 that applies where obtaining consent is impracticable because the organization does not have a direct relationship with the individual.

De-identified and anonymized personal information

In a not-so-subtle jab at Bill C-11, the Ontario whitepaper tries to untangle the mess that Bill C-11 has introduced when thinking about de-identified and anonymized personal information.

As my colleague, Shaun Brown, at nNovation has pointed out, Bill C-11 makes a mess of de-identified data. Essentially, if data was ever personal information, it remains trapped within privacy laws even when there is no reasonable prospect of it being used to re-identify an individual. Rather than accept this as a drafting error, the Privacy Commissioner of Canada doubled down on it as a virtue of Bill C-11, without regard to the practical implications of this approach.

By contrast, the Ontario whitepaper deals with the issue head on with the stated goal of incentivizing the use of de-identified and anonymized personal data.

The white paper recognizes that de-identified information is derived from personal information and there could be a risk relating to re-identification. Accordingly, the Ontario proposal would protect de-identified data through requirements relating to a privacy management program, security safeguards, and the right to complain about compliance. However – and this is very important – organizations could de-identify and use that information without consent and would not be required to respond to an access request, portability request or deletion request for de-identified personal information.

Moreover, the Ontario government proposes to exempt anonymized data from the proposed privacy law. This data would be data that has been altered irreversibly, according to generally accepted best practices, so that an individual can no longer be identified directly or indirectly by any means or any person.

Although the Ontario proposal appears leaps and bounds ahead of the current state of Bill C-11 and the direction that the OPC would like Bill C-11 to take, the story is not all good news. Any conflict between the federal law and an Ontario law would result in the federal law taking precedence. I’m not talking here about constitutional precedence. I’m referring to the practical effect of a federal law, given that that law will govern data when it moves interprovincially and internationally. For most organizations of a size and scope to engage in de-identification and anonymization, data will undoubtedly move and circulate into and out of Ontario. If the federal regime is regressive in its approach to de-identified and anonymized data, Ontario’s goal to be “the world’s most advanced digital jurisdiction” will be frustrated.

Automated decision-making

Another area of justifiable criticism in Bill C-11 is the overly broad definition of automated decision-making systems, which would capture a number of benign technologies. Unfortunately, Ontario is proposing to adopt the same broad definition of “automated decision system”:

“automated decision system” means any technology that assists or replaces the judgement of human decision-makers using techniques such as rules-based systems, regression analysis, predictive analytics, machine learning, deep learning and neural nets

While terms such as “rules-based systems” may be terms of art in the field of machine learning, the words of a statute are more usually read in their ordinary and grammatical way. Any formula is a rules-based system. Surely, we don’t mean to capture Excel spreadsheets.

For the most part, Ontario is proposing a regime for automated decision-making that is aligned with Bill C-11. There must be transparency and an explanation of how automated decision systems affected a decision. However, Ontario goes further and is proposing to prohibit automated decision-making if the decision would “significantly” affect the individual unless (a) the decision is necessary for entering into or performing a contract, (b) the decision is otherwise authorized by law, or (c) the organization obtains the individual’s express consent.

Again, consistent with Ontario’s constitutional jurisdiction, Ontario is proposing to give individuals a right to contest decisions made through automated decision-making systems and to require human review.

Protections for children and youth

Consistent with Ontario’s constitutional jurisdiction, the Ontario government is able to address privacy interests of children and youth more directly. Some of the more striking proposals are:

  • Prohibiting monitoring or profiling of an individual under the age of 16 for the purposes of influencing the individual’s behaviour or decisions
  • Consent for the collection, use or disclosure of information of a child under 16 years of age would need to be given by a person who has lawful custody of the child
  • Organizations would have to take reasonable steps to verify the identity of the person purporting to have lawful custody and to verify that the person does actually have lawful custody
  • The rights conferred on an individual who is under 16 may be exercised by a person who has lawful custody of the child
  • Youth between the ages of 13 and 16 might be able to object to their parent’s or guardian’s consent or object to their parent’s or guardian’s request to destroy or take down personal information about them

Some of these proposals need further consideration. It is easy to see how some of these proposals could be weaponized in family law disputes.

Appropriate purposes

A feature of current privacy laws federally and in BC and Ontario is that the purposes for collection, use and disclosure need to be appropriate from the perspective of a reasonable person. To this, Ontario would add the concept of “fairness”. The factors in considering whether processing is “fair and appropriate” are – with one important exception – essentially lifted from Bill C-11 and include the sensitivity of the information, whether the processing is necessary to achieve a legitimate need, whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits, and whether the loss of privacy is proportionate to the benefits.

However, unlike Bill C-11, in considering fairness and appropriateness, the Ontario proposal injects a risk-based approach to appropriateness. The reasonable person would also take into account the volume and nature of the personal information and whether the organization has taken steps to de-identify the personal information.

The Ontario law would also implement some bright lines. In addition to purposes that breach a law of Ontario or Canada, certain other activities would be off limits. As mentioned above, monitoring or profiling an individual under the age of 16 for the purpose of influencing the individual’s behaviour or decisions would be inappropriate. Purposes that are known or are likely to cause significant harm to an individual or group would be another bright line.

Enforcement

Ontario is proposing to mimic Bill C-11 with the introduction of administrative monetary penalties. Administrative monetary penalties would cap out at $50,000 for an individual and, for an organization, the greater of $10 million and 3% of the organization’s gross global revenue in the organization’s financial year before the one in which the penalty is imposed. Penalties would have to be issued within two years of the most recent contravention coming to the attention of the Ontario Commissioner.

Like Bill C-11, the Ontario government proposes statutory offences for certain wrongdoing – notably failing to report a breach of security safeguards to the Commissioner, failing to maintain a record of every breach of security safeguards, failing to retain information subject to a Commissioner inquiry, failing to abide by a compliance order, re-identifying personal information that has been de-identified, or seeking retribution against a whistle-blower. Fines would be capped at the higher of $25 million or 5% of gross global revenue in the organization’s financial year before the one in which the penalty is imposed.

Unlike Bill C-11, which proposes that the Privacy Commissioner of Canada would only be able to recommend a penalty to a tribunal and the tribunal would set that penalty, Ontario is proposing to give its Privacy Commissioner the power to make the penalty order. The Ontario government is proposing that the Commissioner’s orders, including penalties, could be appealed to the Divisional Court on questions of law within 30 days.

Some random thoughts

If Ontario does enact this privacy law, it is hard to understand why taxpayers should continue to fund the federal Privacy Commissioner to the same extent. The vast majority of decisions of the Office of the Privacy Commissioner of Canada are of Ontario-based organizations, who will be subject to this law.

Further, as seen in multiple instances in recent years, the Office of the Privacy Commissioner is frequently riding along with provincial Commissioners who are quite capable of investigating on their own. From a constitutional perspective, the point of the federal law would appear to be to ensure there are minimum requirements that apply across the country. However, there doesn’t seem to be any purpose or need for multiple jurisdictions within Canada to be jointly investigating the same activity. While the case might be made for two provinces to jointly investigate, the same case cannot be made for federal and provincial investigations of an Ontario-based company with respect to an activity that is alleged to be in violation of a substantially similar law.

Worse, there would seem to be a need to address the circumstances in which the federal Commissioner will be permitted to continue to investigate when there is already a provincial investigation. There seems to be an absurd incentive for federal and provincial Commissioners to jockey for position to see who would lead and impose a headline-grabbing penalty. There would be an issue of fairness, worthy of judicial review if not outright constitutional challenge, if an organization could end up being at risk of up to two $10 million penalties for the same activity affecting the same individuals under substantially the same laws, with two separate appeal routes, with the potential for different outcomes.



Categories: AI Machine Learning, Privacy