On May 13, 2024, the Ontario Government tabled Bill 194, Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (Bill 194) which, if passed, would enact the Enhancing Digital Security and Trust Act, 2024 (EDSTA) and amend Ontario’s public sector privacy legislation, the Freedom of Information and Protection of Privacy Act (FIPPA).

According to the Ontario Government’s news release, Bill 194 is aimed to provide public sector entities with tools to prevent and respond to cyber-attacks and privacy breaches, improve digital delivery of public services, and build a strong foundation for artificial intelligence (AI) governance.

The draft EDSTA establishes regulatory-making power to impose requirements on public sector entities (i.e., institutions covered under FIPPA and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)). The key requirements include, among other things:

  • developing and implementing cyber security programs with prescribed elements;
  • reporting cyber security incidents in a prescribed form to the Minister of Public and Business Service Delivery (the Minister) or a specified individual; and
  • conforming with prescribed technical standards respecting cyber security.

With respect to the use of AI in prescribed circumstances, the draft EDSTA requires public sector entities to:

  • develop and implement an accountability framework;
  • manage risks associated with the use of an “artificial intelligence system”;
  • ensure an individual provides oversight of such use; and
  • provide information to the public about the AI use.

The specifics behind these obligations will be prescribed by regulations.

Further, Bill 194 proposes several important amendments to modernize privacy protections applicable to public sector entities governed under FIPPA, including:  

  • requiring completion of a privacy impact assessment before collecting personal information; 
  • imposing mandatory data breach reporting to affected individuals and the Information and Privacy Commissioner of Ontario (IPC) where there is a “real risk of significant harm” to the individual;
  • implementing reasonable measures to protect against theft, loss, unauthorized use or disclosure, copying, modification or disposal of personal information; and
  • empowering the IPC to review the “information practices” of a public sector entity following a complaint and issue orders to ensure compliance.

Public comment period on Bill 194 is open until June 11, 2024.

Summary By: Anna Troshchynsky



24 05 29

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.