Monday, 23 November 2020 13:42

With a New Federal Bill Before Parliament, Is There Still a Case for Ontario to Enact its Own Private Sector Data Protection Law?

Written by  Teresa Scassa
Rate this item
(1 Vote)

 

The federal government’s new Bill C-11 to reform its antiquated private sector data protection law has landed on Parliament’s Order Paper at an interesting moment for Ontario. Earlier this year, Canada’s largest province launched a consultation on whether it should enact its own private sector data protection law that would apply instead of the federal law to intraprovincial activities.

The federal Personal Information Protection and Electronic Documents Act was enacted in 2000, a time when electronic commerce was on the rise, public trust was weak, and transborder flows of data were of growing economic importance. Canada faced an adequacy assessment under the European Union’s Data Protection Directive, in order to keep data flowing to Canada from the EU. At the time, only Quebec had its own private sector data protection law. Because a federal law in this area was on a somewhat shaky constitutional footing, PIPEDA’s compromise was that it would apply nationally to private sector data collection, use or disclosure in the course of commercial activity, unless a province had enacted “substantially similar” legislation. In such a case, the provincial statute would apply within the province, although not to federally-regulated industries or where data flowed across provincial or national borders. British Columbia and Alberta enacted their own statutes in 2004. Along with Quebec’s law, these were declared substantially similar to PIPEDA. The result is a somewhat complicated private sector data protection framework made workable by co-operation between federal and provincial privacy commissioners. Those provinces without their own private sector laws have seemed content with PIPEDA – and with allowing Ottawa picking up the tab for its oversight and enforcement.

Twenty years after PIPEDA’s enactment, data thirsty technologies such as artificial intelligence are on the ascendance, public trust has been undermined by rampant overcollection, breaches and scandals, and transborder data flows are ubiquitous. The EU’s 2018 General Data Protection Regulation (GDPR) has set a new and higher standard for data protection and Canada must act to satisfy a new adequacy assessment. Bill C-11 is the federal response.

There are provisions in Bill C-11 that tackle the challenges posed by the contemporary data environment. For example, organizations will have to provide upfront a “general account” of their use of automated decision systems that “make predictions, recommendations or decisions about individuals that could have significant impacts on them” (s. 62(1)(c)). The right of access to one’s personal information will include a right to an explanation of any prediction, recommendation or decision made using an automated decision system (s. 63(3)). There are also new exceptions to consent requirements for businesses that seek to use their existing stores of personal information for new internal purposes. C-11 will facilitate some sharing of de-identified data for “socially beneficial purposes”. These are among the Bill’s innovations.

There are, however, things that the Bill does not do. Absent from Bill C-11 is anything specifically addressing the privacy of children or youth. In fact, the Bill reworks the meaning of “valid consent”, such that it is no longer assessed in terms of the ability of those targeted for the product or service to understand the consequences of their consent. This undermines privacy, particularly for youth. Ontario could set its own course in this area.

More importantly, perhaps, there are some things that a federal law simply cannot do. It cannot tread on provincial jurisdiction, which leaves important data protection gaps. These include employee privacy in provincially regulated sectors, the non-commercial activities of provincial organizations, and provincial political parties. The federal government clearly has no stomach for including federal political parties under the CPPA. Yet the province could act – as BC has done – to impose data protection rules on provincial parties. There is also the potential to build more consistent norms, as well as some interoperability where necessary, across the provincial public, health and private sectors under a single regulator.

The federal bill may also not be best suited to meet the spectrum of needs of Ontario’s provincially regulated private sector. Many of the bill’s reforms target the data practices of large corporations, including those that operate transnationally. The enhanced penalties and enforcement mechanisms in Bill C-11 are much needed, but are oriented towards penalizing bad actors whose large-scale data abuses cause significant harm. Make no mistake – we need C-11 to firmly regulate the major data players. And, while a provincial data protection law must also have teeth, it would be easier to scale such a law to the broad diversity of small and medium-sized enterprises in the Ontario market. This is not just in terms of penalties but also in terms of the compliance burden. Ontario’s Information and Privacy Commissioner could play an important role here as a conduit for information and education and as a point of contact for guidance.

Further, as the failed Sidewalk Toronto project demonstrated, the province is ripe with opportunities for public-private technology partnerships. Having a single regulator and an interoperable set of public and private sector data protection laws could offer real advantages in simplifying compliance and making the environment more attractive to innovators, while at the same time providing clear norms and a single point of contact for affected individuals.

In theory as well, the provincial government would be able to move quickly if need be to update or amend the law. The wait for PIPEDA reform has been excruciating. It it is not over yet, either. Bill C-11 may not be passed before we have to go to the polls again. That said, timely updating has not been a hallmark of either BC or Alberta’s regimes. Drawbacks of a new Ontario private sector data protection law would include further multiplication of the number of data protection laws in Canada, and the regulatory complexity this can create. A separate provincial law will also mean that Ontario will assume the costs of administering a private sector data protection regime. This entails the further risk that budget measures could be used by future governments to undermine data protection in Ontario. Still, the same risks – combined with considerably less control – exist with federal regulation. There remains a strong and interesting case for Ontario to move forward with its own legislation.

Teresa Scassa

Latest from Teresa Scassa

Related items (by tag)

back to top