Ontario may join the ranks of Alberta, British Columbia and Quebec through the introduction of Bill 14, the Personal Information Protection Act ("PIPA"), which had first reading on March 21, 2018 and passed second reading on March 22, 2018. If PIPA is enacted, Ontario would have its own legislation governing the collection, use and disclosure of personal information in the private sector.
Much of PIPA is similar to the regime set out in Canada's federal private sector law, the Personal Information Protection and Electronic Documents Act ("PIPEDA"). Notable aspects of PIPA include:
Protection of employee personal information – At present, in Ontario, no privacy statute applies to employee personal information that is handled by provincially-regulated private sector employers (for employment purposes). If PIPA passes, most Ontario employers would become subject to new employee privacy requirements. This would require them to review and revise their privacy policies and privacy compliance programs.
Enforcement powers for the Information and Privacy Commissioner of Ontario – At present, the Commissioner has sector-specific order-making powers (e.g., regarding the public sector and the health sector). If PIPA passes, the Commissioner will have new powers to initiate compliance investigations and audits in the private sector, as well as to conduct inquiries and make orders regarding privacy complaints. PIPA would make it an offence to fail to comply with an order of the Commissioner. An individual could be liable to a maximum fine of $10,000 and an organization liable to a maximum fine of $100,000. Once a conviction or order is final (i.e. all routes of appeal are exhausted), the person affected by the conduct would have a cause of action for the actual harm suffered. This approach aligns with the views of the House of Commons Standing Committee on Access to Information, Privacy and Ethics, which recently recommended that PIPEDA be amended to give the Privacy Commissioner of Canada broad audit and enforcement powers.
The absence of breach notification provisions – PIPA contains no breach notification provisions. Breach notification regimes exist under other Canadian privacy laws, notably in Alberta and under provincial health privacy laws. Amendments to PIPEDA that address privacy breach and notification are expected to come into force this year.
PIPA is a private member's bill, introduced on the eve of an election. In prior years, the odds would be against PIPA becoming law. However, with the surge in privacy and data security concerns dominating news coverage and public discussion, PIPA may have greater traction this spring. The lark's on the wing.