I mentioned a few weeks ago that the Ontario government was soliciting feedback on the idea of passing its own private sector privacy law. Here are some of my thoughts on this (I’ll limit myself to five points).

  1. Make sure the law fits nicely with other privacy regimes. The last thing we need is a patchwork of laws that impose different standards and obligations, making it hard and costly to comply. In Europe, they replaced the Directive (which resulted in a patchwork of laws) with the General Data Protection Regulation, partly for this reason. In PIPEDA, the provinces are invited to pass “substantially similar” laws, and to date, there are seven such laws. If you look at them, I think you’d conclude their similarities are only at a high level. Complying with all of them is actually a difficult task. If Ontario gets into the private sector game, I hope it’s done in conjunction with what is happening elsewhere.
  2. Get going with this idea if only for the reason that millions of employees in Ontario don’t have a legislative framework to protect their personal information. This is a glaring hole that needs to be fixed.
  3. Make sure the law does not unnecessarily impose restrictive data localization requirements. There’s already too much uncertainty in Canada about when transborder data flows are allowed and when they aren’t. Please, whatever is done, don’t add to the confusion.
  4. Recognize that consent is important in any law, but the way we constructed it in PIPEDA does not work today. While we ask that consent be meaningful, this is a sham in many instances, and it cannot be the sole basis on which organizations should be able to legitimately process personal information.
  5. Provide meaningful remedies and an enforcement mechanism that does not unduly punish, but at the same time provides an incentive to take privacy seriously. I think we would all agree the PIPEDA model does not work in 2020.

Top of mind for me this week is the bit on data localization. Please remember that in the public sector, only British Columbia and Nova Scotia have legal restrictions (and exceptions). The remaining provinces deal with it, if at all, through policy, and this includes what the federal government must follow.

And, speaking of the federal government, read below for the story of how the Office of the Privacy Commissioner is investigating government institutions that have recently experienced cyberattacks. Ostensibly, the OPC says it is ensuring all Privacy Act obligations were met. My question is, and this goes back to the theme of privacy law reform, what Privacy Act obligations are they referring to? The last time I checked that law, which was written in the 1970s, it was pretty silent on technical safeguards. Just saying.