By Patricia Kosseim
In response to Trevor Neiman’s op-ed from last week, I thought it necessary to dispel some of the myths about an Ontario private-sector privacy law.
As Neiman points out, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) is showing its age, and its proposed replacement, Bill C-11, the Digital Charter Implementation Act, 2020, is now certain to die on the order paper with Sunday’s announcement of a September federal election. But no matter what legislative reform (if any) is re-introduced by the next federal government, it will never be good enough for Ontarians.
The op-ed suggests that an Ontario private-sector privacy law would create “regulatory gaps” for consumers. In fact, a provincial law would actually fill significant regulatory holes that currently exist. Provincially regulated employers are completely beyond the constitutional reach of the federal government. So too are unions, charitable organizations, political parties and professional associations that collectively hold tons of personal information about us. Without a comprehensive private sector law of our own, literally millions of Ontarians are continually being exposed to privacy and security risks without recourse, eating away at the public trust and confidence needed to sustain our increasingly data-driven economy. Knowing this, why would the country’s largest province leave anyone behind?
The op-ed also raises exaggerated fears of “duplication, overlap and confusion.” Based on notions of cooperative federalism, PIPEDA explicitly recognizes provinces’ legislative power to regulate the collection, use and disclosure of personal information within their respective borders. If a province chooses to adopt a substantially similar provincial law — as Quebec, British Columbia and Alberta — have already done, businesses conducting commercial activity within that province are exempted from PIPEDA and have only to comply with the provincial law in question.
Even in the case of businesses that engage in commercial activity across borders, the concept of “substantially similar” ensures harmonization and interoperability between jurisdictions. Existing arrangements between Canadian privacy authorities allow for cooperative enforcement measures that provide enhanced protection for their residents, greater predictability and certainty for businesses, and reduced regulatory burden overall.
A provincial approach to privacy that is aligned with our unique values, realities, and culture is the way forward for Ontario. The opportunity is now for a privacy regime that enables responsible innovation, supports the post-pandemic economic recovery, and provides Ontario’s businesses — particularly small and medium-sized enterprises — with the compliance support they need to continue to grow and prosper.
It’s a critical time to be leading a new privacy legislative initiative in Ontario and my office plans to file a public submission in response to the government’s consultation on this issue. If a new law is passed, our priority will be to develop the foundational building blocks and oversight mechanisms for this new law in a manner that supports both consumers and businesses, in harmony with our unique circumstances and economic reality.
Patricia Kosseim is the Information and Privacy Commissioner of Ontario.