On June 12, 2020, the Québec government proposed a significant overhaul of its current privacy laws through the introduction of the highly anticipated Bill 64, An Act to Modernize Legislative Provisions Respecting the Protection of Personal Information (Bill). The stated objective of the changes, once passed, is to modernize the protection of personal information and to ensure both the public and private sectors are meeting the obligations that they have to protect the personal information they possess.
Should the Bill pass, both public and private organizations across Québec would see major reforms and significantly increased obligations as to how they hold and protect their customers’ personal data.
The key changes are:
- Privacy by design obligations for the default settings for companies’ technology products.
- More onerous consent requirements.
- New rights for individuals: data portability, the right to be forgotten and the right to object to automated processing of their personal information.
- The requirement to appoint a Chief Privacy Officer and establish governance policies and practices.
- Mandatory breach reporting and notification.
- Significant penalties could be imposed by the Commission d’accès à l’information (CAI) of up to $50,000 for an individual and $10 million or 2% of worldwide turnover, whichever is greater, and penal sanctions of up to $25 million or 4% of worldwide turnover for organizations.
- A private right of action (in other words, statutory damages resulting from the unlawful infringement of a right under the Québec privacy acts).
- The introduction of a “business transaction” exception from consent that would allow personal information to be disclosed without consent in the course of a business transaction.
In many ways, this proposed reform brings Québec’s privacy laws in line with the European Union’s General Data Protection Regulation (GDPR). The proposed changes are also conceptually similar to those anticipated as part of the federal Personal Information Protection and Electronic Documents Act (PIPEDA) modernization.
We provide a comparison table at the end of the post that highlights the similarities and differences among Bill 64, PIPEDA and GDPR.
Key features of the Bill
Bill 64 proposes changes to the current consent provisions. In particular, consent would be required for each specific purpose, in clear and simple language, and “separately from any other information provided to the person concerned”. Organizations would also be required to assist the individual in understanding the implications and terms of the consent requested. Additionally, under Bill 64 consent will remain valid only up to the point necessary to achieve the purpose for which it was requested; at that point, consent will cease to exist and the information must be destroyed or anonymized. “Sensitive information” would also require express consent.
Bill 64 also creates new provisions for those under the age of 14, whereby express consent must be obtained from the person with parental authority.
Designation of a data protection officer
One of the key requirements under the new Bill is the introduction of a data protection officer (DPO), whose job would be to ensure the enterprise complies with the statutory privacy requirements and to implement governance policies and practices regarding personal information. No specific name is given to this role; however, the role is assigned to the individual within the enterprise exercising “the highest authority”, though that individual may delegate the title in writing to another member of personnel. PIPEDA already imposes a similar requirement (every organization subject to PIPEDA is specifically required to designate an individual who is accountable for its compliance (often called a privacy officer), and to make the identity of the privacy officer known on request).
Data governance and accountability
Bill 64 mandates that all public bodies and enterprises through their DPO must establish and implement governance policies and practices regarding the company’s use of personal information. Specifically, these policies must:
- Outline the framework for keeping and destroying personal information;
- Define the key roles and duties of the employees for the enterprise throughout the life cycle of the data; and
- Outline a process for dealing with complaints regarding the protection of information.
All policies must be clearly published on the enterprise’s website (or by other means, if no website exists) after approval by the data protection officer.
Under this new provision, enterprises will be required to conduct “an assessment of the privacy-related factors of any information system project or electronic service delivery project involving the collection, use, communication, keeping or destruction of personal information”.
Privacy by design
The Bill also proposes new requirements for enterprises who collect personal information “when offering a technological product or service”. Persons carrying on such enterprises must ensure the “highest level of confidentiality by default”, without any intervention by the consumer. This brings the proposed legislation in line with provisions adopted by the GDPR in Section 25 that creates obligations for entities to ensure data protection by design and by default.
However, it is currently unclear which enterprises would be considered as “offering a technological product or service”. This could be a narrow requirement (e.g., manufacturers of devices that collect personal information, such as mobile phones) or it could be much broader (e.g., enterprises which offer services online and use any kind of online metrics). The vague language will cause concern for enterprises, as they will not have a clear understanding of whether they or their services are caught.
New rights created under Bill 64
Bill 64 would give individuals the right to force enterprises to de-index hyperlinks associated with a person or to cease the dissemination of their personal information when such actions cause the person concerned “serious injury” in relation to reputation or privacy, where that injury outweighs the public’s interest in knowing the information or freedom of expression, and where the request for de-indexing or non-dissemination is narrowly scoped. If passed, this provision would require enterprises to develop internal processes to respond to such requests, including an internal mechanism for undertaking this balancing of interests.
Additionally, this Bill would create the right to request the source of information. This applies to situations where enterprises collect personal information from another person or entity. Upon request, the enterprise must inform the individual of the source of the data. Currently PIPEDA does not contain such a right.
The proposed legislation would also create rights concerning automated decision-making. Under the Bill, an enterprise which uses personal information to render a decision based exclusively on an automated processing of such information must, at the time of or before the decision, inform the person concerned accordingly. Enterprises adopting artificial intelligence or algorithms which engage in decision making (e.g., credit adjudication, admissions, denials of service, etc.) should think carefully about whether they should be inserting humans into the process at some point to avoid triggering these and other obligations.
The Bill would require anyone who collects personal information from a person “using technology that includes functions allowing the person concerned to be identified, located or profiled” to first inform the person (1) of the use of such technology; and (2) of the means available, if any, to deactivate the functions that allow a person to be identified, located or profiled.
“Profiling” means the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests or behaviour.
This provision, if enacted, would, among other things, impose new obligations on the ad tech industry, as well as users of such services.
Right to data portability
Under current provisions set out by Québec’s privacy legislation, individuals have the right to request the confirmation and communication of their personal information held by an enterprise. Bill 64 would bring new rights under the proposed amendments by allowing individuals to request a copy of their information in writing. The Bill would require enterprises to provide individuals upon request with computerized personal information collected from the person and released in a structured, commonly used technological format. Note that this provision appears to apply only to electronic (“computerized”) information and does not impose an obligation on an enterprise to digitize records in paper format.
The Bill also introduces the right of action which allows individuals to bring claims against enterprises for “injury resulting from the unlawful infringement of a right” under the public or private sector privacy acts. Where infringement takes place as a result of intention or gross fault on behalf of the enterprise, statutory punitive damages of at least $1,000 would be awarded.
Mandatory breach notification requirements
Under the provisions of Bill 64, public bodies and private enterprises will be required to assess whether a “confidentiality incident” presents a “risk of serious injury” to those impacted and, if so, must “promptly notify” the CAI and the individual of the confidentiality incident. Enterprises may also notify third parties that could reduce the risk. This provision brings the new legislation in line with current PIPEDA requirements as to when notification of a breach takes place. Enterprises would also be required to maintain a register of confidentiality incidents.
New penalties for offences and a private right of action
Along with the new provisions, Bill 64 radically updates the current penalties and gives the CAI more power to impose both administrative and penal penalties on offenders. The CAI will have the ability to impose administrative penalties of up to $50,000 on an individual and, in all other cases, up to $10,000,000 or, if greater, 2% of worldwide turnover for the preceding fiscal year, for a variety of contraventions, including failure to report a breach, processing of personal information in contravention of the Québec private sector privacy act, and failure to inform individuals about automated processing. Any such fines would be subject to review by the Commission’s oversight division, and to further review by the Court of Québec.
For penal offences, the CAI can impose penalties on an individual of from $5,000 up to $50,000 and, in all other cases, up to $25,000,000 or, if greater, 4% of worldwide turnover for the preceding fiscal year, on any enterprise that collects, holds, communicates to third parties or uses personal information in contravention of the Act; fails to report a breach; attempts to re-identify an individual without authorization where their information is de-identified; impedes the Commission’s investigation; or fails to comply with an order of the Commission.
While the existing Québec private sector privacy law already contained directors’ and officers’ liability for offences, note that this exposure is now much more significant given the proposed quantum of monetary penalties.
Timing of Bill becoming law
Bill 64 has been sent to the consultation stage at the Québec National Assembly, which is currently in recess and will not come back until September. In addition, the transitional provisions provide that Bill 64 will come into force one year after the date of its assent. As a result, it seems unlikely that the amendments proposed in Bill 64 would come into effect until 2022.
Comparison chart: Bill 64, PIPEDA and the GDPR
Below is a table that briefly outlines the differences and similarities between Bill 64, PIPEDA, and GDPR.
The post “Québec’s new privacy bill: a comparison of Bill 64, PIPEDA, and the GDPR” was first posted on Privacy and Cyber Security Law, written by Kirsten Thompson and Olivia D'Souza.