Quebec: Quebec's privacy legislation is growing teeth - What businesses need to know before they get bitten
On 12 June 2020, the Quebec government introduced Bill 64, An Act to modernize legislative provisions as regards the protection of personal information ('Bill 64'), which aims to significantly overhaul Quebec's privacy framework and impose tougher restrictions on applicable organisations. Caroline Deschênes, Partner at Langlois Lawyers, discusses Bill 64 and what changes it has in store.
This insight has been updated on 1 September 2021 to reflect recent changes to Bill 64.
Once adopted, Bill 64 will result in significant changes to various laws in order to modernise the regulatory framework for the protection of personal data in Quebec. The modernisation process will impact both private and public sectors as well as political parties, and will require compliance efforts by all these organisations given the new enforcement tools provided which include very significant monetary administrative penalties.
This article focuses on key amendments to the Act Respecting the Protection of Personal Information in the Private Sector ('the Act'), which will have the most impact on businesses operating in Quebec.
One major change introduced by Bill 64 that has attracted attention is the set of additional, stronger enforcement tools provided to ensure compliance with the Act.
New monetary administrative penalties
Pursuant to Bill 64, the Quebec Commission on Access to Information ('CAI') will have the power to impose new monetary administrative penalties ('MAPs'). MAPs may be imposed on organisations for the following reasons:
- failure to adequately inform individuals;
- unlawful collection, use, disclosure, keeping, or destruction of personal information;
- failure to report a confidentiality incident;
- failure to take the security measures necessary to ensure the protection of the personal information; and
- failure to inform individuals concerned by a decision based exclusively on an automated process or failure to provide individuals an opportunity to submit observations.
The maximum amount of the monetary administrative penalty is CAD 50,000 (approx. €33,301) (for individuals) and CAD 10,000,000 (approx. €6,660,398) (for businesses) or, if greater, 2% of worldwide turnover for the preceding year.
Bill 64 provides that businesses can acknowledge their failure to comply with applicable legal requirements and enter into an undertaking with the CAI to remedy the contravention or mitigate its consequences. Where such an undertaking is accepted by the CAI and is respected, the business cannot be subject to a MAP with respect to the acts or omissions covered by the undertaking.
Bill 64 also modifies the penalties already prescribed in the Act and increases their scope. Currently, the power to institute penal proceedings under the Act rests with the Attorney General. Pursuant to Bill 64, within five years of the commission of the offence, the CAI may institute penal proceedings for the following offences, among others:
- unlawful collection, use, disclosure, keeping, or destruction of personal information;
- failure to report a confidentiality incident;
- failure to take the security measures necessary to ensure the protection of the personal information;
- identification or attempt to identify a natural person using de-identified information without authorisation;
- impeding the progress of an inquiry or inspection of the CAI or the hearing of an application by the CAI by providing it with false or inaccurate information, by omitting to provide information it requires or otherwise; and
- failure to comply with an order of the CAI.
Pursuant to Bill 64, fines for a penal offence will range from CAD 5,000 (approx. €3,330) to CAD 100,000 (approx. €66,660) in the case of a natural person and, in all other cases, from CAD 15,000 (approx. €15,000) to CAD 25,000,000 (approx. €16,667,130), or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year. In the event of a subsequent offence, the fines will be doubled.
New private right of action
Finally, Bill 64 also provides that where individuals have suffered an injury resulting from the unlawful infringement of a right conferred by the Act or by Sections 35 to 40 of the Quebec Civil Code and the infringement is intentional or results from a gross fault, the court shall award punitive damages of at least CAD 1,000 (approx. €670).
Accountability and governance
Bill 64 explicitly introduces into the Act the principle of accountability of the organisation collecting the data. Most significantly for businesses, the responsibility for the protection of personal information, or role of 'Privacy Officer', will now rest by default with the highest-ranking officer. Similar to the role of data protection officer ('DPO') under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), this person will now be responsible for the implementation of, and compliance with, the provisions of the Act. All or part of this function may be delegated in writing. Contact details for this person, or for the person to whom the role is delegated, must be published on the organisation's website or, in the absence of a website, made available by any other appropriate means.
Policies and practices
Bill 64 proposes that all organisations establish and implement privacy governance policies and practices. Such policies and practices must provide a framework for the keeping and destruction of the information, define the roles and responsibilities of the staff members throughout the life cycle of the information, and provide a process for dealing with complaints regarding the protection of the information. Detailed information on these policies must be published on the enterprise's website in clear and simple language or, if the enterprise does not have a website, made available by any other appropriate means.
Bill 64 will require organisations to conduct a mandatory 'assessment of privacy-related factors', commonly known as a Privacy Impact Assessment ('PIA'), with respect to the acquisition, development and redesign of any information system project or electronic service delivery project involving the collection, use, disclosure, keeping, or destruction of personal information. It shall be performed in a manner proportionate to the information's sensitivity, purpose of use, quantity and medium. An assessment of privacy-related factors will also be required before disclosing personal information outside of Quebec or disclosing personal information without consent to a person or body wishing to use the information for study or research purposes or for the production of statistics.
Privacy by Default
Bill 64 includes a new Privacy by Default requirement. Organisations collecting personal information by offering to the public technological products or services that have privacy parameters will now have to ensure that, by default, the parameters of the product or service provide the highest level of confidentiality without any intervention by the person concerned. However, this obligation does not include the privacy settings of a cookie.
Bill 64 provides for additional transparency obligations.
Duty to inform at the time of collection (and on request afterwards)
Bill 64 introduces a new provision outlining specific information which must be provided to the individual at the time of collection (and on request afterwards), i.e.:
- the purposes for which the information is collected;
- the means by which the information is collected;
- the rights of access and rectification provided by law;
- the person's right to withdraw consent to the communication or use of the information collected;
- the name of the person for whom the information is being collected if it is being collected for a third person (if applicable);
- the name of the third parties to which it is necessary to communicate the information (if applicable); and
- the possibility that the information could be communicated outside Quebec (if applicable).
On request, the person concerned must also be informed of the personal information collected from them, the categories of persons who have access to the information within the enterprise, the duration of the period of time the information will be kept, and the contact information of the person in charge of the protection of personal information. The information must be provided to the person concerned in clear and simple language, regardless of the means used to collect the personal information.
Duty to inform of the use of technology allowing individuals to be identified, located, or profiled
Bill 64 requires that organisations disclose, in advance, their use of technology that can identify, locate, or profile users, and then provide users with the means to enable the identification, location, or profiling features. 'Profiling' is defined as the collection and use of personal information to assess certain characteristics of a natural person, such as work performance, economic situation, health, personal preferences, interests, or behaviour.
Reinforcement of consent
Bill 64 reinforces the concept of consent for the collection and use of personal information, which is at the centre of Quebec's privacy regime.
Under the Act, consent must be manifest, free, enlightened, and solicited for specific purposes. Bill 64 provides that consent must be clear, free, and informed and be given for specific purposes. It adds that consent must be requested for each such purpose, in clear and simple language and, if solicited in writing, separately from any other information provided to the person concerned. If the person concerned so requests, assistance is provided to help him understand the scope of the consent requested.
For sensitive personal information (i.e. information that entails a high level of reasonable expectation of privacy), Bill 64 stipulates that consent must be express.
Bill 64 also introduces new rules regarding children's data. Personal information concerning a child (under 14 years of age) may not be collected from him without the consent of the person having parental authority or his tutor, unless collecting the information is clearly for the minor's benefit. Consent to the processing of a child's personal information is given by the person having parental authority or his tutor. When a minor is 14 years of age or over, consent is given by the minor or by the person having parental authority or his tutor.
Bill 64 introduces new consent exceptions.
Under the proposed provisions, the secondary use of personal information will be permitted without the prior consent of the person concerned, as long as:
- the use is for purposes consistent with those for which it was collected (and not for commercial or philanthropic prospection, which are specifically excluded);
- the use is for the benefit of the person concerned;
- the use is necessary to prevent or detect fraud or for the evaluation and improvement of protection and security measures;
- the use is necessary for the supply or delivery of a product or service requested by the individual; or
- the use is necessary for study or research or for the production of statistics, and the information is de-identified (i.e. no longer directly identifies the person concerned).
Furthermore, Bill 64 proposes to fill a significant gap in the current version of the Act by expressly introducing an exception to allow the disclosure of personal information without consent in the course of a commercial transaction, as permitted under other Canadian privacy legislation of general application. It also provides a new exclusion for business contact information, defined as 'personal information concerning the performance of duties within an enterprise by the person concerned, such as the person’s name, title and duties, as well as the address, email address and telephone number of the person’s place of work.'
Outsourcing and transfers outside of Quebec
Bill 64 proposes clarifications to the rules applicable to the disclosure of personal information to service providers. Such disclosure may be made without consent and is subject to certain conditions, namely:
- a written agreement between the organisation and the service provider;
- a description of the measures taken by the service provider to ensure the confidentiality of the personal information;
- a duty for the service provider to only use the personal information for the purposes of the contract and to not keep this information after the expiry of the contract; and
- a duty for the service provider to notify the organisation of any actual or attempted confidentiality incident and to allow the organisation's person in charge of the protection of personal information to conduct any verification relating to the confidentiality requirements (this last requirement is not applicable if the service provider is a public body).
Transfers outside of Quebec
Bill 64 purports to reinforce the rules governing the cross-border transfer of personal information by businesses. Thus, Bill 64 provides that before disclosing personal information outside of Quebec, an organisation must conduct an assessment of privacy-related factors, taking into account:
- the sensitivity of the information;
- the purposes for which it is used;
- the protection measures that would apply to it, including contractual measures; and
- the legal framework applicable in the State in which the information would be disclosed, including the legal framework's degree of adequacy with Quebec's privacy laws.
The information may only be transferred outside of Quebec if the assessment establishes that it would receive an adequate level of protection.
The disclosure of the information is subject to a written agreement that takes into account the results of the assessment and, if applicable, the terms agreed on to mitigate the risks identified in the assessment.
While consent is not required to transfer personal information outside of the province, an individual must be informed of the possibility that the information could be disclosed outside of Quebec.
Mandatory breach reporting
Together with British Columbia, Quebec is currently one of the last jurisdictions in North America without mandatory breach reporting provisions. Bill 64 purports to resolve this issue by introducing a general obligation for data breach notification (a breach being referred to as a 'confidentiality incident'). The term 'confidentiality incident' refers to:
- unauthorised access, use, or disclosure of personal information; and
- loss of personal information or any other breach in the protection of that information.
When there is reason to believe that a confidentiality incident has occurred, the organisation must take reasonable steps to reduce the risk of injury and to prevent new incidents of the same nature.
In the event of an incident involving a risk of serious injury, the organisation must notify the CAI, as well as any person whose personal information is concerned by the incident (unless doing so would hamper an investigation conducted by a person or body responsible by law for the prevention, detection, or repression of crime or statutory offence). The organisation may also notify any person or body that could reduce the risk, by disclosing to the person or body only the personal information necessary for that purpose without the consent of the person concerned. In the latter case, the person in charge of the protection of personal information must record the disclosure of the information.
Organisations must keep a register of confidentiality incidents, which must be sent to the CAI upon request.
Rights of individuals
Bill 64 creates three new GDPR-inspired rights for individuals, which we will refer to as the right to erasure, the right to data portability, and the right not to be subject to automated decision-making.
Right to erasure
If adopted, Bill 64 will allow an individual to require an organisation to:
- cease disseminating personal information about him or her;
- de-index any hyperlink that provides access to that information, if the dissemination contravenes the law or a court order; and
- re-index any hyperlink that provides access to that information.
Such a request may be made when the following conditions are met:
- the dissemination of this information causes the person serious injury in relation to the person's right to respect of his or her reputation or privacy;
- the injury is clearly greater than the public interest in knowing the information or the right to free expression (the balance of convenience criterion); and
- the remedy requested does not exceed what is necessary to prevent the perpetuation of the injury.
Right to data portability
Bill 64 provides that an individual may request a copy of computerised personal information in the form of a written and intelligible transcript. Unless doing so raises serious practical difficulties, computerised personal information collected from the applicant (and not information created or derived from their personal information) must, at their request, be disclosed to them in a structured, commonly used technological format. The information must also be disclosed, at the applicant's request, to any person or body authorised by law to collect such information.
Right not to be subject to automated decision-making
Finally, Bill 64 stipulates that an organisation using personal information to render a decision based exclusively on automated processing of such information must inform the individual concerned accordingly, no later than the moment when the individual is informed of the decision.
Upon request, the individual must also be informed of:
- the personal information used to render the decision;
- the reasons and the principal factors and parameters that led to the decision; and
- the right of the person concerned to have the personal information used to render the decision corrected.
The individual must be given the opportunity to submit observations to a staff member who is in a position to review the decision.
Bill 64 was adopted in principle in October 2020 and has undergone a clause-by-clause review, during which amendments were made to the original text. In the coming weeks, Bill 64 will go through the last steps in the legislative process, but it is unlikely that additional changes will be made.
Bill 64 is expected to be passed in Fall 2021. It provides for a two-year transition period between its adoption and the coming into force of the majority of the new provisions, with some exceptions. Thus, a one-year transition period will apply to some provisions, including the provisions on mandatory breach reporting, the requirement to designate a person in charge of the protection of personal information, and the commercial transaction exception. A three-year deferral of implementation will apply to the right to data portability.
Given the number of proposed changes and new requirements, such periods are needed to allow companies to review their current practices, identify gaps and implement the necessary changes to ensure compliance, in order to avoid being subject to the new strong enforcement tools contemplated.
Caroline Deschênes, Partner
Langlois Lawyers, Montréal