Last Updated on September 4, 2020
Given the recent Coronavirus pandemic, everything has started to move to the digital world, and we’re finding ourselves reliant on policies that aren’t ready to handle this new weight.
A perfect example is the federal Personal Information Protection and Electronic Documents Act or PIPEDA for short. It governs how digital information and other forms of private documentation are handled in the workplace. Unfortunately, the issue is that there are very wide gaps within this law, not only when it comes to individual protections, but also for the industries covered.
Currently PIPEDA only really covers workplaces that are federally regulated, places such as banks, airlines, or hospitals. It similarly only falls into effect when a province lacks any security laws that apply to the private sector. In fact, there are only three provinces that currently do have private sector security law: Alberta, B.C., and Quebec. You may notice that Ontario is not within that list.
New Privacy Law Explained and Discussed
To that end, the Ministry of Government and Consumer Services has recently issued a discussion paper on the implementation of a new private sector law specifically dealing with privacy for Ontario.
The hope is to fill the gap left by PIPEDA without requiring a multitude of specific laws, or another federal regulation. The invitation is extended so that ideally Ontarians can be part of the discourse and provide their own input and opinions on this proposed law.
To give you a summation of what is included in the discussion paper (although you should certainly read it yourself), it is broken up into three sections. The first section is just a preamble and introduces the invitation to Ontarians, with the other two sections discussing things more at length.
Section 2 looks at what Ontario privacy looks like currently, including PIPEDA, and identifies seven areas that could be improved:
- Transparency for how corporations use individuals’ details.
- Bolstering consent, including ‘opt-in’ models.
- Allowing for deletion or de-indexation of information.
- Increasing data portability for individuals when it comes to their information.
- Expanding oversight, compliance, and enforcement powers for the Information and Privacy Commissioner (IPC).
- Clarifying the applicability of privacy protection for de-identified and derived information.
- Allowing for the scope and applications of privacy laws.
Overall, we like what we’re seeing in section 2; not only does it cover some of the most important deficits of PIPEDA, it also looks at privacy in the future. This is especially the case when it comes to things such as oversight, scope, and transparency, all three of which need to be seriously looked at before any specific laws are implemented.
Moving on to section 3, this one gives more specific examples of the sort of reforms they are looking for. These cover seven points and primarily follow the areas discussed in section 2:
- Increased Consent & Transparency: This essentially gives individuals the right to withdraw consent from having their data or any information recorded. It also makes it incumbent on corporations to be clear about how and when they collect any information on their users. There is also an additional portion that adds an ‘opt-in’ model for the use of secondary information that’s been collected.
- Data Erasure: Otherwise known as “the right to be forgotten”, being able to erase your data from the servers of a company is incredibly important when it comes to keeping on top of your privacy. That being said, it would not give a carte blanche to delete all information, especially when that information is required for legal purposes (think “know your client” laws).
- Data Portability: This part covers your right as a consumer to move your data between providers or companies. At its core, it allows you to ‘vote with your feet’: when the service you are being provided is substandard, you can choose to go to another provider. Having data portability means that a company cannot hold you and your data hostage.
- Oversight, Enforcement, and Fines: This is self-explanatory, but essentially discusses how any new law should be applied. Preference is given to education and proactive application, especially with companies volunteering. If not, they discuss fines similar to those in Europe, where they can be either €20 million or 4% of a company’s annual revenue. Quite steep, honestly.
- Application to Non-commercial Organizations: Current regulations, such as PIPEDA, only apply to for-profit organizations. This would extend the laws to cover not-for-profit entities as well, such as charities, trade unions, etc. Essentially, broadening the scope of who and when privacy laws would apply.
- Deidentified Personal Information, Data Derived from Personal Information: De-identified data is essentially data that has been derived from non-direct ways, or that has had personal identifying information removed in some sense. Right now, there are no laws or regulations governing how companies may use this information, even if it’s to ‘re-identify’ somebody. The proposal here is to apply a set of rules to this type of information.
- Enabling Data-sharing for Innovation, while Protecting Privacy: One thing that we don’t want to see happening is the stifling of innovation because of a lack of data sharing. This could be something like sharing medical histories with analysis databases to possibly find patterns for disease and therefore make diagnosis easier. By allowing some government-mandated ‘data trusts’, we can still share that information without individuals feeling like their privacy has been violated.
All things told, this is a great step when it comes to expanding protections of citizens and their privacy. Not only that, but this will ultimately bring Ontario closer to similar regulations in other places, such as the GDPR in Europe, or CCPA in California. Ultimately this lets Ontarian companies and organizations expand into these markets without the additional hassle of complying with new rulesets.
Either way, we suggest you take part in the public discourse so that you can have your voice heard. You can also fill out a survey on the matter which needs to be done by October 1st.
Hi, I’m Ludovic. I created this site as a consumer resource to help fellow Canadians better understand the changing world of cybersecurity. Before creating this resource I saw two fundamental problems with the B2B consumer privacy industry. First, education – the majority of people don’t realize the importance of their own data. Second, nefarious marketing practices – there is a wide array of self-proclaimed security solutions that are doing nothing other than brokering user data without consent.