By Cristina Onosé, Director, Government Relations at CMA
Organizations operating in Ontario may be faced with additional regulatory requirements governing the collection, use and disclosure of personal information under their control. Bill 14, the Personal Information Protection Act (PIPA) would lead to Ontario joining other provinces, namely B.C., Alberta and Quebec, in having its own private-sector privacy legislation.
Current privacy requirements for business
PIPA would largely duplicate the Personal Information Protection and Electronic Documents Act (PIPEDA), which already covers Ontario businesses and consumers. PIPEDA sets out the ground rules for how businesses must handle personal information in the course of commercial activity and provides effective guidance to organizations. The federal law also allows the Office of the Privacy Commissioner of Canada (OPC) to provide further interpretive guidance as social, technological and business developments require.
PIPEDA amendments, introduced in 2015, provide consumers with additional protections, including mandatory breach notification requirements that are expected to come into force this year. The Act also extended the powers of the Privacy Commissioner to enter into compliance agreements with organizations, which create binding terms the Commissioner considers necessary to ensure compliance with PIPEDA.
Current consumer privacy protections
PIPEDA already provides Canadians with a robust privacy regime and guarantees a number of key protections including:
- Organizations must obtain an individual's consent when they collect, use or disclose that individual's personal information.
- Individuals have the right to access their personal information held by an organization and have the right to challenge its accuracy.
- Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, they must obtain consent again.
- Organizations must ensure that information will be protected by appropriate safeguards.
- Express (opt-in) consent is needed for the collection, use and disclosure of information deemed sensitive (e.g. health or financial information).
- An individual may complain to the OPC about any alleged breaches of the law. The Commissioner can then investigate, enter into compliance agreements, and if the case is not resolved he/she can take the matter to federal court.
Notable differences between PIPA and PIPEDA
Protection of employee personal information – In Ontario there is currently no privacy statute that applies to employee personal information. PIPA would subject most Ontario organizations to employee privacy requirements, forcing them to review and revise privacy policies and privacy compliance programs.
Enforcement powers for the Information and Privacy Commissioner of Ontario (IPC) – The Ontario PIPA would give the IPC new powers to initiate compliance investigations and audits in the private sector, as well as to conduct inquiries and make orders regarding privacy complaints. Failure to comply with an order of the Commissioner would result in a maximum fine of $10,000 for individuals and a maximum fine of $100,000 for organizations.
The impacts of an Ontario privacy law
The introduction of a privacy law in Ontario poses several challenges. The implications need to be carefully assessed. From a regulatory perspective, Bill 14 does not include breach notification provisions. This is in contrast with PIPEDA whose breach regulations are expected to be finalized and come into force later this year. It’s also important to note that the Canadian government is currently conducting a review of PIPEDA. As part of the review, additional privacy enhancing requirements are being sought which would provide Ontario (and other Canadian) consumers with a strengthened legal regime. Proposed changes are currently being assessed and analyzed by the government, OPC, industry and consumer advocates.
From a business perspective, the need for organizations to collect, use and disclose personal information is key to business growth and success in a data-driven economy. Introducing a duplicate legal privacy regime would create more red tape and potentially introduce confusion in the marketplace. It would also put an unnecessary strain on businesses and not-for-profit organizations and on their ability to be innovative. Organizations would need to dedicate significant resources to ensure compliance, while providing limited additional protections to consumers.
From a consumer perspective, introducing provincial legislation would create limited additional privacy protections (namely, in the employment context) and would remove the need for organizations to report breaches as currently required by PIPEDA. As mentioned above, Ontario consumers are currently protected by Canada’s PIPEDA and have a plethora of educational resources at their disposal to inform themselves of their privacy rights and protections. It is highly unlikely that, if there were an Ontario law, the IPC would develop any material advances on what the federal Commissioner has achieved.
Will PIPA pass scrutiny in the Ontario legislature? It remains to be seen. PIPA is a private member's bill introduced on the eve of a provincial election, so the likelihood of its passing is uncertain. The CMA sent comments to the committee tasked with reviewing the bill and indicated its intention to appear before it.