Privacy in Quebec is about to get a major makeover — one that may lead to wider reforms across Canada. In September, lawmakers enacted Bill 64, which aims to modernize crucial aspects of the various laws governing individuals’ privacy in Quebec, amending provisions involving consent, data protection officers, notice, individuals’ rights and more.
“(Bill 64 is) actually a pretty big deal in Canada and will probably have a domino effect in terms of seeing other jurisdictions move to update their laws too,” wrote IAPP Canada Managing Director and nNovation Partner Kris Klein, CIPP/C, CIPM, FIP. And the reverberation does not stop at the nation’s border, he wrote. “Regardless of whether you’re in Quebec, this law will likely impact (privacy professionals’ work) in some way.” Klein added firms outside Canada should evaluate the operational impacts posed by Bill 64 given the chance that Quebec’s neighboring provinces may soon follow suit in modernizing their privacy and data protection statutes.
Even with the likelihood of provincial reforms, there appear to be no immediate plans to overhaul the Personal Information Protection and Electronic Documents Act, the country’s main federal privacy law. However, according to Klein, a string of successful privacy reforms across the provinces could result in federal reforms whose provisions mimic those featured in Bill 64. This province-before-federal likelihood reflects the Canadian legal system’s decentralized approach to privacy law, which generally places the provincial and federal governments on equal footing with regard to regulating data protection and individuals’ privacy.
Bill 64: An omnibus
The new law in Quebec is an omnibus legislative package that amends several discrete privacy laws in the province. But perhaps the most significant amendments of Bill 64 reform the Private Sector Act, Quebec’s main statute that regulates the collection, use and disclosure of personal information by private organizations.
The amendments to the Private Sector Act gradually come into effect over the next three years, but this delay has not stopped Quebec’s data protection authority, la Commission d’accès à l’information du Québec (CAI), from releasing guidance and interpretation, even though the final text of Bill 64 has not been released as of this writing.
Here are some of the most significant impacts Bill 64 will have on the Private Sector Act and when to expect them to come into effect.
DPOs
Beginning in September 2022, firms will be required to comply with certain administrative controls, which include naming a designated employee responsible for complying with the Private Sector Act. By default, the amended law assigns compliance oversight to the CEO of every firm, but firms may designate any individual as privacy officer so long as they publish the name, title and contact information of the responsible individual on the firm’s website.
Breach reporting
Also beginning in September 2022, organizations must begin notifying CAI and individuals of any breach involving personal information that presents a “risk of serious injury” to the affected individuals. The determination of a risk of serious injury is assessed under the “real risk of significant harm” factors outlined in PIPEDA, which generally evaluate the sensitivity of the personal information involved in the breach and the probability that the personal information will be misused. Organizations must keep a register of all breaches, but the required contents and details of the register are expected to be promulgated by CAI in the coming months.
Website notice
Bill 64 requires that organizations establish, implement and publish policies and practices that describe how they govern the use of personal information. Organizations must publish these policies on their website, and the policies must be approved by the person in charge of protecting personal information at the organization. The policies must describe how the organization defines the roles and responsibilities of its personnel throughout the life cycle of the information and must provide website visitors with a process for dealing with complaints regarding the protection of the information. Importantly, these policies and practices must be proportionate to the nature and scope of the organization’s activities. Organizations have until September 2023 to begin publishing such notices.
Privacy by default
One of the modernization efforts in Bill 64 requires that organizations configure individuals’ privacy settings for products or services to offer the highest level of confidentiality and privacy. This includes deactivating profiling, tracking or identification technology, and giving individuals the opportunity to expressly opt for such features in accordance with their preferences. Such privacy by default requirements take effect September 2023.
Privacy impact assessments
Beginning September 2023, firms must conduct PIAs under a few scenarios. First, firms must conduct PIAs regarding any upgrades, acquisitions or developments of any of the firm’s IT infrastructure or digital products. Second, firms must conduct PIAs prior to transferring covered data out of Quebec. In conducting PIAs prior to transfer, the firm must consider the sensitivity of the information, the purposes for which it will be used and the protection measures used in the transfer. Firms must also assess whether the information will receive adequate protection in compliance with “generally accepted data protection principles” in the jurisdiction to which it is sent. Lastly, an organization must conduct a PIA when it discloses covered personal information “for research purposes” without data subjects’ consent.
Consent
Bill 64 brings Quebec’s consent rules closer in line with similar requirements under the EU General Data Protection Regulation. Provisions affecting consent mechanisms take effect September 2023.
Under the amended Private Sector Act, at the time of collecting personal information (and subsequently upon request), firms must inform individuals of the purpose for which the information is collected, the means by which it is collected, and individuals’ right to access and rectify the information. If applicable, firms must also name any third parties on whose behalf the information is being collected and notify users of the possibility that the information will be transferred out of Quebec. Firms must implement administrative measures to provide, upon request, the categories of individuals who have access to the information within the firm as well as the contact information of the DPO or whoever is in charge of the protection of personal information at the firm.
Firms must obtain express consent before using sensitive personal information for secondary purposes. Sensitive personal information includes medical, biometric or otherwise intimate information. Personal information may become sensitive if the context of its use or communication naturally entails a high level of reasonable expectation of privacy, but neither Bill 64 nor the CAI’s website clarify how personal information becomes sensitive under these circumstances.
Consent for minors under the age of 14 must be obtained through a parent or legal guardian. There is an exception to this consent requirement if collecting the information “is clearly for the minor’s benefit,” but neither the text of Bill 64, the pre-Bill 64 Private Sector Act nor the CAI’s website elaborates on what constitutes a use that serves a minor’s benefit. However, it seems reasonable that these circumstances would include compulsory data sharing in certain emergency contexts, such as police investigations or circumstances related to children’s safety or wellbeing.
Individual Rights
As part of the modernization effort by Quebec lawmakers, Bill 64 expressly codifies rights that are similar to those offered under the GDPR, including the rights to erasure (otherwise known as deindexation) and portability. Individuals’ right to deindexation comes into effect in September 2023 and requires that individuals be able to ask organizations to stop distributing their personal information. The right also allows individuals to demand that their personal information be deindexed if its dissemination causes them prejudice or contravenes the law or a court order. In other words, individuals have a right similar to the so-called “right to be forgotten” that exists under Article 17 of the GDPR and is expounded upon in Recitals 65 and 66. Deindexation rights must be in place beginning September 2024.
Under the right of portability, organizations will be required to provide individuals with personal information collected about them in a structured and commonly used technological format. The portability requirements are the only provision amending the Private Sector Act that will take effect in September 2024.
Automated Decision Making
Individuals must be informed when an automated decision has been made about them and about the rights they have to access or rectify the underlying personal information. Individuals also have the right to obtain information on how the decision was made or have the decision reviewed by someone with the authority to change it. Organizations must also provide individuals with the opportunity to submit materials as a way to appeal adverse decisions taken as a result of the automatic processing. These provisions will come into effect in September 2023.
Enforcement
Bill 64 amends the enforcement provisions in the Private Sector Act by providing a private right of action for individuals to sue organizations for damages and by creating two tiers of monetary penalties.
The private right of action enables individuals to file suit against organizations for failing to comply with certain aspects of the amended Private Sector Act. These include collecting, using, disclosing, destroying or retaining personal information in violation of the law. They also include failures to provide an appropriate privacy notice and to notify CAI or individuals whose personal information was affected by a data breach. Lastly, individuals may file suit if organizations fail to inform them concerning an automated decision or fail to provide them with an opportunity to appeal the automated decision. Damages are available for successful plaintiffs, although the law provides no insight into the amount or type of damages available.
Organizations may also be fined by CAI anywhere between CAD $10 million and $25 million or 2 or 4 percent of annual global revenues, whichever amount is higher. CAI is authorized to assess such fines for the types of violations available to private plaintiffs, but CAI has unique authority to impose fines for organizations’ refusal or failure to comply with requests to produce documents or other orders issued by CAI.
Conclusion
Even though the final text of Bill 64 has not been published, enough is known about it to allow firms to begin examining how to comply with the amended Private Sector Act. CAI is expected to continue publishing guidance and insight into compliance over the next three years as provisions gradually come into effect. The IAPP will also continue monitoring province-level reforms passed in the wake of the legislative success in Quebec and any legislative or regulatory developments from the nation’s federal government.