Quebec: Bill 64 - Four reasons why it matters
On 22 September 2021, Bill 64, An Act to modernize legislative provisions as regards the protection of personal information1 ('Bill 64') received assent, making Québec the first province in Canada to proceed with a major privacy regime reform amid many attempts and consultations at the federal level. Vanessa Henri and William Deneault-Rouillard, Associates at Fasken Martineau DuMoulin LLP, break down the four main reasons why Bill 64 is important.
This article discusses the importance of Bill 64 and the amendments that it introduces to Québec's Act respecting the protection of personal information in the private sector ('the Private Sector Act')2 (as amended by Bill 64, ('the New Private Sector Act')) with a focus on impacts on Big Data analytics and emerging technologies. Below are the top four reasons for why Bill 64 is a big deal in Canada, but also, globally!
Indeed, the fact that a company is located outside of Québec does not mean it can evade obligations under the Private Sector Act; whenever a company collects personal information ('PII') of individuals located within Québec, regardless of where the company is located, the Private Sector Act applies3.
Reason #1: It will be enforced. And that's new!
The Private Sector Act will shift from being an innocuous regime to providing three distinct enforcement mechanisms with teeth: (i) administrative monetary penalties ('AMPs') of up to CAD 10,000,000 (approx. €7,031,760) or 2% of worldwide turnover4; (ii) new penal offences with fines of up to CAD 25,000,000 (approx. €17,579,410) or 4% of worldwide turnover5; and (iii) a private right of action ('PRA') allowing individuals to sue organisations for damages6.
With new powers to enforce those AMPs, the Québec Commission on Access to Information ('CAI') will become one of the most powerful regulatory bodies in Canada. At the federal level, under the Personal Information Protection and Electronic Documents Act, SC 2000 ('PIPEDA'), the Office of the Privacy Commissioner of Canada ('OPC') still does not have powers to impose fines or make orders, but may rather investigate potential breaches of PIPEDA and issue findings, express an opinion as to whether a complaint was well founded, and make recommendations7. The only statutory penalties under PIPEDA consist of fines resulting from penal proceedings, which may be intended in limited cases of investigation obstruction and non-compliance with breach notification requirements8.
Many deplore that the new enforcement regime will put brakes on the start-up ecosystem and recent technological momentum in Québec. It should be noted that Bill 64 was amended to add a seventh factor to be considered when determining whether to impose an AMP, as well as its amount, i.e. 'the capacity of the person in default to pay, particularly in light of his or her assets, sales or income'9. Without being exhaustive on this topic, the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') does not explicitly include any similar criteria10.
Bill 64 also creates a PRA for individuals to be compensated for the unlawful infringement of a right conferred by the New Private Sector Act or the privacy articles of the Civil Code of Québec CQLR, c CCQ-1991, with an award of punitive damages of at least CAD 1,000 (approx. €700) when the infringement is intentional or results from a gross fault11.
The CAI has already indicated its intention to embrace its new watchdog role by hiring more competent staff and by issuing fines. Adding to this the increased exposure resulting from the upcoming mandatory data breach reporting mechanism12, it is not only the amount of financial consequences that will increase, but also chances of suffering them.
Reason #2: It introduces modern proactive obligations aligned with governance, risk, and compliance best practices
While the current version of the Private Sector Act does not explicitly provide the principle of accountability, Bill 64 introduces several new obligations of organisations in this regard, including the implementation of: (i) governance policies for the protection of PII; (ii) a framework on retention and destruction of PII; (iii) a process for dealing with complaints; as well as (iv) a clear definition of the roles and responsibilities of staff members with regard to PII13. The foregoing will be under the supervision and responsibility of the 'person in charge of the protection of PII', a role that may be delegated to anyone outside the organisation14.
In addition, the New Private Sector Act will require organisations to conduct an 'assessment of the privacy-related factors' ('APF') of 'any project of acquisition, development and redesign of an information system or electronic service delivery involving the collection, use, communication, keeping or destruction of personal information'15.
APFs are just one of the many proactive compliance and risk management mechanisms introduced by Bill 64. Interestingly, Bill 64 also introduces a requirement to perform an APF prior to make cross-border transfers of PII outside of Québec. This was highly debated as the first version of Bill 64 required, as a condition to transfer PII outside of Québec, that the PII importer's jurisdiction offer 'equivalent' protection to that existing in Québec (i.e., at the provincial level). Early criticisms raised concerns about the heaviness of the restrictions on PII transfer, even applicable to transfers between provinces of the same country. As many have pointed out, the proliferation of multiple equivalency and adequacy assessment systems based on local criteria16 creates barriers to international trade and, in the long run, could lead to the global internet disintegrating.
Subsequent amendments to Bill 64 replaced the requirement for 'equivalent' protection by an 'adequate protection in compliance with generally accepted data protection principles'17. Similar to a transfer risk assessment ('TIA') to be conducted under the UK GDPR and the GDPR, the AFP must take into account several factors18 (see below). However, the Québec regime departs from the approach taken under the UK GDPR and the GDPR which require Standard Contractual Clauses ('SCCs') or other pre-approved mechanisms19, followed by a TIA20 to identify additional protection measures that may be required. Under the New Private Sector Act, the APF will be used as guidance to determine what measures must be implemented.
Table 1 - Comparison between Québec, Canada and the European Union
Private Sector Act
(as amended by Bill 64)
Transfer of PII
Transfer outside Québec.
Transfer outside the European Economic Area.
Transfer outside Canada.
Transfers can take place when:
Transfers can take place when based on an adequacy decision, or when:
Transfers can take place when:
Factors to consider when assessing risk
Taking a global approach to design a legislation agnostic procedure in line with worldwide best practices is a good idea, considering the inherently local - and conflicting - interests that countries encounter when seeking to regulate extraterritorially. Another good idea is to become familiar with a recognised international standard that provides a framework for performing privacy impact assessments21, and others that provide with a methodology for implementing good governance on the protection of PII22, under which companies can get certified. While it is still necessary to obtain legal opinions on how these laws apply, these standards are helpful to guide professionals implementing.
Reason #3: It introduces requirements for technological development in an AI-based economy
Bill 64 is also a big thing because of the economic context in which it is being inserted: Québec has recently been consolidating its AI powerhouse status and is multiplying investments in innovation23. Consequently, it is critical to maintain trust in such technologies; it is not a coincidence that the privacy tech industry is gaining attention24. However, it is a daunting challenge for smaller emerging companies to support this regulatory burden, as Canadian privacy laws, including the New Private Sector Act, do not feature any applicability threshold, unlike several U.S. privacy laws25.
Among those trust-enhancing mechanisms, Bill 64 introduces the concept of Privacy by Default which, in contrast to Privacy by Design under GDPR26, governs the parameters (if any) of tech products and services offered to the public, which must be set, by default, in a way that ensures the highest level of privacy27.
Consistent with this principle, Bill 64 restricts the use of technologies with functions allowing the profiling, localisation, or identification of individuals, implying that such functions will always need to be activated by the concerned individual through an opt-in. Organisations will be required to priorly inform individuals of: (i) the use of such technology; and (ii) how he/she can activate those specific functions28. Bill 64 provides a very broad definition of 'profiling', which encompasses any PII processing made to assess characteristics of an individual in any contexts and for any purposes, including work performance, economic situation, and personal interests29. In contrast, the GDPR provides data subjects to object, at any time, only to specific PII processing (including profiling): (i) made for direct marketing purposes; or (ii) based on public interest or the organisation's legitimate interest30.
The New Private Sector Act will also include new requirements around the use of decisions based exclusively on automated processing of PII31. While GDPR addresses a similar topic quite differently32, PIPEDA currently has no similar provision.
Table 2 - Comparison between Québec and the European Union regimes: decisions based solely on automated processing
Private Sector Act (as amended by Bill 64)
Decisions subject to legal requirements
Decisions based exclusively on an automated processing of PII.
Decisions based solely on automated processing that produces legal effects concerning the data subject or similarly affecting him.
Transparency and explainability obligations
Organisations must inform the concerned individual, no later than at the time it informs him/her of the decision, that such decision is based exclusively on an automated processing of his/her PII; and, at the individual's request:
Organisations must inform the concerned individual, at the time when PII are obtained:
Other rights and obligations specific to automated decision-making
The person concerned must be given the opportunity to submit observations to a member of the personnel of the enterprise who is in a position to review the decision.
Data subjects have the right not to be subject to such decision, except if it is necessary to conclude or perform a contract, based on data subjects’ explicit consent or authorised by applicable EU or local law.
If the decision is necessary to conclude or perform a contract or is based on consent, data subjects have the rights to obtain human intervention, to express their point of view, and to contest the decision.
Unlike the GDPR, Bill 64 does not establish an individual right to not be subject to decisions based solely on automated processing. It rather merely provides an 'opportunity' for the individual to submit observations to an employee, without any formal right to request human intervention in such decision. On the other hand, the GDPR only provides for those rights when the decision produces legal effects concerning the data subject or similarly affects her/him, while the obligations under the Québec regime could be triggered in case of a simple targeted advertisement for shoes.
In the absence of guidance from the CAI, commenters have raised concerns in connection with enforcement of the transparency obligations through regulatory actions that could involve disclosure of trade secrets, sensitive algorithmic process, and private IT systems33. For instance, InsurTech companies may be worried as the mechanism setting insurance premiums may constitute very sensitive confidential information for them, while not being necessarily relevant to a consumer34. In this regard, it is specified under the GDPR that data subjects' right to access 'should be limited to not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software35'. PIPEDA also provides that access rights are limited when their exercise would reveal 'confidential commercial information36'. According to Bill 64, no exemption will be made in this regard under the New Private Sector Act.
Reason #4: It tackles de-identification in a wider data governance discussion
For many generations, healthcare systems have been accumulating massive amounts of data of great interest to researchers, medical and pharmaceutical companies, and above all, to such systems. Otherwise, data may be scattered in disparate forms and difficult to access where outdated legal safeguards for the protection of PII are in force, as is currently the case in Québec37. At the other end, during the Coronavirus pandemic, the Israeli Government agreed to transfer all vaccination data automatically to a pharmaceutical company, providing it with real-time access to large amounts of data on the effect of their vaccine. Jurisdictions aiming for data governance are likely to implement structures that allow for greater access and use of data while ensuring confidentiality of PII. This may be achieved with the introduction of de-identification statutory requirements that improve trust and access protocols and allow data synthesis to be framed with more certainty.
Bill 64 introduces two types of processes that may be applied to PII to reduce or minimise its identificatory nature: de-identification and anonymisation.
Under Bill 64, PII is de-identified when it no longer allows the concerned individual to be directly identified38. De-identification of PII allows organisations to use such PII without consent to the extent necessary for study, research or statistical purposes39. Indeed, organisations frequently use de-identification to protect privacy of individuals while still extracting business intelligence from the PII, such as MedTech organisations that may want to share de-identified health data with researchers. The New Private Sector Act will also require that organisations using de-identified information take reasonable steps to mitigate the risk of anyone identifying an individual using de-identified information40. Here is another situation that will require the performance of an APF.
According to Bill 64, information is anonymised to the extent it is at all times reasonable to expect, in the circumstances, that it irreversibly no longer allows the individual it concerns to be identified, whether directly or indirectly41. Still, the field of de-identification science suggests that re-identification of individuals, rather than being hard, is sometimes surprisingly easy. It is difficult for organisations to predict the type and amount of external information that an adversary will be able to access, and that difficulty may result in some residual re-identification risk - even for the best-intentioned de-identification processes42.
Bill 64 also requires that PII anonymisation be made in accordance with 'generally accepted best practices' and with criteria and procedures prescribed under regulation to come43. There is often at least some residual risk that re-identification might be possible, if not with techniques and data that are available today, then perhaps with techniques and data that might become available in the future. Despite the fact that uncertainty remains around the re-identification risk threshold that would disqualify a dataset from being properly 'anonymized' in accordance with Bill 64, the explicit reference made to industry best practices ensures durability through technological advances and could facilitate the harmonisation with other standards prescribed under foreign regulations such as the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), the GDPR, and others, which is critical.
Finally, while PII anonymisation was initially proposed under Bill 64 as an equivalent alternative to PII destruction, Bill 64's final form integrates an important amendment requiring organisations to demonstrate a 'serious and legitimate purpose' in order to use anonymised PII44. This additional limitation could have critical impacts on the AI and Big Data analytics industry. It also creates interpretative issues since it is understood from the whole text of the new Private Sector Act that anonymized data does not constitute PII, and therefore, this specific article may be interpreted as overstepping the fundamental object of this law45. In contrast, both the GDPR46and PIPEDA47 fully exclude 'anonymous information' from their respective scope.
New requirements under Bill 64 will come into force in three annual stages: four in September 2022 (including the appointment of a privacy officer and breach reporting requirements), most in September 2023, and a last one in September 2024 (a data portability right for individuals).
It is obvious that the Québec reform is strongly inspired by the European regime, and may be viewed as an attempt from La Belle Province to model its own data governance regime on the GDPR's privacy standards. Indeed, the New Private Sector Act includes noteworthy distinctive features, some being firmly rooted in the Canadian privacy tradition48. While the federal49 and Ontario50 governments recently made first steps toward the adoption of new privacy legislations, it is fervently hoped that proposed initiatives will prioritise harmonisation, which will greatly benefit to all Canadian companies and innovators.
1. Available at: http://www.assnat.qc.ca/en/travaux-parlementaires/projets-loi/projet-loi-64-42-1.html?appelant=MC
2. Available at: http://www.legisquebec.gouv.qc.ca/en/pdf/cs/P-39.1.pdf
3. See: https://priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2021/pipeda-2021-001/#fn19Joint investigation of Clearview AI, Inc. by the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Information and Privacy Commissioner for British Columbia, and the Information Privacy Commissioner of Alberta, PIPEDA Findings #2021-001, February 2, 2021; https://www.canlii.org/fr/qc/qccai/doc/2018/2018qccai245/2018qccai245.htmlFirquet c. Acti-Com, 2018 QCCAI 245 (CanLII); https://www.canlii.org/fr/qc/qccs/doc/2008/2008qccs1455/2008qccs1455.htmlSerres Floraplus inc. c. Norséco inc., 2008 QCCS 1455 (CanLII); Guilmain, A. & Douville, D., "https://www.fasken.com/en/knowledge/2019/05/van-the-quebec-private-sector-privacy-act/The Québec Private Sector Privacy Act: When does it Apply to Organizations Outside of Québec?," Fasken Bulletin, May 16, 2019; Geist, M., “https://lawcat.berkeley.edu/record/1117679Is there a there there? Toward greater certainty for internet jurisdiction,” Berkeley Technology Law Journal, Vol. 16, #3, p. 1345 (2001).
4. Article 90.12 of the New Private Sector Act.
5. Ibid., Article 91.
6. Ibid., Article 93.1.
7. See: PIPEDA, s. 12-13.
8. See: PIPEDA, s. 28. I
9. See: Article 90.2(2) of the New Private Sector Act.
10. Article 83(2) of the GDPR.
11. Article 93.1 of the New Private Sector Act.
12. Ibid., Article 3.5.
13. Ibid., Article 3.2.
14. Ibid., Article 3.1.
15. Ibid., Article 3.3.
16. See for instance: India's Personal Data Protection Bill (tabled in 2019), which proposes to require that certain types of PII be stored in India: 'critical personal data' must be stored and processed only in India, while 'sensitive personal information' must be stored within India but may be 'copied' elsewhere provided the destination country applies sufficient privacy protections to the data and does not impede Indian law enforcement access to the data.
17. Article 17 of the New Private Sector Act.
19. Article 46 of the GDPR.
20. European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Nov. 10, 2020.
21. See: https://www.iso.org/standard/62289.html
22. See: https://www.iso.org/standard/71670.html
23. See: https://montrealgazette.com/news/local-news/artificial-intelligence-expert-moves-to-montreal-because-its-an-ai-hub
24. See: https://www.priv.gc.ca/en/blog/20210412/
25. For instance: the California Consumer Privacy Act applies to businesses that: (i) have annual gross revenue of over USD 25 million; buy, receive, sell or share the PII of 50,000 or more California consumers, households or devices for commercial purposes each year; or derive 50% or more of annual revenue from selling consumer PII (CCPA, s. 1798.140).
26. Article 25 of the GDPR.
27. Article 9.1 of the New Private Sector Act.
28. Article 8.1 of the New Private Sector Act.
29. Ibid.: i.e., 'the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person's work performance, economic situation, health, personal preferences, interests or behaviour.'
30. Article 21 of the GDPR.
31. Article 12.1 of the New Private Sector Act.
32. Articles 15 and 22 of the GDPR.
33. Only available in French at : https://bac-quebec.qc.ca/media/5919/20210527_memoire_pl64-commission-institutions.pdf
35. Recital 63 of the GDPR.
36. Article 9(3)(b) of PIPEDA.
37. Article 21 of the Private Sector Act; https://www.cca-reports.ca/wp-content/uploads/2018/10/healthdatafullreporten.pdfAccessing Health and Health-Related Data in Canada. Council of Canadian Academies Report, 2015, Ottawa, pp. 47, 51, 82; One of the most controversial aspects of Québec privacy laws for the research sector is the often lengthy and uncertain process researchers must go through to gain access to PII databases held by public bodies and private enterprises. The CAI generally grants the necessary approval after a year or more, while research funds are granted over a three-year cycle.
38. Article 12 of the Private Sector Act.
41. Article 23 of the Private Sector Act.
42. According to a https://dataprivacylab.org/projects/identifiability/paper1.pdf?fbclid=IwAR2qeD2uXtZmaUUPQzAStNoO1n2pAQpfzzhnDYg4WPN-yhjZ8oTBHmpmhowlandmark study, 87% of Americans can be uniquely identified from their ZIP code, date of birth and sex. According to https://www.cs.utexas.edu/~shmat/shmat_oak08netflix.pdfanother, more than 80% of users of a flagship subscription DVD rental service could be uniquely identified by when and how they rated any three movies they had rented.
43. Article 23 of the Private Sector Act.
45. Article 1 of the New Private Sector Act: 'The object of this Act is to establish, for the exercise of the rights conferred by articles 35 to 40 of the Civil Code concerning the protection of personal information, particular rules with respect to personal information relating to other persons which a person collects, holds, uses or communicates to third persons in the course of carrying on an enterprise […].'
46. Recital 26 of the GDPR.
47. Schedule 1, s. 4.5.3. of PIPEDA.
48. For instance, consent is preserved as the sole legal basis for processing.
49. https://parl.ca/DocumentViewer/en/43-2/bill/C-11/first-readingBill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts; this bill has not been subject to any legislative developments from 2020 and its future is now uncertain.
50. In June 2021, the Ontario Government published https://www.ontariocanada.com/registry/showAttachment.do?postingId=37468&attachmentId=49462a white paper setting out a model for a new provincial statute.