
In Canada, the main laws governing personal data protection and privacy at the federal level are the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act. On November 17, 2020, the former Minister of Innovation, Science and Industry, Navdeep Bains, introduced An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts (Bill C-11, or the Digital Charter Implementation Act) for consideration in the House of Commons. Bill C-11 was slated to update Canada’s private-sector data privacy laws. However, it died on the Order Paper in August.
While efforts to enact reforms at the federal level have been halted for the moment, businesses should still be keeping a close eye on what is happening at the provincial level.
On September 22, 2021, Québec’s An Act to modernize legislative provisions as regards the protection of personal information (Bill 64) received royal assent in the National Assembly of Québec. Octillo will continue to monitor the provisions of Québec’s new privacy law and will provide updates prior to the effective date. With broad implications and with substantive provisions becoming effective in 2022, 2023, and 2024, private-sector businesses should take proactive steps to prepare for Québec’s new privacy law starting now.
Here are some of the important changes to be aware of:
Provisions effective starting September 22, 2022:
Designation of the Person in Charge of the Protection of Personal Information
Section 95 of Bill 64 adds Section 3.1 to Québec’s Private Sector Act.
By default, the person exercising the highest authority in a business, such as the chief executive officer, will be the person in charge of the protection of personal information. This responsibility may be delegated to another person, and that person’s title and contact information must be posted on the website of the business.
Confidentiality Incident Notifications to the Commission d'accès à l'information (CAI)
Section 95 of Bill 64 adds Sections 3.5-3.8 to Québec’s Private Sector Act.
Bill 64 defines a “confidentiality incident” as: (1) access not authorized by law to personal information; (2) use not authorized by law of personal information; (3) communication not authorized by law of personal information; or (4) loss of personal information or any other breach in the protection of such information.
Businesses must promptly notify the CAI about confidentiality incidents that “present a risk of serious injury” and must also notify any person whose personal information is concerned in such an incident.
The determination of a “risk of serious injury” depends on certain factors, such as “the sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes.”
Businesses must also keep a register of all confidentiality incidents, to be provided to the CAI upon request.
Changes Concerning Personal Information in Commercial Transactions
Section 107 of Bill 64 adds Sections 18.3-18.4 to Québec’s Private Sector Act.
Bill 64 defines a “commercial transaction” as involving:
- the alienation or leasing of all or part of an enterprise or its assets;
- a modification of its legal structure by merger or otherwise;
- the obtaining of a loan or any other form of financing by the enterprise; or
- the obtaining of a security taken to guarantee any of its obligations.
When necessary for concluding a commercial transaction, businesses may communicate personal information without the consent of the person concerned. However, prior to such transactions, businesses must enter into an agreement ensuring that the other party will only use the information for concluding the commercial transaction, will not communicate the information without consent, will take measures required to protect the confidentiality of the information, and will destroy the information if the transaction does not go through or if the information is no longer necessary.
Please note that the new Section 18.4 on entering into an agreement prior to such transactions becomes effective in 2022, while the new Section 18.3 becomes effective in 2023.
Changes Concerning Personal Information in Research Studies
Section 110 of Bill 64 amends Section 21 of Québec’s Private Sector Act.
When using the information for study or research purposes or to produce statistics, businesses may communicate personal information without the consent of the person if a privacy assessment concludes that:
- the objective can only be achieved if the information is communicated in a form allowing the persons concerned to be identified;
- it is unreasonable to require obtaining consent;
- the objective outweighs with regard to the public interest;
- the personal information is used in such a way as to ensure confidentiality; and
- only necessary information will be communicated.
Businesses wishing to use personal information in studies and research must make the request in writing and enclose several other required materials and pieces of information. If applicable, businesses must also describe the different technologies to be used and send the documented decisions of a research ethics committee.
Bill 64 also lists several requirements that businesses must work into an agreement with the persons or entities receiving the personal information.
Provisions effective starting September 22, 2023:
Governance Policies and Practices Regarding Personal Information
Section 95 of Bill 64 adds Section 3.2 to Québec’s Private Sector Act.
Businesses must establish and implement governance policies and practices regarding personal information. Such policies must provide a framework for the keeping and destruction of the information, define the roles and responsibilities of the members of its personnel throughout the life cycle of the information, provide a process for dealing with complaints, be proportionate to the nature and scope of the business, and be approved by the person in charge of the protection of personal information.
Businesses must publish detailed information about these policies on their websites in simple and clear language.
Privacy Assessments
Section 95 of Bill 64 adds Sections 3.3-3.4 to Québec’s Private Sector Act.
Businesses must conduct privacy assessments for the acquisition, development, or overhaul of information or electronic service delivery systems involving the collection, use, communication, keeping, or destruction of personal information.
The person in charge of the protection of personal information may suggest measures such as:
- the appointment of a person to be responsible for implementing the personal information protection measures;
- measures to protect the personal information in any document relating to the project;
- descriptions of the project participants’ responsibilities regarding the protection of personal information; or
- training activities for project participants on the protection of personal information.
Privacy assessments must be conducted proportionately to the sensitivity of the information concerned, the purposes for which the information will be used, the quantity and distribution of the information, and the medium on which it is stored.
Personal Information Concerning Minors Under 14 Years of Age
Section 96 of Bill 64 replaces Section 4 of Québec’s Private Sector Act.
Businesses may not collect personal information concerning a minor under 14 years of age without parental or tutor consent unless collecting the information is clearly for the minor’s benefit.
Necessary Purposes
Section 97 of Bill 64 amends Section 5 of Québec’s Private Sector Act.
Any person collecting personal information on another person may collect only the information necessary for the purposes determined before collecting it.
Source of the Personal Information
Section 98 of Bill 64 amends Section 7 of Québec’s Private Sector Act.
Any person collecting personal information from another person carrying on an enterprise must, at the request of the person concerned, inform the latter of the source of the information.
Consent
Section 99 of Bill 64 replaces Section 8 of Québec’s Private Sector Act.
When collecting information and upon request, businesses must provide, in clear and simple language, the purposes of collection, the means of collection, the rights of access and rectification under law, and the right to withdraw consent.
Persons concerned may also request the categories of persons who have access to the information within the business, the duration of time the information will be kept, and the contact information of the person in charge of the protection of personal information.
Businesses must also inform individuals of any collection of personal information using a technology that includes functions allowing the individual to be identified, located, or profiled and the means available to deactivate such functions.
Businesses collecting personal information through technological means must publish on their websites a confidentiality policy in clear and simple language.
Any person who provides his or her personal information in accordance with this new Section 8 of Québec’s Private Sector Act consents to its use for the stated purposes.
Section 102 of Bill 64 replaces Sections 12-14 of Québec’s Private Sector Act.
Unless the person concerned gives his or her consent, personal information may not be used within the business except for the purposes for which it was collected. Such consent must be given expressly when it concerns sensitive personal information.
Personal information may, however, be used for another purpose without consent, but only if:
- its use is necessary for preventing and detecting fraud or assessing and improving protection and security measures;
- its use is necessary for providing or delivering a product or providing a service requested by the person concerned;
- its use is necessary for study or research purposes or to produce statistics and if the information is de-identified.
Privacy by Default
Section 100 of Bill 64 adds Section 9.1 to Québec’s Private Sector Act.
Businesses that collect personal information when offering a technological product or service must ensure that the parameters of the product or service provide the highest level of confidentiality by default, without any intervention by the person concerned.
Automated Decision-Making
Section 102 of Bill 64 replaces Sections 12-14 of Québec’s Private Sector Act.
Businesses that use personal information to render a decision based exclusively on automated processing of such information must inform the person concerned accordingly, not later than at the time they inform the person of the decision.
The person concerned must be given the opportunity to submit observations to a member of the business who is in a position to review the decision.
Third Parties
Section 102 of Bill 64 replaces Sections 12-14 of Québec’s Private Sector Act.
No person may communicate to a third person the personal information he holds on another person, unless the person concerned consents to, or this Act provides for, such communication. Such consent must be given expressly when it concerns sensitive personal information.
Cross-Border Data Transfers
Section 103 of Bill 64 replaces Section 17 of Québec’s Private Sector Act.
Before communicating personal information outside Québec, businesses must assess privacy-related factors. They must consider:
- the sensitivity of the information;
- the purposes for which it is to be used;
- the protection measures, including those that are contractual, that would apply to it; and
- the legal framework applicable in the State in which the information would be communicated, including the personal information protection principles that apply in that State.
The information may be communicated if the assessment establishes that it would receive adequate protection, in light of generally recognized principles regarding the protection of personal information.
Destruction of Personal Information
Section 111 of Bill 64 replaces Section 23 of Québec’s Private Sector Act.
Where the purposes for which personal information was collected or used are achieved, businesses must destroy or anonymize the information, subject to any preservation period provided for by an Act.
De-Indexation
Section 113 of Bill 64 replaces Section 28 of Québec’s Private Sector Act.
The person to whom the personal information relates may require a business to cease disseminating that information or to de-index any hyperlink attached to his name that provides access to the information by a technological means if the dissemination of the information contravenes the law or a court order.
This new section lists several situations in which hyperlinks may be re-indexed.
Provisions effective starting September 22, 2024:
Copies of Personal Information Upon Request
Section 112 of Bill 64 amends Section 27 of Québec’s Private Sector Act.
Businesses must, upon request, confirm the existence of personal information, communicate it in a structured and commonly used technological format, and allow people to obtain copies of their personal information.
Conclusion
Many of the provisions of Québec’s new privacy law do not become effective until 2023 and 2024. However, there are a few notable provisions that become effective starting on September 22, 2022. Octillo continues to monitor this area and will provide updates as the effective date approaches. Our Compliance Team recommends that businesses both within and outside Québec take proactive steps to prepare for the full implementation of Bill 64 starting now, especially now that there will be a new enforcement and penalties regime.