Proposed Ontario privacy law could involve millions of corporate fines

Ontario is close to enacting its own provincial privacy law that would include the right to privacy and a corporate obligation to report privacy violations. This week, the province said it was considering steps because the proposed overhaul of the federal privacy law, which Ontario has relied on so far, is flawed.

On Thursday, the province released a white paper calling for public discussion on the "fundamental right to privacy, protecting Ontario from undue surveillance and promoting responsible innovation."

One proposal: an administrative fine of up to $10 million or three percent of an organization's gross global revenue for violating the law. Failure to report a breach of security safeguards, failure to comply with a compliance order, or non-identifying personal information can result in an organization being fined $25 million or up to five percent of its global revenue.

“The vision of the Government of Ontario is to make Ontario the world's most advanced digital jurisdiction,” the white paper says. “Paramount to this work is digital privacy, and ensuring that Ontario has the power to control what personal data they share, when they share it, and with whom. This is a priority for the Government of Ontario.”

Only three provinces – Quebec, British Columbia and Alberta – have their own private-sector privacy laws. Other provinces and territories comply with the federal Personal Information Protection and Electronic Documents Act (PIPEDA). The Liberal government has proposed overhauling PIPEDA with a new law called the Consumer Privacy Protection Act (CPPA, also known as Bill C-11).

However, it is not clear how much of the minority government's heart is behind the law. The bill is still at second reading after it was introduced in Parliament seven months ago and has not been referred to committee for detailed analysis.

Federal Privacy Commissioner Daniel Therrien says the proposed legislation doesn't go far enough. In May, he detailed his objections to the House of Commons Information, Ethics and Privacy Committee.

"The bill will give organizations less control and more flexibility in monetizing personal data without increasing their accountability to consumers," he said. "Furthermore, the penalty plan is unreasonably narrow and long."

Explaining why the province is going its own way, Government and Consumer Services Minister Lisa Thompson issued a statement saying that C-11 "may appear to modernize the old law", adding that "Canadians Removing the key protections expected of us has been recognized and recognized as a 'step back' by the Office of the Privacy Commissioner of Canada."

Thompson said a comprehensive national privacy regime would be ideal, but the federal bill on the table is "fundamentally flawed."

Update: The Ontario Chamber of Commerce opposes Ontario's push for its own data privacy law. In an interview this afternoon, the chamber's senior policy manager, Claudia DeSanti, said members reacted with "concern" to the release of the white paper and to news of the upcoming public consultation.

“Our position is as long as privacy regulation of businesses must remain at the federal level,” she said. “PIPEDA is national for a reason: Businesses operating across Canada can't navigate the different sets of rules. It's a lot of red tape, it's a lot of uncertainty and cost, and it keeps them from investing in Canada. ...

"We would love to see the federal government working with the federal government to make the federally needed changes."

Chris Klein, a privacy attorney at Ottawa law firm Ennovation, said in an email that he was encouraged when Ontario showed interest in passing its own private sector privacy law last year. “It would fill the gap for so many employees who do not have their privacy rights regulated in Ontario. Because PIPEDA only applies to employees of federal functions and undertakings, the lack of provincial law means there is a huge black hole.”

PIPEDA was last revised in 2015. However, after the EU implemented the General Data Protection Regulation (GDPR) in May 2018, PIPEDA needed to be updated to comply with GDPR. With no action from Ottawa, in August 2020 Ontario announced a public consultation to reform provincial privacy laws. This led to the release of the white paper. White papers are usually an indication that a provincial or federal government is seriously considering legislation.
