On November 25, 2024, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (“Bill 194”) passed Third Reading and received Royal Assent at the Legislative Assembly of Ontario.
Bill 194 (i) enacts the Enhancing Digital Security and Trust Act (“EDSTA”) and (ii) introduces changes to the Freedom of Information and Protection of Privacy Act (“FIPPA”), which together create significant new obligations regarding privacy, cyber security, and the use of artificial intelligence (“AI”) for Ontario’s public sector entities, including provincial and municipal institutions, as well as children’s aid societies and school boards.
Fasken reviewed Bill 194 in detail last August and highlighted the following notable elements:
EDSTA would allow the government, by regulation, to:
- Require public sector entities to develop and implement cyber security programs, and submit reports on cyber security.
- Regulate how public sector entities, identified by regulation, use AI systems.
- Regulate how children’s aid societies and school boards collect, use, retain or disclose digital information relating to individuals under the age of 18.
The amendments to FIPPA would:
- Require institutions to conduct privacy impact assessments before collecting personal information.
- Mandate that public institutions report privacy breaches to the Information and Privacy Commissioner of Ontario and notify affected individuals.
- Increase the Commissioner’s investigative powers with respect to the information practices of public institutions.
- Create a new whistleblowing framework for confidentially reporting contraventions of FIPPA to the Commissioner.
- Expand FIPPA’s offences provisions to include contraventions with respect to the collection and use of personal information, in addition to the disclosure of personal information.
The only significant amendment to Bill 194 since its First Reading was to the definition of “public sector entities,” which now expressly excludes the Legislative Assembly of Ontario from the scope of the legislation.
The provincial government will announce the date on which EDSTA and the amendments to FIPPA will come into force, and will introduce regulations that will contain specific requirements. Similar changes to the Municipal Freedom of Information and Protection of Privacy Act may follow (although no bill has been introduced yet).
With Bill 194’s Royal Assent, public sector entities in Ontario now face very significant new privacy and cyber security obligations, as well as Canada’s first AI-specific regulatory requirements for public institutions. Public institutions should continue to pay close attention to these developments to ensure compliance. Private sector organizations should consider Bill 194 a bellwether and stay informed about potential regulatory changes that may impact how they do business with provincial and municipal institutions.