This week the Ontario Government launched a public consultation and discussion paper to solicit input on a new private sector data protection law for Ontario. To date, BC and Quebec are the only two provinces who have passed their own regional laws, with Quebec looking to further enhance their legislation with Bill 64. Currently, the collection, use and disclosure of personal information in Ontario is governed by PIPEDA, this new legislation will work to provide an additional layer of protection for Ontario citizens.
The main objective is to put in place comprehensive, up-to-date and robust rules that will protect privacy rights and increase confidence in digital services. This will provide Ontarians with more access and control over their own privacy when interacting with businesses and organizations by being better informed about how their personal information is used, what they are agreeing to when providing it, the ability to withdraw consent and retrieve their data more easily, and to feel confident that Ontario businesses will uphold their privacy, even with the use of new technologies and digital business models.
As we are currently working toward launching the Transparency Consent Framework here in Canada, a framework to aid in privacy compliance across all jurisdictions, it is more important than ever that we engage in this consultative process. IAB Canada intends to participate in the online survey, written submission and web conferences that the province is using to seek advice on ways to:
- Increase transparency for individuals, providing Ontarians with more detail about how their information is being used by businesses and organizations.
- Enhance consent provisions allowing individuals to revoke consent at any time and adopting an “opt-in” model for secondary uses of their information.
- Introduce a right for individuals to request information related to them be deleted, subject to limitations (this is otherwise known as “right to erasure” or “the right to be forgotten”).
- Introduce a right for individuals to obtain their data in a standard and portable digital format, giving them greater freedom to change service providers without losing their data (this is known as “data portability”).
- Increase enforcement powers for the Information and Privacy Commissioner to ensure businesses comply with the law, including giving the commissioner the ability to impose penalties.
- Introduce requirements for data that has been de-identified and derived from personal information to provide clarity of applicability of privacy protections.
- Expand the scope and application of the law to include non-commercial organizations, including not-for-profits, charities, trade unions and political parties.
- Create a legislative framework to enable the establishment of data trusts for privacy