Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Québec: Privacy reform - what to know and how to prepare

On 22 September 2021, Quebec adopted and gave royal assent to An Act to modernize legislative provisions as regards the protection of personal information ('the Act'). The Act significantly overhauls Quebec's privacy framework, as outlined in various acts, and makes Québec the leading province in Canada for the protection of personal information, once again. This piece of legislation modifies and adds several rights and obligations with respect to the protection of personal information, and will impact both businesses and public bodies. The focus of this piece is on the amendments to the Act Respecting the Protection of Personal Information in the Private Sector, CQLR P-39.1 ('the Private Sector Act').

Instants / Signature collection / istockphoto.com

Before diving into the impact the Act will have on businesses, it is useful to determine first which businesses are concerned by this legislative reform.

Scope of the Private Sector Act

The scope of the Private Sector Act will remain unchanged: it applies to the collection, use, or disclosure of personal information within the province of Québec by 'any person carrying on an enterprise', which means an organised economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property, or providing a service.

Unlike the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the California Consumer Protection Act of 2018 ('CCPA'), the Private Sector Act will remain silent with respect to its extraterritorial application.

However, in a joint investigation issued by four privacy commissioners in the case of the Clearview AI Report 2021- 001, it was held that Private Sector Act applies to any private sector organisations that collects, uses, and discloses information of individuals within the province, irrespective of where the company is located. Therefore, foreign businesses operating in the province and/or collecting personal information from Québec residents should carefully consider whether they are subject to the Private Sector Act.

Overview of what businesses operating in Québec need to know and prepare for

Enforcement

Québec's regulatory authority, the Québec Commission on Access to Information ('CAI'), will now have the power to impose new monetary administrative penalties ('MAPs') for a variety of reasons, including the unlawful collection, use, disclosure, keeping, or destruction of personal information. MAPs may be up to a maximum amount of CAD 10,000,000 (approx. €6,660,398) or, if greater, 2% of worldwide turnover for the preceding year.

The Act also provides for an increase in penalties for violations of the Private Sector Act, which may now be up to an amount of CAD 25,000,000 (approx. €16,667,130), or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year. In the event of a subsequent offence, the fines will be doubled. Finally, where a lawsuit for damages is introduced further to the infringement of a right conferred by the Private Sector Act or a right relating to privacy protections set out in sections 35 to 40 of the Quebec Civil Code, the Act now provides that courts must award punitive damages of at least CAD 1,000 (approx. €670) where the infringement is intentional or results from a gross fault.

Accountability and governance

Organisations are required to appoint a 'Privacy Officer' who is tasked with ensuring accountability with respect to the implementation of and compliance with the Private Sector Act. This Privacy Officer role rests by default with the highestranking officer of the organisation, but may be delegated in writing in whole or in part.

Organisations must publish and implement privacy governance policies and practices. Such policies and practices must provide a framework for the keeping and destruction of the information, define the roles and responsibilities of the staff members throughout the life cycle of the information, and provide a process for dealing with complaints regarding the protection of information.

Mandatory 'assessment of privacyrelated factors', commonly known as a Privacy Impact Assessment ('PIA') must be conducted in a few circumstances, such as:

  • with respect to the acquisition, development, and redesign of any information system project or electronic service delivery project involving the collection, use, disclosure, keeping, or destruction of personal information;
  • before disclosing personal information outside of Quebec; and
  • before disclosing personal information without consent to a person or body wishing to use the information for study or research purposes or for the production of statistics.

The Act also incorporates a new Privacy by Default requirement, pursuant to which organisations that collect personal information when offering a technological product or service to the public must ensure that the parameters of the product or service provide the highest level of confidentiality by default, without any intervention by the person concerned. This obligation does not however include the privacy settings of a cookie.

Transparency

The Act provides for additional transparency obligations under the Private Sector Act. A new provision outlines specific information that must be provided to the person concerned at the time of collection and at any time on request, including namely: the purposes for which the information is collected; the means by which it is collected; the rights of access and rectification provided by law; the right to withdraw consent; the name of third parties or categories of third parties to which it is necessary to communicate the information (if applicable); and the possibility that the information could be communicated outside Quebec (if applicable).

Moreover, the Act adds a transparency obligation with respect to the use of certain technologies. Thus, organisations will have to inform individuals of:

  • their use of technology that can identify, locate, or profile users, as well as provide users with the means available to deactivate the identification, location, or profiling functions; and
  • their use of personal information to render decisions based exclusively on an automated processing of such information.

Mandatory breach reporting

The Act introduces a mandatory reporting regime in relation to 'confidentiality incidents' (defined as unauthorised access, use, disclosure, loss or any other breach of personal information). When there is risk of serious harm, the organisation must notify the CAI and any person whose personal information is concerned by the incident. Moreover, the organisation may also notify any person or body that could reduce the risk, by disclosing to the person or body only the personal information necessary for that purpose without the consent of the person concerned. Organisations are required to keep a record of confidentiality incidents that must be sent to the CAI upon request.

Consent

The Act also reinforces the concept of consent. Consent has to be:

  • clear, free, informed, and given for specific purposes;
  • requested in clear and simple language;
  • given separately from any other information provided to the person concerned, when requested in writing;
  • express, for sensitive personal information; and
  • given by the person having parental authority or the tutor for minors under 14 years of age.

The Act also introduces new consent exceptions, such as:

  • an exception allowing the disclosure of personal information in the course of a business transaction, subject to certain conditions;
  • an exception allowing the secondary use of personal information when:
    • the use is for purposes consistent with those for which it was collected (and not for commercial or philanthropic prospection, which are specifically excluded);
    • the use is for the benefit of the person concerned;
    • the use is necessary to prevent or detect fraud or for the evaluation and improvement of protection and security measures;
    • the use is necessary for the supply or delivery of a product or service requested by the individual; or
    • the use is necessary for study or research or for the production of statistics, and the information is de-identified (i.e. no longer directly identifies the person concerned).

The Act also provides a new exclusion for business contact information, defined as "personal information concerning the performance of duties within an enterprise by the person concerned, such as the person's name, title and duties, as well as the address, email address and telephone number of the person's place of work".

Outsourcing and transfers outside of Quebec

The Act includes new rules regarding outsourcing of personal information to service providers. Such disclosure may be made without consent and is subject to certain conditions, namely:

  • a written agreement between the organisation and the service provider;
  • a description of the measures taken by the service provider to ensure the confidentiality of the personal information;
  • a duty for the service provider to only use the personal information for the purposes of the contract and to not keep this information after the expiry of the contract; and
  • a duty for the service provider to notify the organisation of any actual or attempted confidentiality incident and to allow the organisation to allow the privacy officer to conduct any verification relating to the confidentiality requirements (this last requirement is not applicable if the service provider is a public body).

The Act also significantly reinforces the rules governing cross-border transfers of personal information by businesses. Before disclosing personal information outside Quebec, an organisation must conduct an assessment of privacy-related factors taking into account the following:

  • the sensitivity of the information;
  • the purposes for which it is used;
  • the protection measures that would apply to it, including contractual measures; and
  • the legal framework applicable in the State in which the information would be disclosed, including the legal framework's degree of adequacy with Quebec's privacy laws.

The information may only be transferred outside of Quebec if the assessment establishes that it would receive an adequate level of protection. The disclosure of information is also subject to a written agreement that takes into account the results of the assessment and, if applicable, the terms agreed upon to mitigate the risks identified in the assessment.

Rights of individuals

Three new GDPR-inspired rights for individuals have been created:

Right to cease disseminating, deindexation, and re-indexation

The Act now provides that the right of an individual to request organisations to:

  • cease disseminating personal information about him or her;
  • de-index any hyperlink that provides access to that information, if the dissemination contravenes the law or a court order; and
  • re-index any hyperlink that provides access to that information.

Such a request may be made when the following conditions are met:

  • the dissemination of the information causes the person serious injury in relation to the person's right to respect of his or her reputation or privacy;
  • the injury is clearly greater than the public interest in knowing the information or the right to free expression (the balance of convenience criterion); and
  • the remedy requested does not exceed what is necessary to prevent the perpetuation of the injury.

Right to data portability

The Act also provides that an individual may request a copy of computerised personal information in the form of a written and intelligible transcript. Unless doing so raises serious practical difficulties, computerised personal information collected from the individual (and not information created or derived from their personal information) must, at their request, be disclosed to them in a structured, commonly used technological format. The information must also be disclosed, at the individual's request, to any person or body authorised by law to collect such information.

Right not to be subject to automated-decision making

Organisations using personal information to render a decision based exclusively on an automated processing of such information will have to inform the individual concerned accordingly, no later than the moment where the individual is informed of the decision. Upon request, the individual must also be informed of:

  • the personal information used to render the decision;
  • the reasons and the principal factors and parameters that led to the decision; and
  • the right of the person concerned to have the personal information used to render the decision corrected.

The person concerned must be given the opportunity to submit observations to a staff member in a position to review the decision.

Coming into force

The coming into force of the Act is spread over the next three years:

  • Within a year (i.e. on September 22, 2022): the provisions regarding the appointment of a Privacy Officer, mandatory breach reporting, and the consent exceptions for commercial transactions and for study or research purposes will come into force.
  • Within two years (i.e. on September 22, 2023): most of the provisions of the Private Sector Act, as amended, will come into force. For instance, the new transparency and consent requirements, the provisions on mandatory PIAs, cross-border transfers, the implementation of governance policies and practices, etc.
  • Within 3 years (i.e. on September 22, 2024): the right to data portability will come into force.

How can you prepare?

While the implementation of the Act will come into effect incrementally over the next three years, the magnitude of the task of complying with these new obligations should not be underestimated. Therefore, businesses operating in Québec would be well advised to take the necessary steps now to ensure the compliance of their practices in this area. You can start preparing immediately, with the following steps:

  1. Assign a Privacy Officer.
  2. Conduct a data mapping and a gap analysis: what personal information do you have, how is it collected, for what purposes, to whom is it disclosed, who has access to it, how long is it retained, how is it destroyed, etc.
  3. Identify any technologies with location, profiling and identification parameters, or using automated-decision making.
  4. Review or adopt privacy policies, practices, and guidelines.
  5. Review your consent mechanisms.
  6. Establish guidelines to conduct 'assessments of the privacy-related factors'.
  7. Review or adopt a training and awareness program with regard to the protection of personal information.
  8. Identify your service providers and review their contracts.

Caroline Deschênes Partner
[email protected] 
Marie-Laurence Goyette Lawyer
[email protected]
Langlois Lawyers, LLP, Montréal