Privacy Law Update
Sept 2021 Charity & NFP Law Update
Published on September 29, 2021

By Martin U. Wissmath and Adriel N. Clayton


Ontario’s Privacy Commissioner Praises Ontario Government Vision for Enhancing Privacy Rights

The Office of the Information and Privacy Commissioner of Ontario (“IPCO”) is urging the provincial government to “press forward with its plans of enhancing Ontarians’ privacy rights” despite a federal privacy bill dying on the order paper due to the calling of the federal election. Dated September 2021, the IPCO published a 41-page commentary “on the Ontario Government’s White Paper on Modernizing Privacy in Ontario” (the “Commentary”). The Ministry of Government and Consumer Services published the White Paper on June 17, 2021 (the “White Paper”), announcing a vision to “make Ontario the world’s most advanced digital jurisdiction.” The White Paper noted “several points of weakness” in the federal Bill C-11, Digital Charter Implementation Act, 2020, which is now dead on the order paper after the federal election ended the 43rd Parliament. The Commentary commends the White Paper as a “critical step in the journey of building a modern, privacy protective environment in Ontario that will give the public the confidence it needs to embrace innovation rather than shy away from it.” Whether or not the same federal bill will be reintroduced, or a modified version, the Commentary notes, it is “incumbent upon the Government of Ontario” to forge ahead with “concrete provisions consistent with the principles-based, fair, well-balanced, pragmatic, flexible and proportionate approach” for provincial privacy law.

According to the Commentary, Ontarians’ privacy rights would be better protected with provincial legislation that is “substantially similar” but “goes beyond the limits” of the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) or the future reform bill which may be introduced to replace Bill C-11. IPCO approved of the White Paper’s proposal for a provincial privacy law that would cover “unions, charitable organizations, and professional associations whose non-commercial activities” have gone unregulated by PIPEDA. A “made-in-Ontario private sector privacy law could offer more comprehensive protections” beyond the reach of federal law “now or in the future,” the Commentary states.

There are “significant volumes of data held by the not-for-profit sector in Ontario” that are “not immune from privacy and security vulnerabilities,” the Commentary states, “yet they remain largely unprotected by federal privacy law, which is constitutionally constrained in this space.” The COVID-19 pandemic has only exacerbated the cyber-security threats to the non-commercial sector. Non-profit organizations “have increasingly moved to remote work, resulting in greater exposure to privacy and security risks,” the Commentary asserts. With fewer resources to support privacy compliance activities, non-profits may be at a greater risk for security or privacy breaches. IPCO describes the example of a charity providing meal services that experienced a breach and took five months to (voluntarily) notify the affected individuals because of the substantial amount of resources that were required from the charity’s small team to assess the breach and respond accordingly. There is currently no privacy law that applies generally to Ontario’s not-for-profit and registered charity organizations “and no regulator has been given responsibility for this sector,” the Commentary points out. A provincial private sector privacy law would provide IPCO with an expanded mandate to support not-for-profits with advice and education about the challenges, risks and protections involved in privacy and security issues.

Quebec Passes New Privacy Bill Enacts Sweeping Reforms to Modernize Legislation

Quebec’s National Assembly has taken a major step forward in the development of privacy laws in the province with the enactment of amending legislation this month. Bill 64, An Act to modernize legislative provisions as regards the protection of personal information received Royal Assent September 22, 2021 (“Bill 64”). Bill 64 amends 21 pieces of existing legislation in Quebec including the Act respecting Access to documents held by public bodies and the Protection of personal information, the Financial Administration Act, Tax Administration Act, Health Insurance Act, the Act to establish a legal framework for information technology, the Election Act, the Act respecting the protection of personal information in the private sector, and the Act respecting health services and social services for Cree Native persons, among others.

Bill 64’s “Explanatory Notes” detail the effect of the new legislation, which “modernizes the framework applicable to the protection of personal information” in the various amended Acts. Among the amendments are updates to the rules “governing the use of personal information for commercial or philanthropic prospection purposes.” New provisions require public bodies and private enterprises to publish governance rules regarding personal information. Additionally, those that collect personal information through technological means must publish and share a confidentiality policy. There are requirements to conduct assessments of privacy-related factors for “information system” or “electronic service delivery” projects that involve the collection, use, release, keeping or destruction of personal information. Express and informed consent rules govern the collection of personal information, and private enterprises must create “the function of person in charge of the protection of personal information.” Technological products or services used to collect personal information must “provide the highest level of confidentiality by default, without any intervention by the person concerned.” Bill 64 also raises the amount of fines for contravention of the law, and provides for the imposition of monetary administrative penalties.

Canada’s Privacy Commissioner Meets with G7 to Discuss Global Data Protection Challenges

Artificial intelligence in line with data protection, pandemic-driven tech innovation and cross-border data flows are a few of the topics addressed during a roundtable discussion that the Office of the Privacy Commissioner of Canada (“OPC”) attended with G7 data protection and privacy authorities (the “Roundtable”). The OPC published an Announcement and Communique: “Data Free Flow with Trust” summarizing the topics of the Roundtable, which included guests from the Organisation for Economic Cooperation and Development and the World Economic Forum, held September 7–8, 2021.

According to the summary of topics in the Communique, data protection and privacy authorities “should constructively influence the developments of AI systems and create a framework that safeguards human rights, democracy, the common good, and individual freedoms while creating room for innovation and progress.” Regulators like the OPC must ensure that privacy rights are not violated by AI as technology progresses. Measures that governments have undertaken in response to the COVID-19 pandemic have “put stress on many of the fundamental rights and freedoms that are [the] cornerstone of modern democracies, including the right to respect for private life.” The Roundtable called for the development of a framework for “cross-border transfer of personal data,” which “presents a challenge to data protection and privacy enforcement authorities.” The extent of internet tracking technologies, such as “cookies” should be reduced, according to the Roundtable summary, and “users should have the choice of not being tracked at all.”


Read the September 2021 Charity & NFP Law Update