By now, you have probably heard about Data Privacy Day (actually January 28th, unless you are the Privacy Commissioner of Canada, who has seen the opportunity here and declared January 22-26 to be Data Privacy Week).
Data Privacy Day this year has proved to be a busy one, as new technologies are driving lawmakers to revise, amend, update and pass laws aimed at reining in the indiscriminate use of personal information. The rapidly changing laws are forcing companies to overhaul their practices, processes, and in some cases, business models.
Anyone trying to keep up with the changes in Canada alone may feel overwhelmed.
Québec publishes draft anonymization regulations
Perhaps the biggest item on everyone’s reading list is the new Québec private sector privacy law (Québec Privacy Act). The bulk of its provisions came into force in September 2023, and it has been challenging to keep up with the Act itself, as well as the guidance coming from the Commission d’accès à l’information du Québec (“CAI”).
While the Québec Privacy Act allows anonymization, the CAI recently took the position that anonymization was prohibited until regulations outlining an acceptable anonymization process were created (see our blog post here). Fortunately, draft regulations were released on December 20, 2023. You can access the draft regulations in English here and in French here.
They are a good first step, but have raised some questions for companies, as outlined in our blog post here. Note that the draft regulations are open for comment until the first week of February.
Criteria for Valid Consent
The CAI has issued a number of guidance documents to assist companies as they try to navigate the Québec Privacy Act, which in many respects is conceptually different from PIPEDA and its provincial counterparts in Alberta and British Columbia. Most of those guidance documents on the CAI’s website are in French only. We provide Dentons’ unofficial English translations as our gift to you this Data Privacy Day/Week.
It is worth noting that the guideline primarily deals with valid consent and does not address in any detail the exception to consent or the availability of presumed consent.
Dentons has produced a simplified flow chart of the entire consent process (exceptions, presumed consent and valid consent), which will assist those struggling to understand Québec’s consent regime and is a helpful shortcut to navigating the actual legislation.
Privacy impact assessments
The Québec Privacy Act also introduced obligations on companies to conduct privacy impact assessments (PIA) for projects that involve any of the following three categories of activities:
1. Communicating personal information to a third party wishing to use the information for study or research purposes or for the production of statistics without the consent of the persons concerned. The information may only be communicated upon completion of a satisfactory PIA, which must address five specific factors set out in s. 21 of the Québec Privacy Act.
2. Implementing any project to acquire, develop or overhaul an information system or electronic service delivery system which involves the collection, use, communication, keeping or destruction of personal information (s. 3.3).
3. Communicating personal information outside Québec or entrusting a person or body outside Québec with the task of collecting, using, communicating or keeping personal information. The PIA in this case (technically a Transfer Impact Assessment or TIA) must take into consideration the factors set out in s. 17.
The CAI notes that use of the PIA Template is not mandatory and also suggests adapting the PIA Template to the context and scope of the assessment being conducted.
For more information on data privacy, please contact a member of Dentons’ Privacy and Cybersecurity group.