Privacy in Ontario?


MyData Canada Privacy Law Reform Submission

MyData Canada recently submitted a report to the Government of Ontario in response to its consultation for strengthening privacy protections in Ontario. You can download the submission from the MyData Canada site. I am a board member of MyData Global and a member of the MyData Canada hub. This is a brief summary of some of the recommendations in that report.

Part of what MyData Canada would like the province of Ontario to address is the current ‘gatekeeper model’, where each of us cedes control of information about us under terms or privacy policies based on a flawed consent model. As the report puts it,

Behind each of the gate-keepers (“data controllers” in GDPR terms) in the centralized model are thousands of intermediaries and data brokers invisible to the individuals whose data they process. Individuals’ personal data is used in ways they could not anticipate, and often without their awareness or even the opportunity to meaningfully consent.

This needs to be fixed.

Background

Canada has a multi-jurisdictional privacy environment. That means that both levels of government have privacy commissioners and privacy laws. Ontario, Canada’s most populous province, does not have a private sector privacy law. This leaves a number of categories of persons and organizations uncovered; don’t ask why, it’s a constitutional jurisdictional thing. Thus the consultation and submission. MyData Canada believes that,

…our proposed approach will help accelerate the development and uptake of privacy-focused, human-centric innovation and ultimately serve to regain public trust and confidence in the digital economy.

2-Branch Privacy Reform

MyData Canada proposes a two-branch approach to privacy law reform: a harmonization branch and a transformation branch.

  • The harmonization branch proposes an incremental approach to enable any new Ontario law to work harmoniously with other regimes, both in Canada and in the rest of the world. This branch is intended to ensure that Ontario is a low-friction end point for cross-border data flows with other data protection regimes. At the same time, this branch will introduce a regulatory framework with a functional equivalency to the CCPA in the US and to the GDPR in the EU. In essence, this broad framework skates to where the puck will be with respect to global data protection laws.
  • The digital transformation branch proposes to simultaneously create a ‘next-generation’ regulatory space within Ontario. This space will allow Ontario-based companies or organizations to create new forward-looking and individually centred solutions. To continue the metaphor, this branch will allow breakaway solutions that will disrupt the current platform information gatekeepers and return autonomy to individuals.

Harmonize Up

Rather than seeking a lowest common denominator or participating in a race to the bottom, MyData recommends harmonizing ‘up’, including the following:

  1. Adopting a principled and risk based approach to privacy regulation;
  2. Coordinating with other provinces and the federal government, perhaps including a pan-Canadian council of information and privacy commissioners;
  3. Aligning with Convention 108 and 108+;
  4. Increased enforcement powers; and
  5. Implementation support for businesses and organizations for compliance.

Digital Transformation

Create a regulatory environment to reward first movers with privacy enhancing technologies that put people at the centre of their own data. Recommendations include:

  1. Creating a privacy technology incubator;
  2. Host regulatory sandboxes and hackathons;
  3. Grants and other incentives for privacy ‘retrofits’;
  4. Create and support a regime for seals, badges, and privacy trust marks;
  5. Foster interoperability by requiring APIs or similar means to prevent or counter ‘platform dominance’ and network effects; and
  6. Create up-skilling programs for a multi-disciplinary privacy engineering centre of excellence in Ontario.

Summing up

The above is just a summary of the first recommendations of the report. It includes further recommendations on:

  • Taking a comprehensive approach to move beyond compliance;
  • Adopting a Consumer Protection and Human Rights oriented regulatory enforcement model; and
  • Adopting a multi-stakeholder and inclusive model to spur innovation and open data.

If you find this interesting please download and share the report.