There has never been a more pressing time to prioritize improving our privacy law. In just a matter of weeks, COVID-19 pushed entire communities online, making things like telehealth, teleworking, and virtual learning household names and propelling recent digital trends years into the future. Among other things, the pandemic has prompted the adoption of new digital tools in all areas of our lives — for our business meetings, social gatherings, doctors’ visits, etc. — all of which have clear privacy implications. It is in this context that the Information and Communications Technology Council welcomes the Government of Ontario’s consultation on privacy law.
Currently, public sector activity in Ontario is governed by the Ontario Freedom of Information and Privacy Act (FIPPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). Healthcare activity is governed by the Personal Health Information Protection Act (PHIPA), while private sector activity falls under the scope of Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
Non-commercial activity by non-profits and charities in Ontario is not covered, nor are unions or provincial political parties. Expanding the scope and application of the legislative framework beyond the private sector and commercial organizations is a welcome goal; however, it will be important to stay mindful of the varied needs and abilities of the different types of organizations involved. A tiered system where the regulatory requirements and penalties are based on the resources and abilities of different types of organizations could help address these challenges.
Additionally, as the Ontario government considers whether to establish its own provincial privacy legislation to replace PIPEDA, and establish new provincial rules governing things like the right to erasure and competition and data portability, it will be important to maintain clear and effective coordination between the relevant parties. Clear and effective coordination between the federal and provincial governments and between the relevant privacy and commissioners, for example, can prevent conflicting or overlapping regulation, which should be avoided.
Finally, on the more specific questions and proposals, ICTC notes the following:
- For individuals to be able to make the complex assessments required to opt in to secondary uses of their information, they need to be privacy literate. Emphasis must be placed on ensuring that individuals fully understand their rights and that companies understand their obligations (the same can be said for any changes to those rights and obligations that stem from privacy reform).
- Increased transparency on the part of organizations is needed to provide individuals more detailed, clear, and consistent information with respect to how their data is being used. For example, individuals should know when their personal information is crossing international borders and when their information is being used for AI and automated decision making.
- Policy and regulation are only as effective as their enforcement strategies. In contexts where other things like time, money, or engagement metrics are the top priority, optional and/or poorly enforced policy and regulation is easily set aside.
- Enforceable penalties must also be significant enough to act as a deterrent against non-compliance with the law. When penalties are not significant enough, some organizations may wilfully ignore compliance with the law, managing symbolic sanctions as a cost of doing business.