Proposed Ontario privacy law could involve millions of corporate fines
Proposed Ontario privacy law could involve millions of corporate fines
Ontario is close to creating its own provincial privacy law that would include the right to privacy and a corporate obligation to report privacy violations. This week, the province said it was considering moves because the proposed overhaul of the federal privacy law, which Ontario has relied on so far, is flawed.
On Thursday, the province released a white paper for public discussion to address a "fundamental right to privacy, protect Ontarians from undue surveillance, and promote responsible innovation."
One proposal: an administrative fine of up to $10 million or three percent of an organization's gross global revenue for violating the law. Failure to report a breach of security safeguards, failure to comply with a compliance order, or non-identifying personal information that was de-identified could cost an organization $25 million, or five percent of its global revenue may be punished.
"The Government of Ontario's vision is to make Ontario the world's most advanced"
digital jurisdiction,” the white paper says. “Paramount to this work is digital privacy, and ensuring that Ontario has the power to control what personal data they share, when they share it, and with whom. This Ontario Government's priority."
Only three provinces – Quebec, British Columbia and Alberta – have their own private-sector privacy laws. Other provinces and territories comply with the federal Personal Information Protection and Electronic Documents Act (PIPEDA). The Liberal government has proposed overhauling PIPEDA with a new law called the Consumer Privacy Protection Act (CPPA, also known as Bill C-11).
However, it is not clear how much of the minority government's heart is behind the law. The bill is still in second read after it was introduced in Parliament seven months ago and has not been referred to the committee for detailed analysis.
Federal Privacy Commissioner Daniel Therian says the proposed legislation doesn't go far enough. In May, he detailed his objections to the House of Commons Information, Ethics and Privacy Committee.
"The bill will give less control and more flexibility to organizations in monetizing personal data without increasing their accountability to consumers," he said. "Furthermore, the penalty plan is unreasonably narrow and long."
Explaining why the province is looking to go its own way, Government and Consumer Services Minister Lisa Thompson issued a statement saying that the C-11 "may appear to modernize the old law, adding that it has " Taking away the critical protections that Canadians expect has been recognized and recognized as a 'step back' by the Office of the Privacy Commissioner of Canada."
Thompson said a comprehensive national privacy regime would be ideal, but the federal bill on the table is "fundamentally flawed."
Update: The Ontario Chamber of Commerce opposes Ontario's march for its own data privacy law. In an interview this afternoon, the chamber's senior policy manager, Claudia DeSanti, said members reacted with "concern" to the release of the white paper and hearing about the upcoming public consultation.
“Our position is long as the privacy regulation of businesses should remain at the federal level,” she said. “PIPEDA is national for a reason: Businesses operating across Canada can’t navigate the different sets of rules. It’s too much red tape, it’s too much uncertainty and cost, and it prevents them from investing in Canada. "
“We would love to see the federal government working with the federal government to make the federally needed changes.”
Chris Klein, a privacy attorney at Ottawa law firm Ennovation, said in an email that he was encouraged when Ontario showed interest in passing its own private sector privacy law last year. “This would fill the gap for so many employees who do not have their privacy rights regulated in Ontario. Because PIPEDA only applies to employees of federal functions and undertakings, the lack of provincial legislation means there is a huge black hole. "
PIPEDA was last revised in 2015. However, after the EU implemented the General Data Protection Regulation (GDPR) in May 2018, PIPEDA needs to be updated to comply with the GDPR. With no action from Ottawa, In August 2020 Ontario announced a public consultation to reform provincial privacy laws. This led to the release of the White Paper. White papers are usually an indication that a provincial or federal government is seriously considering legislation.
The white paper follows the release of Ontario's digital and data strategy in April.
No comments