Privacy Law Update
Jun 2021 Charity & NFP Law Update
Published on June 24, 2021
Ontario Gov’t Publishes Paper, Hosts Public Consultations for Privacy Law ReformOntario’s Ministry of Government and Consumer Services (MCGS) wants to improve privacy law in the province and provide better legislative coverage to charities and not-for-profits. In a White Paper, published on June 17, 2021, titled “Modernizing Privacy: Empowering Ontarians and Enabling the Digital Economy”, the provincial government describes its vision to “make Ontario the world’s most advanced digital jurisdiction” (the “Paper”). The Paper notes “several points of weakness” in the federal Bill C-11, Digital Charter Implementation Act, 2020, introduced into the House of Commons on November 17, although it has yet to pass first reading. Bill C-11 would replace the current federal privacy regime under the Personal Information Protection and Electronic Documents Act (PIPEDA). Coinciding with the White Paper’s publication the province announced a Public Consultation on Modernizing Privacy in Ontario, from June 17 to August 3 (the “Public Consultation”). While accepting that Bill C-11 “includes some welcomed new developments”, the Paper criticizes how the federal bill’s “consent framework could allow organizations to collect and use citizens’ data for commercial interests without their knowledge; it does not provide special protections for children and youth; and its digital rights do not go far enough to protect individuals from new risks such as surveillance.” After considering feedback from a 2020 privacy consultation, the Paper states the provincial government’s commitment to a “fundamental right to privacy for Ontarians”. This would involve introducing additional safeguards for artificial intelligence, “dedicated protections for children, update consent rules to reflect the modern data economy, promote responsible innovation and correct the systemic power imbalances that have emerged between individuals and organizations that collect and use their data.” The Paper discusses seven thematic areas for privacy legislation reform in Ontario:
According to the Paper, there are significant gaps in the federal privacy regime, which is limited to commercial activities. Many private sector organizations, including charities, unions, associations and other non-profits, would not be covered under the proposed Bill C-11, “despite the collection and use of Ontarians’ personal information by these organizations,” the Paper states. The province is considering expanding the scope of privacy requirements under each of the seven themes discussed in the Paper, “to include non-commercial organizations, ensuring that Ontarians’ personal information receives adequate coverage and protection in every aspect of life.” The webpage for the Public Consultation states “MCGS is seeking feedback from organizations, impacted stakeholders and the general public on these proposals for improving privacy protections in Ontario.” A public information webpage on the Ontario government website: “Strengthening privacy protection in Ontario” offers a summary of the Paper’s proposed legislative reforms and themes for public feedback. Privacy Commissioners of Canada Comment on Vaccine Passports in Joint StatementVaccine passports are “an encroachment on civil liberties that should be taken only after careful consideration”, according to a statement from Canada’s Privacy Commissioners. The Office of the Privacy Commissioner of Canada published the “Joint Statement by Federal, Provincial and Territorial Privacy Commissioners” on May 19, 2021, titled Privacy and COVID-19 Vaccine Passports (the “Joint Statement”). In response to some “governments and businesses” considering vaccine passports “as a means of allowing a return to something more closely resembling normal life” amidst the COVID-19 pandemic, the Joint Statement was issued “in an effort to ensure that privacy is considered at the earliest opportunity as part of any discussions about vaccine passport development.” The Joint Statement describes vaccine passports as a verified means of proving that an individual has been vaccinated, and may take different forms, “such as a digital certificate presented on a smart phone app or a paper certificate”. Their use is justified based on the idea that individuals who have been vaccinated are at a “significantly decreased risk” of becoming infected or infecting others, according to the Joint Statement, and may provide a “substantial public health benefit.” However, the vaccine passport “presumes that individuals will be required or requested to disclose personal health information– their vaccine/immunity status – in exchange for goods, services and/or access to certain premises or locations” and raises a number of privacy considerations. The Joint Statements states that vaccine passports must comply with applicable privacy laws, incorporate “privacy best practices” and “the necessity, effectiveness and proportionality of vaccine passports must be established for each specific context in which they will be used.” The Joint Statement describes these three criteria: Necessity: vaccine passports must be necessary to achieve each intended public health purpose. Their necessity must be evidence-based and there must be no other less privacy-intrusive measures available and equally effective in achieving the specified purposes. Effectiveness: vaccine passports must be likely to be effective at achieving each of their defined purposes at the outset and must continue to be effective throughout their lifecycle. Proportionality: the privacy risks associated with vaccine passports must be proportionate to each of the public health purposes they are intended to address. Data minimization should be applied so that the least amount of personal health information is collected, used or disclosed. These criteria must be continually monitored, the Joint Statement notes, and vaccine passports must be decommissioned if, “at any time, it is determined that they are not a necessary, effective or proportionate response to address their public health purposes.” The Joint Statement provides that organizations using vaccine passports should limit the collection, use, disclosure and retention of personal health information to that which is necessary for the purpose, and the active tracking or logging of an individual’s activities should not be permitted. Additional consideration must be given to other privacy principles such as transparency, accountability, safeguards, independent oversight as well as limiting the time and scope for the use of information obtained by vaccine passports. Charitable and not-for-profit organizations considering utilizing vaccine passports are encouraged to read the full statement. Regulators Issue Joint Resolution on Privacy and Access to Information During PandemicCanada’s Information and Privacy regulators called on the federal and provincial governments to show leadership by implementing 11 access to information and privacy principles. The 11 principles were adopted as part of a joint resolution published June 2, 2021 by the federal, provincial and territorial information and privacy commissioners and ombudsman (the “Joint Resolution”). In the Joint Resolution, “regulators took note of the serious impact of the COVID-19 pandemic” on Canadians’ quasi-constitutional privacy rights as well as the right of access to information. The global pandemic accelerated concerning trends, already ongoing prior to March 2020, about “increasing surveillance by public bodies and private corporations and the slowing down of processing access requests,” according to the Joint Resolution. The COVID-19 pandemic also “highlighted the need to modernize the access to information system by leveraging technology and innovation to advance transparency.” The 11 principles are divided into two categories. “In terms of Access” sets out five access- related principles, including calling for federal provincial and territorial institutions to recognize the importance of transparency and ensuring that business continuity plans include measures for processing access requests during emergencies, providing clear guidance on information management, and emphasizing proactive and voluntary disclosure of government information. Six privacy-related principles are set out “In terms of Privacy”, including calling for a recognition of the “fundamental nature of the right to privacy” to address “digital transformation”, not using privacy laws as a barrier to appropriate collection use and sharing of information but rather, ensuring responsible data use that “supports public health and promotes trust in our healthcare system”, incorporating “privacy by design” to ensure transparency and accountability in the collection and disclosure of personal information for emergency measures, restricting measures that allow collection, use and disclosure of personal information without consent in emergencies to those that are evidence-based, necessary, not overbroad and time limited, destruction of personal information records collected during an emergency after the crisis ends, and respect for the “principles of data minimization and use limitation”. The full Joint Resolution is available on the website of the Information and Privacy Commissioner of Ontario. |