In Canada, the federal Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5, as amended) (“PIPEDA“) applies to the collection, use or disclosure of personal information in the course of commercial activities. A commercial activity is defined as, essentially, any transaction, act or conduct that has a “commercial character.” To the extent that organizations engage in the sale of goods or services, or otherwise engage in commercial activities, any personal information collected, used or disclosed in the context of that activity will generally be subject to PIPEDA.
PIPEDA also applies to all interprovincial and international transactions conducted by organizations subject to PIPEDA in the course of their commercial activities. Additionally, PIPEDA applies to federally regulated organizations (called “federal works, undertakings or businesses”). These include banks, transportation companies, and telecommunications providers and resellers.
In provinces where a law has been passed that is substantially similar to PIPEDA, organizations and their collection, use, or disclosure activities within the province that are covered by the provincial law are exempted from the application of PIPEDA. Provincial private sector privacy legislation has been deemed substantially similar to PIPEDA in British Columbia, Alberta, Quebec, and, in relation to personal health information, Ontario, New Brunswick and Newfoundland and Labrador.
To the surprise of many Canadians, a member of the province of Ontario’s Legislative Assembly introduced a private members’ bill on March 21, 2018 titled the “Personal Information Protection Act” (“Bill 14“), and, on March 22, 2018, Bill 14 passed second reading and was referred to the Standing Committee on Justice Policy.
Bill 14 is similar to other privacy regimes in Canada, including the regime established under PIPEDA. If Bill 14 were to become law in the province of Ontario, it is anticipated that efforts would be made to have the new law declared (deemed) substantially similar to PIPEDA, and the new law would govern the collection, use and disclosure of personal information in the private sector in Ontario.
The Information and Privacy Commissioner of Ontario (“IPC/O“) would be responsible for enforcing the new law Under the new law, the IPC/O would have the authority to make orders against provincially-regulated private sector organizations. In addition, the IPC/O could conduct investigations, audits and inquiries concerning the private sector’s collection, use and disclosure of personal information.
Obstructing the work of the IPC/O, misleading or knowingly providing false information to the IPC/O, and/or not complying with an order made by the IPC/O could result in a fine of not more than $10,000 per offence for individuals and a fine of not more than $100,000 per offence for persons who are not individuals.
If Bill 14 becomes law, provincially-regulated private sector organizations in Ontario would be required to comply with new requirements applicable to employee personal information. This would be a new requirement for these private sector organizations because PIPEDA does not apply to employee personal information collected, used or disclosed by provincially-regulated private sectors organizations in Ontario.
Under Bill 14, “employee personal information” is being defined to mean “personal information about an individual that is collected, used or disclosed solely for the purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual, but does not include personal information that is not about an individual’s employment.“
New security breach notification requirements under PIPEDA are coming into force later this year, and Ontario’s Personal Health Information Protection Act, 2004 contains breach notification obligations.
Interestingly, Bill 14 does not contain any breach notification requirements. In this current era of regular data breaches, and an increased expectation by the public that they will be notified in the event unlawful access to, or collection, use or disclosure of, their personal information takes place, it is very surprising that Bill 14 does not impose breach notification obligations on provincially-regulated private sector organizations.
In order for Bill 14 to become law, it will have to overcome some significant hurdles.
First, under Ontario law, as well as the federal Constitution Act, 1867, a private members’ bill may not impose a tax or specifically direct the allocation of public funds. The establishment of a new privacy law regime for provincially-regulated private sector organizations, which will be overseen by the IPC/O, will require the allocation of public funds because the IPC/O will require resources to enforce the new law. It is unclear how the member of Ontario’s Legislative Assembly who introduced Bill 14 envisions that his Bill will overcome this obstacle.
If Bill 14 can overcome the allocation of public funds issue, it will have to be enacted by mid-May.
On June 7, 2018, Ontarians will be electing a new provincial government. Bill 14 must be enacted before the Government prorogues the Legislature next month in advance of the June 7th provincial election or else the Bill will die on the Order Paper, and it will need to be re-introduced once a new government is formed.
The Standing Committee on Justice Policy, which is now tasked with reviewing Bill 14, has not scheduled any hearing dates for Bill 14, and a request for public comments has not yet been issued.
It is noteworthy that the IPC/O has not issued any public statements regarding Bill 14.
With the Writs of Election being expected to drop by no later than 28 days before June 7th, the clock is ticking on Bill 14.