On May 13, 2024, the Government of Ontario tabled Bill 194, also known as the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024.
Bill 194 would change the landscape of privacy and artificial intelligence (AI) in Ontario. If passed into law, Bill 194 would expand the powers of the Information and Privacy Commissioner of Ontario (IPC), establish requirements regarding the use of AI and enhance protection for children’s privacy. These changes would be implemented through amendments to the Freedom of Information and Protection of Privacy Act (FIPPA), Ontario’s public sector privacy law, and enactment of the Enhancing Digital Security and Trust Act, 2024.
Amendments to FIPPA
Bill 194 proposes changes to FIPPA, which would impact provincial public sector institutions such as government ministries, colleges, universities, and designated agencies, boards and commissions. These changes do not extend to municipal public sector institutions. Key changes are set out below:
- Mandatory Breach Notification: Bill 194 requires institutions to report to affected parties and the IPC any breach that meets the threshold of “real risk of significant harm”. This is the same threshold used under Canada’s federal private sector privacy legislation. Additionally, institutions would be required to file an annual report to the IPC regarding the institutions’ yearly breaches. This report captures all breaches, even if they do not meet the threshold of “real risk of significant harm”.
- Safeguards: Bill 194 sets out an explicit requirement for institutions to implement reasonable safeguards to protect personal information from theft, loss and unauthorized use or disclosure, copying, modification or disposal.
- Privacy Impact Assessment: Bill 194 requires institutions to conduct a privacy impact assessment before collecting personal information, unless it is not required by the regulations. Bill 194 sets out a list of items that the assessment must address, including steps taken by the institution to mitigate risks associated with the collection of personal information.
- IPC Powers: Bill 194 allows the IPC to review the information practices of an institution if a complaint has been received and allows the IPC to conduct a review and issue a compliance order resulting from the review. For example, the IPC would have the power to order the institution to discontinue or change its information practices, return or destroy personal information collected, and implement a different information practice.
- Whistleblowing: Bill 194 contains whistleblowing protections that are similar to Canada’s federal private sector privacy legislation.
Proposed Cybersecurity and AI Legislation
Bill 194 seeks to enact new legislation addressing cybersecurity and AI systems in the public sector. This legislation would impact both provincial and municipal public sector institutions, as well as children’s aid societies and school boards. However, the legislation is high level and leaves many specifics to be defined by future regulation and directives.
Below are the key requirements proposed:
- Use of AI systems: The legislation would require public sector entities to provide information to the public about their use of AI systems, develop and implement an accountability framework, and take steps towards risk management. Bill 194 would also allow the government to prohibit the use of certain AI systems based on details set out in future regulation.
- Cybersecurity: The legislation would enable the government to create regulations requiring public sector entities to develop and implement cyber security programs. The government may also set technical standards and issue directives related to cyber security.
- Implications for Minors: The legislation would allow the government to regulate the collection, use, retention, and disclosure of digital information about individuals under the age of 18 by children’s aid societies or school boards.
Moving Forward
The changes introduced by Bill 194 would have a significant impact on public sector institutions in Ontario. If passed, it would require updates to privacy policies, procedures and contracting practices. Although it carries significant implications, Bill 194 leaves many details to be addressed through future regulations and directives, which creates significant short-term uncertainty as to the scope of the impact on public sector institutions and their budgets for technology and cybersecurity.
The Ontario government is currently accepting feedback on Bill 194. The due date for comments is June 11, 2024.