The Ontario government recently requested feedback on how to improve the province’s privacy protection laws. It is encouraging to see the provincial government undertake efforts to improve the state of privacy law in Ontario, given the increasingly ubiquitous data commodification and surveillance of our behaviours, bodies, online and offline activities, and lives, for both commercial and non-commercial purposes. To that end, the Citizen Lab submitted a brief which included 21 recommendations for legal and policy reform in Ontario, with a view to strengthening the privacy and data protection rights of individuals in the province. In addition to providing a set of overarching principles to guide privacy reform in Ontario, and providing guidance for establishing clear practices that private organizations should adhere to when interacting with collected personal information, we highlighted in our submission three issue areas that should be the subject of focused privacy reform: consumer spyware and stalkerware apps; data exploitation by foreign platform companies; and algorithmic policing technologies.
1. Overarching Principles to Guide Privacy Reform in Ontario
Recommendation 1: The government should adopt a principles-based approach to privacy legislation, in order to ensure that the law may more easily adapt to future technological advances while providing equivalent levels of privacy protection in Ontario regardless of the specific technical nature of such future technologies. This framework should be supplemented by charging the IPC with an educational mandate to help organizations to comply with their privacy law obligations, which may evolve alongside the world’s evolving technological context. Any such framework should be backstopped by a strong enforcement regime to ensure effectiveness, such as providing the IPC with the ability to issue significant AMPs.
Recommendation 2: The government should ensure that there is consistency in how private organizations are expected to protect personal information in their care and that, to accomplish this, organizations be compelled to apply either the public or private sector regulations that would maximally protect the class(es) of personal information in question. Ensuring consistency may, in addition to reforming private sector privacy legislation, also entail updating or supplanting public sector legislation where private sector regulations are found to be more protective. Such reforms will ensure that the privacy protections that apply to private sector treatment of both private sector and public sector data both are more easily complied with and will provide Ontarians with the highest standard available of privacy protection.
Recommendation 3: Transparency reporting templates should be generated in consultation between government, industry, civil society, and academia.
Recommendation 4: Where information has been disclosed to government agencies, organizations should be required to notify individuals of such disclosures unless pressing public interest reasons militate against such notification. Organizations should additionally be compelled to publish annual reports that disclose the frequency of, and rationales for, any disclosures to government agencies, including law enforcement authorities.
Recommendation 5: In reforming its privacy laws, the province should require private organizations to specifically disclose the information that is being collected (i.e., stating precisely what particular information is in fact collected, as opposed to stating that particular information “may” be collected) and for what specific purpose, and with whom that information has been specifically disclosed to and under what terms.
Recommendation 6: The government of Ontario should include all private organizations—including businesses, charities, non-profit organizations, and political parties—in any new privacy or data protection legislation that emerges from its consultations. However, the law must exercise the utmost care to ensure any such regime applied to non-governmental or non-commercial organizations is contextually appropriate and proportionate to the particular purpose and activity of the regulated organization, especially where public interest activities and purposes are concerned.
Recommendation 7: The creation of any statutory remedy in Ontario in the nature of a “right to be forgotten” should ensure that all requests for removal or de-indexing be subject to rigorous constitutional scrutiny—including the principles of minimal impairment and proportionality—by an independent and impartial court or tribunal.
Recommendation 8: The government should carefully review the GDPR and ensure that any legislation that is passed to protect Ontario residents’ personal information and privacy rights are compliant with the GDPR. Compliance with the GDPR will ensure that the legislation will be deemed adequate by the European Union, so as to provide both Ontarians and Europeans with a commensurate high level of data protection.
Recommendation 9: The government of Ontario should ensure that any proposed legislation facilitates a range of remedial avenues for complainants and litigants to seek recourse for breach of their privacy rights. Recourse should be available both on an individual basis and to those seeking systemic redress for unlawful practices that violate the collective privacy rights of a particular defined group or community. This should include robust investigation and enforcement powers provided to the Ontario IPC, sufficient to deter illegal conduct and to encourage the proactive adoption of best practices.
2. Focused Privacy Reform: Consumer Spyware and Stalkerware Apps
Recommendation 10: In enacting new privacy legislation, the Ontario government should make clear that the individual from whom consent is required, in all cases, is the individual whose personal information is being collected, used, or disclosed, whether or not they are termed the “user” or “customer” of a particular app. To comply with this requirement, companies’ privacy policies must explicitly protect and apply to individuals whose data is being collected, used, or disclosed by their product or service—whether or not that individual is considered the official “user” or “customer”—regardless of app purchase, device ownership, or whether or not the individual is the one who paid for or is controlling the surveillance software in question.
Recommendation 11: The Ontario government should follow the reasoning of the Alberta IPC in Re Engel Brubaker, and include in any new privacy legislation explicit affirmation that companies that sell software which can be (re)purposed as stalkerware are subject to PIPEDA, to an equivalent set of obligations, or to any substantially similar legislation. The law must make clear that commercial organizations writ large cannot be exempt from PIPEDA, or from any substantially similar Ontario legislation, for reasons of being used for “personal or domestic purposes”—an exception meant to exclude private individuals, in their capacity of private individuals, alone.
Recommendation 13: The Ontario government should apply a similar approach as PIPEDA applies for the safeguards requirement, to strengthen consent and notice requirements. Effective mechanisms should make it nearly impossible for a tracked, monitored, or recorded individual to remain unaware of what their device is doing. For mobile apps that allow tracking, monitoring, and surveillance of targeted individuals, provided there is a legitimate or legal purpose, meeting the requirement for meaningful consent should necessitate building in technical features such as persistent notifications and just-in-time alerts.
Recommendation 14: The Ontario government should clarify and reaffirm obligations in law that encourage meaningful implementation of data access and deletion policies for all Ontario residents, and notably for individuals subjected to child or employee surveillance apps or other forms of spyware that can be repurposed as stalkerware. Special attention should be given to enacting laws that require such companies to explicitly provide and communicate remedy processes and avenues of recourse to assist victims of illicit surveillance that is used to facilitate intimate partner abuse, violence, and harassment.
Recommendation 15: Spyware and stalkerware apps vendors’ safeguard obligations should include mandatory notification to impacted individuals whenever there has been a data breach. The app vendor must expressly and directly notify all individuals who were being tracked and monitored prior to and at the time of the breach. Notifying the “user” of the app, when interpreted to exclusively encompass the purchaser or perpetrator of the app-driven surveillance, would not suffice to meet this obligation. Should spyware or stalkerware companies fail to engage in reasonable efforts to notify all affected individuals of data breaches, they should be subjected to significant administrative monetary penalties, at a minimum.
3. Focused Privacy Reform: Data Exploitation by Foreign Platforms
Recommendation 16: The Ontario government should grant powers to the IPC which allow it to levy AMPs in cases of user data being used improperly. For example, an AMP should be issued if Ontario residents’ personal information is used for purposes not made clear in a digital platforms’ publicly available terms of service and privacy policies. Where organizations refuse to respond to, or comply with, a data access request the IPC should similarly be empowered to levy AMPs.
Recommendation 17: The government should establish legislation that is more extensive than PIPEDA, with respect to data access rights. Such legislation should compel both Ontarian and non-Ontarian organizations to disclose to individuals, upon request, information concerning both the specific and actual primary and secondary uses of their personal data, as well as copies of the personal data that the organization in question has collected, processed, retained, or disclosed to third parties. The focus on secondary uses would ensure that Ontarian residents have the opportunity to understand how their information may be used or repurposed—even in an anonymized or pseudonymized format—to engage in business operations (e.g., aggregate statistics of how a given product or service is used) as well as more contentious activities (e.g., using Ontario residents’ personal information, including private communications data, to facilitate censorship practices by repressive governments in other countries).
4. Focused Privacy Reform: Algorithmic Policing Technologies
Recommendation 18: The Ontario government should implement privacy legislation that incorporates the best practices from the OPC’s guidance document regarding PIPEDA section 7(3)(d.1) in the context of disclosing personal information without consent to law enforcement authorities.
Recommendation 19: In enacting new legislation, the Ontario government should consult with a range of independent legal, criminal justice, human rights, and racial justice experts, including members of Black and Indigenous communities, to evaluate whether or not current exceptions that permit collection, use, or disclosure of personal information without consent, for law enforcement purposes, are proportionate and necessary in view of the advanced capabilities of algorithmic policing technologies.
Recommendation 20: The Ontario government, in enacting new legislation, should re-evaluate current PIPEDA exceptions that permit collection, use, or disclosure of personal information from public spaces or public sources, including social media and public demonstrations and protests. Any new Ontarian privacy legislation must ensure that any such exemptions are proportionate and necessary, in view of the advanced capabilities of algorithmic surveillance technologies, and relative to human rights at stake such as the right to liberty, equality, and freedom of expression, in addition to the right to privacy.
Recommendation 21: The Ontario government should enact law with contents similar to Articles 13, 14, and 22 of the GDPR, which provides a level of transparency to individuals with respect to how their data is processed, where algorithmic or automated decision-making is involved. Transparency obligations concerning automated decision-making that affects an individual’s legal or similarly significant interests should apply to both commercial vendors and the government itself, particularly in the context of algorithmic policing technologies.