Quebec’s Bill 64 proposes amendments to modernize privacy laws

Data Protection, Privacy and Security Alert

On June 12, 2020, Bill 64 was introduced in an effort to modernize the current legal regime in Quebec regarding the protection of personal information. The Bill not only updates and modernizes the current legal framework regarding individuals' personal information and privacy rights, but also aligns Quebec’s privacy laws with those of other jurisdictions. In fact, many of the proposed amendments are influenced by, or are similar to, the provisions found in the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the European Union’s General Data Protection Regulation (“GDPR”). At present, the Bill has been adopted in principle. However, it is still subject to amendments.

The Bill proposes changes to privacy laws affecting both public and private sectors. This article will focus on the key changes impacting the private sector, more particularly the proposed amendments to the Act Respecting the Protection of Personal Information in the Private Sector (“Private Sector Act”).

Responsibilities relating to protection of personal information

Privacy Officers

The Private Sector Act, in its current form, does not require a business to designate a privacy officer who would be accountable for compliance with the Private Sector Act. Under Bill 64, however, the person exercising the highest authority in an enterprise is responsible for implementing and ensuring compliance with the Private Sector Act, and he or she shall exercise the function of “person in charge of the protection of personal information”. Part or all of this function may be delegated to another member of the personnel.

Businesses will be required to publish the title and contact information of the person in charge of the protection of personal information on their websites or, if no website is available, through other appropriate means.

Governance policies and practices

Under Bill 64, every business will be required to establish and implement governance policies and practices that appropriately ensure the protection of personal information, considering the nature and scope of its activities. These policies and practices would need to provide a framework for the retention and destruction of personal information, define the roles and responsibilities of the members of the personnel throughout the life cycle of the information, and provide a process for dealing with complaints regarding the protection of personal information.

Businesses, with the involvement of the person in charge of the protection of personal information, will be required to conduct an assessment of privacy-related factors for all information system projects or electronic service delivery projects involving the collection, use, communication, keeping or destruction of personal information. The term “information system projects or electronic service delivery projects” is meant to encompass all systems that would process personal information or that are intended to provide e-services.

Confidentiality incident

It will become mandatory to report a confidentiality incident where a business has cause to believe that such an incident has occurred and that it presents a risk of serious injury. In that event, the business must promptly notify the Commission d’accès à l’information (“Privacy Commission”) and any person whose personal information is concerned.

Under the Bill, a confidentiality incident is defined as unauthorized access to, use of or communication of personal information, the loss of personal information, or any other breach in the protection of personal information.

In the event of a confidentiality incident, the business must take reasonable measures to reduce the risk of injury and to prevent any new occurrences of the same nature.

The business must maintain a register of confidentiality incidents.

The draft legislation sets out the factors to consider in assessing the “serious risk” of injury to the person whose personal information has been compromised. The concept of “sensitivity” of the information is introduced as a factor in assessing that risk. Personal information is deemed to be sensitive if there is a high level of reasonable expectation of privacy given the nature of the information or the context of its use or communication.

Retention, use and non-communication of information

Duty to inform

Bill 64 provides for additional transparency when personal information is collected and, at any time thereafter, on request. Any person who collects personal information must inform the person concerned:

  1. of the purposes for which the information is collected;
  2. of the means by which the information is collected;
  3. of the rights of access and rectification provided by law;
  4. of the person’s right to withdraw consent to the communication or use of the information collected;
  5. of the name of the person for whom the information is being collected if it is being collected for a third person; and
  6. of the possibility that the information could be communicated outside Quebec, if applicable.

In the case where technological means are being used to collect personal information, a confidentiality policy drafted in clear and simple language must be published on the business’s website and disseminated by any appropriate means to the persons concerned. Should the technology include functions to identify, locate or profile the person concerned, the business must also inform the person concerned of the use of such technology and how to deactivate the functions, if possible.

Profiling is the collection and use of information in order to assess certain characteristics of the person such as work performance, economic situation, health, personal preferences, interests or behaviour.

Where personal information is used to render a decision based exclusively on automated processing of that information, the business must inform the person concerned at the time of or before the decision. The person concerned may also request additional information to better understand the process, and must be given the opportunity to have the decision reviewed.

Consent

The Bill clarifies that consent must be clear, free and informed and be given for specific purposes. In the case of sensitive personal information, the consent given by the person concerned must be express.

Bill 64 also makes a distinction with respect to consent for minor persons under the age of 14. If the personal information concerns a minor under the age of 14, the consent of the person having parental authority is required.

It should be noted that when consent is requested, the request must be made in clear and simple language and separately from any other information provided to the person concerned.

Highest level of confidentiality by default

Bill 64 provides that a business which collects personal information when offering a technological product or service will be required to ensure that, by default, the parameters of that product or service are set to the highest level of confidentiality.

Transfer to foreign jurisdiction

Bill 64 sets out new rules, similar to those under PIPEDA and the GDPR, integrating the adequacy principle into the transfer of personal information to a foreign jurisdiction.

Before communicating personal information outside Quebec, businesses will now be required to conduct a privacy impact assessment in order to ensure that the personal information would receive protection equivalent to that afforded under the Private Sector Act. The same applies to situations where a business outsources the task of collecting, using, communicating or keeping personal information to an entity in a foreign jurisdiction.

To assist with this, the government will publish in the Gazette officielle du Québec a list of States whose legal framework governing personal information is equivalent to that in Quebec.

Communication to third persons

Section 18 of the Private Sector Act provides a list of recipients to whom a business can communicate personal information it holds without the consent of the person concerned. Bill 64 sets out a few additional scenarios in which personal information can be communicated without having to obtain the consent of the persons concerned.

Carrying out a mandate or service contract

A business may communicate personal information to a third party, without having to obtain the consent of the persons concerned, where the information is necessary for carrying out a mandate or service contract. If the person performing the contract is not a public body or a member of a professional order, the contract must be in writing and must include the measures the mandatary or the person performing the contract must take to protect the confidentiality of the personal information communicated.

Concluding a business transaction

Similarly, Bill 64 also allows a business to communicate personal information, without the consent of the persons concerned, if the business is involved in a commercial transaction (such as the sale of the business) that necessitates such communication. Prior to any such communication, however, the parties must enter into an agreement stipulating various undertakings by the other party to ensure that the personal information is appropriately protected. If the business assets are sold to a purchaser, the purchaser must advise the persons concerned that the purchaser now holds their personal information.

Access by persons concerned

Right of access and rectification

Bill 64 modernizes section 27 of the Private Sector Act regarding the right of access of persons concerned by integrating the notion of data portability. The Bill allows individuals to request that the personal information collected from the individual be communicated to him or her in a structured, commonly used technological format.

Any person may require rectification of personal information where such information is inaccurate, incomplete or equivocal.

Cessation of dissemination and de-indexing

In addition to the rectification rights of the persons concerned, Bill 64 also gives individuals the right to require businesses to cease disseminating the personal information relating to them if such dissemination contravenes the law or a court order or, in certain circumstances, to de-index or re-index any hyperlink attached to the individual’s name that provides access to the information.

Penal provisions, administrative monetary penalties and damages

Under the current Private Sector Act, if a business contravenes a provision of the Private Sector Act, the Attorney General may initiate penal proceedings against the business, and the penalties range from $1,000 to $50,000 depending on the offence. Bill 64 drastically changes these provisions. Under Bill 64, the Privacy Commission will be granted the power to institute penal proceedings for an offence under the Private Sector Act, and the monetary penalties have been substantially increased. The penalties would be between $5,000 and $50,000 for a natural person and, in all other cases, between $15,000 and $25,000,000 or, if greater, 4% of the business’s worldwide turnover for the preceding fiscal year.

In addition to the penal proceedings, Bill 64 introduces an administrative penalty regime that allows the Privacy Commission, through a person it designates, to impose fines on businesses that do not comply with the Private Sector Act. The Privacy Commission would be responsible for developing and making public the general framework for the application of monetary administrative penalties. These penalties can be as high as $50,000 for a natural person and, in all other cases, the greater of $10,000,000 or 2% of the business’s worldwide turnover for the preceding fiscal year.

Businesses are liable for damages for injuries caused by infringements of the provisions of this legislation and, where the infringement is intentional or due to gross negligence, punitive damages of at least $1,000 can be awarded.

Commentary

The provisions of Bill 64 would generally come into force one year after the date of its assent, with the exception of certain provisions for which additional time is allowed to make the appropriate technological adjustments. At the time of this writing, the Bill has been adopted in principle. While it is still subject to amendments, in its current form the Bill has far-reaching consequences for businesses of all sizes. It should be noted that during the special consultations and public hearings, consideration was given to the impact the proposed changes would have on small and medium-sized enterprises. It remains to be seen how the Bill may be amended.

Nonetheless, it would be judicious for businesses, especially employers, to review the provisions of Bill 64 in further detail and to conduct an internal analysis of their current privacy policies and practices in order to be in a position to make the appropriate changes in a timely manner.

This article provides only general information about legal issues and developments, and is not intended to provide specific legal advice. Please see our disclaimer for more details.