In May, the Government of Ontario tabled Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (the "Bill"), which introduces the Enhancing Digital Security and Trust Act ("EDST") and significantly reforms the Freedom of Information and Protection of Privacy Act ("FIPPA") and the Municipal Freedom of Information and Protection of Privacy Act ("MFIPPA"). While much of the legislation is mostly left to yet-to-be released regulations, this blog post highlights the key impacts the Bill would have, if passed, on the Ontario government and its prescribed entities' management of cybersecurity, artificial intelligence, and personal information protection.
The Enhancing Digital Security Act
In its first schedule, the Bill addresses artificial intelligence ("AI"), cybersecurity, and technology affecting minors. The EDST applies to public sector entities within the meaning of FIPPA and MFIPPA, children's aid societies and school boards.
Responsible AI
It seems the Ontario government has taken heed of the Information and Privacy Commissioner of Ontario's (the "IPC") repeated calls to action (see its 2022 Annual Report to the Commissioner's blog from earlier this year) which urged the Ontario Government to implement a framework and effective guardrails to govern the use of AI in the public sector.
It is noteworthy that the scope of this section of the EDST is potentially narrower than the rest of the Bill, as it only applies to the entities if they use – or intend to – AI in prescribed circumstances, which have yet to be determined by regulations.
Unlike the Working for Workers Four Act (2024), a recent Ontarian labour law that requires employers to disclose the use of AI in the hiring process, and which delegates the definition of AI to regulations, the EDST has settled on a legal definition. It defines AI systems as:
"a machine-based system that, for explicit or implicit objectives, infers from the input it receives in order to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments, and such other systems as may be prescribed".
Ontario thus joins the EU AI Act and a proposed amendment to the federal Artificial Intelligence and Data Act ("AIDA") in adopting the OECD definition of AI systems, more than likely with a view to harmonization.
The EDST also provides that the AI system definition includes the use of a system that is publicly available, developed or procured by the public sector or that is developed by a third party on behalf of the public sector. The latter provision means the definition even covers general-purpose AI that is integrated within software used by government employees, making it truly all-encompassing.
The EDST creates many requirements for the use of AI systems that will fall under the prescribed circumstances, but their specificities all depend on yet-to-be released regulations. In doing so, the EDST follows in the much-criticized path of the federal AIDA by deferring key requirements for AI systems to regulations rather than adopting a hub and spoke model that uses existing regulatory agencies and tools.
What we know as of now is that, in accordance with details to be fleshed out in regulations, the use of AI systems are intended to trigger the following obligations for public sector entities:
- An obligation to inform the public about the use of AI;
- An obligation to develop and implement an accountability framework;
- An obligation to manage risk associated with the use of AI; and
- An obligation to provide certain human oversight.
The EDST reserves the right for the government to prohibit certain types of use of AI, the wording of which seems to indicate that no type of AI (e.g. generative AI or facial-recognition technology) will be completely prohibited. However, allowing their uses in certain scenarios would allow the government to maintain a flexible approach in mirroring the risks of harm for each individual use.
The legislative scheme creates significant regulatory powers for the government, but, notably, it does not account for a complaint mechanism for the public if they encounter concerns with the use of an AI system by the public sector, nor are any remedies included or mentioned in the scheme To the contrary, the EDST creates requirements to comply but rules out the establishment of a private law duty of care and specifically provides that a failure to comply with the EDST or its regulations or directives has no impact on the validity of any other policy, Act, regulation, instrument or decision. Additionally, conflict resolution clauses render the EDST subordinate even to regulations promulgated under other Acts. These clauses suggest that the law is, at least at second reading, more aspirational than real.
Technology Affecting Individuals under the Age of 18
The EDST also enables the government to make regulations regarding prescribed "digital information relating to individuals under 18" – but does not yet define digital information. Without a clear definition of what "prescribed digital information" covers, we can only assume it will serve as a subset of personal information. The EDST applies to "public sector entities within the meaning of FIPPA and MFIPPA, children's aid societies and school boards". As most school boards are already governed by MFIPPA (with the exception of private schools), the EDST runs the risk of creating a parallel (but similar) regime to MFIPPA and FIPPA for the vast majority of the entities it applies to. In any case, the EDST stipulates that, should a conflict of laws occur, the other law would prevail (i.e. FIPPA, MFIPPA, or even the Child, Youth and Family Services Act regarding children aid societies).
The EDST notably adds a reporting requirement for the Minister in the case of a breach, as well as the possibility to prohibit certain collection, use and disclosure of certain digital information, in certain activities in certain circumstances, all prescribed by forthcoming regulations, which will – once again – determine the actual impact of the provisions.
Cybersecurity
The first part of the ESDA creates a framework for cybersecurity obligations. It provides that the government can make regulations requiring entities to implement cybersecurity programs, which may have to include elements such as response, recovery and oversight measures, reporting timelines as well as specific roles and responsibilities for certain individuals – which will be discussed in respective regulations. The legislation also provides that the Minister can set cyber security technical standards by regulations as well as incident reporting requirements – which differ from a privacy breach reporting requirement and is most likely to be triggered by a cyberattack. Once again, the legislation heavily relies on regulation, which is contingent on the technical and rapidly evolving nature of cybersecurity.
In some ways, it appears that this part of the EDST is inspired the federal government's Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts ("Bill C-26"), which is now in third reading. However, while Bill C-26 delegates operational decisions to specialized regulators who are already familiar with the vital services and systems they already oversee, the first part of the EDST delegates powers to Cabinet, a political body with no particular expertise over cybersecurity.
To view the original article click here
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.