Strengthening Ontario’s Privacy and Data Protection Laws

On May 13, 2024, the Government of Ontario introduced Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024, which, if passed, would see the enactment of the Enhancing Digital Security and Trust Act, 2024 (the “EDSTA”) as well as amend Ontario’s (arguably antiquated) public sector law governing privacy, namely the Freedom of Information and Protection of Privacy Act (“FIPPA”).

The proposed legislation would see a significant modernization of Ontario’s public sector privacy laws to bring them more in line with other Canadian jurisdictions.  

Introduction of EDSTA

The new EDSTA is aimed at provincial and municipal sectors in Ontario, including hospitals, colleges, universities, school boards, school authorities and children’s aid societies, and touches upon three key areas across the sector: (i) regulating cybersecurity programs; (ii) establishing a framework for the permissible use of artificial intelligence (“AI”); and (iii) regulating the use of digital technology as it relates to minors.

Regulating Cybersecurity

The EDSTA is a significant development as it would create a statutory obligation on public sector bodies to develop, implement and govern cyber security programs. Such programs may contain components requiring internal allocation of responsibility for cyber security, reporting obligations on the status of cyber security, educational and awareness obligations, incident response and recovery plans, and oversight measures for the overall implementation of the program.

The law also proposes to provide the Minister of Public and Business Service Delivery with the ability to establish technical standards and issue cyber security directives to regulated entities without notice or consultation.

Use of AI

The EDSTA aims to create a regime in which AI is “used in a responsible, transparent, accountable and secure manner” with AI being defined as:

A machine-based system that, for explicit or implicit objectives, infers from the input it receives in order to generate outputs such as predictions, content, recommendations or decisions that influence physical or virtual environments

The regime proposed is based on three pillars: (i) transparency in the use of AI by regulated entities; (ii) the development of an accountability framework for the use of AI; and (iii) active management of risks associated with the use of AI.

At present, it appears that the details for what will be required of regulated organizations will be left to future regulations.

Digital Technologies and Minors

Finally, the EDSTA proposes to give the government the authority to enact regulations which will govern how school boards and children’s aid societies may use digital technologies in the collection, use, retention, and disclosure of “prescribed digital information” of persons under the age of 18. School boards and children’s aid societies would be required to file reports on these practices and would prohibit the collection, use and disclosure of “prescribed digital information.”

Once again, the Act contemplates that the specifics of this framework will be set out in regulations. 

Amendments to FIPPA

In addition, Bill 194 also contemplates amendments to FIPPA in a number of key respects.
First, the amendments would impose an obligation for regulated entities to prepare privacy impact assessments (“PIAs”) prior to collecting personal information and such PIAs are compellable on request. 

Additionally, the amendments would introduce a mandatory breach reporting obligation to the Information Privacy Commissioner of Ontario (the “IPC”) for public sector entities for the loss or unauthorized use or disclosure of personal information in the custody or control of the regulated entity where it is reasonable to believe that there is a real risk of harm to the impacted individual as a result. This would bring public sector entities in line with those in British Columbia and Quebec, which already have such obligations.

The IPC would also be given the authority to review the information practices of a regulated entity following a complaint if there was reason to believe the entity was not meeting its obligations. Following an investigation, the IPC would have the power to order the entity to discontinue an information practice, change the practice as directed, return, transfer or destroy personal information collected under the practice, implement a different practice, or recommend improvements to the practice.

Notably, there are no proposed amendments to the Municipal Freedom of Information and Protection of Privacy Act.

Consultation on Bill 194

It is a long road to enacting to Bill 194 into law. At present, the Ontario government is accepting comments on the proposed legislation until June 11, 2024. Whether the legislation is further reformed, or ultimately passed, remains to be seen, but it a clear signal that privacy and data protection issues continue to be on the forefront for Canadian legislatures.