On June 17, Ontario released a consultation paper describing a newly proposed consumer privacy law. While the intention is to strengthen consumer protection, the legislation — should it go ahead — would in fact put consumers at risk.
Ontario, like most provinces, does not currently have its own consumer privacy legislation. Instead, organizations engaged in commercial activities are subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
Enacted prior to the advent of smartphones, social media, and e-commerce, PIPEDA is showing its age. PIPEDA contains weaker enforcement measures and offers fewer consumer protections compared to the consumer privacy laws of Canada’s major trading partners.
That’s why the federal government introduced Bill C-11, the Digital Charter Implementation Act, 2020. The bill isn’t perfect, but overall it represents a smart and responsible approach to privacy regulation. It strikes an appropriate balance between market forces and regulation, aligns with the policies adopted by our international peers, and would enable the private sector to innovate in ways that benefit both consumers and society.
Unfortunately, Bill C-11 will die on the order paper if, as expected, Prime Minister Justin Trudeau calls a general election and Parliament is dissolved.
In the absence of timely federal reform, Ontario looks ready to proceed with its own privacy legislation — hence the recent consultation paper.
To be sure, the intent behind Ontario’s proposed law is laudable. The province will not develop a healthy and innovative data-driven economy without a solid foundation of consumer trust.
The problem is that the enactment of provincial privacy rules alongside federal legislation would result in duplication, overlap and confusion. Organizations could be regulated provincially, federally, or by both orders of government simultaneously.
A patchwork of privacy rules would be a regulatory nightmare for consumers. To assert their privacy rights, consumers would be required to familiarize themselves with not one, but two distinct privacy regimes. Differences between these regimes could put Ontarians’ privacy, financial security, and even personal safety at risk by creating regulatory gaps for malicious actors to exploit.
To make matters worse, consumers would be required to bring many privacy complaints to two different regulators: one in Toronto, the other in Ottawa. This disjointed oversight and enforcement regime could weaken consumer protection by making it harder to obtain relief.
Ontarians deserve better. They need a consistent set of rules so that they can understand exactly how their privacy is protected no matter who they deal with.
To this end, Ontario should refocus its efforts on advancing federal privacy reform. By pushing the federal government to make PIPEDA reform a legislative priority once Parliament is back in session, the province could avoid the pitfalls of overlapping legislation while ensuring that consumers are protected by a modern and comprehensive privacy framework.
Trevor Neiman is director of digital data and skills and legal counsel for the Business Council of Canada.