While proposed federal privacy law reform looms in Canada, it was a provincial privacy law that dominated the regulatory discussions among presenters and attendees at the IAPP Canada Privacy Symposium 2023.
Passed in 2021, Quebec's Bill 64 was an omnibus bill to modernize the province's Private Sector Act over the ensuing three years. The resulting statute, Law 25, sees most of its key provisions enter into force 22 Sept., and it includes enhanced enforcement tools: administrative monetary penalties of up to CAD10 million or 2% of worldwide turnover, and penal fines of up to CAD25 million or 4% of worldwide turnover for violations.
Several provisions of Law 25 already went into effect in September 2022, including requiring companies to designate a privacy officer, requiring confidentiality incident reporting, requiring notice to the regulator before establishing a biometric database, and tightening requirements for disclosing personal information for research purposes.
"In Quebec, they kind of went halfway between Canada and Europe," said Borden Ladner Gervais Partner Eloïse Gratton during the CPS privacy officer training. "They propose a new definition of sensitive information: information that, due to its nature, includes medical, biometric or otherwise intimate information. There's a little bit of flexibility with that notion of intimacy, or the context of its use or communication, and it (has) a high level of reasonable expectation of privacy."
Other major Law 25 provisions entering into force this fall, as Dentons Global Privacy and Cybersecurity Group Co-Chair Chantal Bernier previously detailed in an article, include:
- Adopting a privacy program according to prescribed requirements.
- Establishing a process to perform a privacy impact assessment before acquiring or developing technology that processes personal information, and before transferring personal information outside Quebec.
- Updating privacy notices to meet enhanced transparency requirements, including transparency in relation to automatic decision-making systems.
- Reviewing consent mechanisms according to more stringent conditions, including new provisions on minors' consent.
- Reviewing data anonymization to demonstrate it is performed for "serious and legitimate reasons" and according to "generally accepted best practices."
- Like under the EU General Data Protection Regulation, organizations that disseminate information must prepare to respond to a "right to be forgotten" in the form of a right to deindexation.
As Law 25's new provisions are set to enter into force, Canadian privacy professionals are now preparing for how their organizations will comply with them.
A major point of consternation with Law 25 for privacy professionals working in companies outside of Quebec is Section 17, which governs the ability to transfer personal data outside Quebec.
Under the law's requirements, entities transferring customers' personal information outside the province must conduct a data transfer impact assessment. According to nNovation Counsel Dustin Moores, CIPP/C, the assessment covers the sensitivity of the information, the purpose of the transfer, whether the information will receive adequate protection once it leaves Quebec, and whether third parties that subsequently access the data will be bound by the same requirements.
"We've got our data transfer impact assessment, there's still another hurdle: You can only transfer the information outside of Quebec, if you've determined that it'll receive an adequate protection based on generally recognized privacy principles," Moores said. "The communication of the information has to be subject to a written agreement that takes into consideration the results of the assessment and the mitigation measures that are going to be in place in order to protect against the risks that were identified."
Gowling WLG Cybersecurity and Data Protection Counsel and Co-leader Antoine Guilmain, CIPP/C, CIPP/E, CIPP/US, CIPM, FIP, said Law 25 initially left legal minds with two differing interpretations of how Quebec's data protection authority, the Commission d'accès à l'information du Québec, would enforce the transfer requirements: one in which "proper contractual protection would be sufficient," and a more conservative one in which "an analysis of the foreign legislation would have to be performed in order to ensure that there is an equal balance of protection."
Guilmain said the regulations have since been spelled out more comprehensively, clarifying that the standard Quebec's legislation sets for transfers to other jurisdictions is "adequate protection" of personal data, not "equivalent protection."
"The first aspect to note is the shift from equivalent protection to adequate protection … (the concern was) if we pass Law 25, then as a matter of fact, we will become one of the most stringent privacy laws in North America, and how could any other privacy law outside Quebec be equivalent?" Guilmain said. "The current government realized that it was a pretty big burden on (organizations) to assess which jurisdiction would be adequate."
Under the forthcoming regulations of Law 25, the CAI will have the authority to bring its own administrative complaints against organizations that mishandle individuals' personal information. However, Fasken Partner and National Co-leader, Privacy and Cybersecurity, Antoine Aylwin, CIPP/C, said an important element of the law allows organizations that receive administrative penalties from the CAI to enter into an agreement with the agency to reduce the penalty, or potentially avoid it entirely, through proper remediation efforts.
"If the measures necessary to remediate, remedy the failure or mitigate the consequences are taken, then the commission may decide that no administrative penalty is to be imposed," Aylwin said. "I'm not saying the violation is negotiable, but the (monetary) sanction may be negotiable, because the difference between the administrative sanction and a legal sanction is really about trying to force compliance."
Still, Sun Life Chief Privacy Officer and Vice President for Enterprise Conduct and Data Ethics Suzanne Morin noted that, to avoid regulatory scrutiny from the CAI over high-risk data processing, Law 25 will require companies to be more transparent about how they deploy automated systems.
Morin said organizations should focus on the real-world impacts mishandling customers' personal information will have on them when considering Law 25 compliance protocols, and, in doing so, they can best position themselves to comply with how the CAI will enforce the new round of regulations.
"It's reasonable to focus on the more material decisions, or more material impact," Morin said. "Be as upfront and transparent as you can using plain language, it's not going to be easy. Transparency is insurance and no one has the silver bullet."