
Bill 194 to Reform Cybersecurity and Privacy Rights in Ontario’s Public Service

The Province of Ontario is taking steps to address cybersecurity risks and the use of artificial intelligence (“AI”) in the public sector. Bill 194, Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024, was recently introduced in the Ontario legislature with the goal of enhancing transparency in digital public services and establishing robust protections for personal information.

As part of the new bill, the provincial government is seeking to enact the Enhancing Digital Security and Trust Act, 2024 (“EDSTA”) and make amendments to the Freedom of Information and Protection of Privacy Act (“FIPPA”).

New Enhancing Digital Security and Trust Act, 2024

EDSTA sets out a framework to regulate cybersecurity and AI systems within the public sector. The proposed scope of EDSTA includes:

With the implementation of EDSTA, Ontario hopes to strengthen cybersecurity within the province by requiring that public service providers take measures to prevent and respond to cyber threats. The details of EDSTA have yet to be set out, but regulations are anticipated requiring that public sector entities develop and implement robust cybersecurity programs, as well as submit reports related to cybersecurity incidents.

Additionally, EDSTA places a heavy emphasis on the regulation of AI within the public sector. As uses of AI become more prevalent, Ontario will be demanding that public sector entities develop and implement transparency and accountability frameworks for their use of AI and take steps to mitigate any associated risks, including human oversight, when using AI-based programs. EDSTA also sets out the possibility of regulations that prohibit prescribed uses of AI by all mandated entities.

Changes to Freedom of Information and Protection of Privacy Act

The proposed amendments to FIPPA similarly focus on aligning Ontario’s public sector with private sector requirements in the context of an evolving digital landscape. If passed in its current form, institutions governed by FIPPA would be required to report to the regulator and notify individuals upon certain breaches of security safeguards, conduct privacy assessments when collecting personal information, and mitigate the risks of privacy breaches. The amendments also increase the Privacy Commissioner of Ontario’s powers to review information practices of public service entities.

Another Step in Canada’s Broader Cybersecurity Regime

Ontario’s move to regulate the use of personal information and technology comes on the heels of the federal government’s proposed Critical Cyber Systems Protection Act (“CCSPA”). The CCSPA similarly establishes a framework for the protection of critical cybersecurity systems within federally regulated sectors in an effort to establish a more resilient cyber network.

The CCSPA’s scope is notably far-reaching, as it puts supply chain actors and third-party service providers, who themselves are not federally regulated, under the government’s regulation. EDSTA is narrower in its approach, but does include hospitals, universities and most Crown corporations. Nevertheless, CCSPA and EDSTA will have a large impact on the way services are provided to the public in Ontario and Canada more widely.

These pieces of legislation are among the steps that Canada has taken to strengthen its cybersecurity regime. As online threats, both internal and external, continue to have serious impacts on Canadians, a resilient and transparent cyber network, together with a more unified approach to protecting individuals’ privacy, will be critical for a well-functioning society. This means that private sector entities, as well as private entities providing public services, can anticipate more stringent regulations in the future.

The trouble is that many organizations, including public sector entities that are materially responsible for our safety, are trailing behind as technology and risks rapidly advance. This gap prompts organizations to eagerly adopt technologies without understanding their inner workings and the role they play in the organization’s security and privacy rights. The result could be increased risk to the security of the government, the entity (whether public or private sector) and the impacted individuals. It is this outcome that the federal and provincial governments aim to mitigate with the proposed legislation.

The Privacy and Data Security Group and National Security Group at Aird & Berlis LLP are continuously monitoring Canada’s evolving cybersecurity and privacy landscape. Our team is well-equipped to help you prepare for Bill 194 and any emerging threats impacting your organization. If you have any questions, please do not hesitate to contact Paige Backman or any other member of the groups.