On June 12, 2020, the Québec government proposed a significant overhaul of its current privacy laws through the introduction of the highly anticipated Bill 64, An Act to Modernize Legislative Provisions Respecting the Protection of Personal Information (the Bill). The stated objective of the changes, once passed, is to modernize the protection of personal information and to ensure that both the public and private sectors meet their obligations to protect the personal information they hold.
Should the Bill pass, both public and private organizations across Québec would see major reforms and significantly increased obligations as to how they hold and protect their customers’ personal data.
The key changes are:
- Privacy by design obligations for the default settings for companies’ technology products.
- More onerous consent requirements.
- New rights for individuals: data portability, the right to be forgotten and the right to object to automated processing of their personal information.
- The requirement to appoint a Chief Privacy Officer and establish governance policies and practices.
- Mandatory breach reporting and notification.
- Significant penalties that could be imposed by the Commission d’accès à l’information (CAI): administrative penalties of up to $50,000 for an individual and, in all other cases, up to $10 million or 2% of worldwide turnover, whichever is greater; and penal sanctions of up to $25 million or 4% of worldwide turnover for organizations.
- A private right of action (in other words, statutory damages resulting from the unlawful infringement of a right under the Québec privacy acts).
- The introduction of a “business transaction” exception to consent, which would allow personal information to be disclosed without consent in the course of a business transaction.
In many ways, this proposed reform brings Québec’s privacy laws in line with the European Union’s General Data Protection Regulation (GDPR). The proposed changes are also conceptually similar to those anticipated as part of the modernization of the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
We provide a comparison table at the end of the post that highlights the similarities and differences among Bill 64, PIPEDA and GDPR.
Key features of the Bill
Bill 64 proposes changes to the current consent provisions. In particular, consent would have to be requested for each specific purpose, in clear and simple language, and “separately from any other information provided to the person concerned”. Organizations would also be required to assist the individual in understanding the implications and terms of the consent requested. Additionally, under Bill 64 consent would remain valid only for as long as necessary to achieve the purpose for which it was requested; once that purpose has been achieved, the consent ceases and the information must be destroyed or anonymized. “Sensitive information” would also require express consent.
Bill 64 also creates new provisions for those under the age of 14, whereby express consent must be obtained from the person with parental authority.
Designation of a data protection officer
One of the key requirements under the Bill is the designation of a data protection officer (DPO), whose job would be to ensure the enterprise complies with the statutory privacy requirements and to implement governance policies and practices regarding personal information. The Bill gives no specific title to this role; it is assigned by default to the person within the enterprise exercising “the highest authority”, who may delegate it in writing to another member of staff. PIPEDA already imposes a similar requirement: every organization subject to PIPEDA must designate an individual who is accountable for its compliance (often called a privacy officer) and make the identity of that individual known on request.
Data governance and accountability
Bill 64 mandates that all public bodies and enterprises through their DPO must establish and implement governance policies and practices regarding the company’s use of personal information. Specifically, these policies must:
- Outline the framework for keeping and destroying personal information;
- Define the key roles and duties of the employees for the enterprise throughout the life cycle of the data; and
- Outline a process for dealing with complaints regarding the protection of information.
All policies must be clearly published on the enterprise’s website (or by other means, if no website exists) after approval by the data protection officer.
Under this new provision, enterprises will be required to conduct “an assessment of the privacy-related factors of any information system project or electronic service delivery project involving the collection, use, communication, keeping or destruction of personal information”.
Privacy by design
The Bill also proposes new requirements for enterprises that collect personal information “when offering a technological product or service”. Persons carrying on such enterprises must ensure the “highest level of confidentiality by default”, without any intervention by the consumer. This brings the proposed legislation in line with Article 25 of the GDPR, which obliges controllers to ensure data protection by design and by default.
However, it is currently unclear which enterprises would be considered to be “offering a technological product or service”. The requirement could be narrow (e.g., manufacturers of devices that collect personal information, such as mobile phones) or much broader (e.g., enterprises that offer services online and use any kind of online metrics). The vague language will cause concern for enterprises, as they will not have a clear understanding of whether they or their services are caught.
New rights created under Bill 64
Bill 64 would give individuals the right to require enterprises to de-index hyperlinks associated with them, or to cease disseminating their personal information, where (1) the dissemination causes the person concerned “serious injury” in relation to reputation or privacy, (2) that injury outweighs the public’s interest in knowing the information and the right to freedom of expression, and (3) the de-indexing or non-dissemination requested is narrowly scoped. If passed, this provision would require enterprises to develop internal processes to respond to such requests, including a mechanism for carrying out this balancing of interests.
Additionally, this Bill would create the right to request the source of information. This applies to situations where enterprises collect personal information from another person or entity. Upon request, the enterprise must inform the individual of the source of the data. Currently PIPEDA does not contain such a right.
The proposed legislation would also create rights concerning automated decision-making. Under the Bill, an enterprise which uses personal information to render a decision based exclusively on an automated processing of such information must, at the time of or before the decision, inform the person concerned accordingly. Enterprises adopting artificial intelligence or algorithms which engage in decision making (e.g., credit adjudication, admissions, denials of service, etc.) should think carefully about whether they should be inserting humans into the process at some point to avoid triggering these and other obligations.
Under the Bill, anyone who collects personal information from a person “using technology that includes functions allowing the person concerned to be identified, located or profiled” must first inform the person (1) of the use of such technology; and (2) of the means available, if any, to deactivate the functions that allow a person to be identified, located or profiled.
“Profiling” means the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests or behaviour.
This provision, if enacted, would, among other things, impose new obligations on the ad tech industry, as well as users of such services.
Right to data portability
Under current provisions set out by Québec’s privacy legislation, individuals have the right to request the confirmation and communication of their personal information held by an enterprise. Bill 64 would bring new rights under the proposed amendments by allowing individuals to request a copy of their information in writing. The Bill would require enterprises to provide individuals upon request with computerized personal information collected from the person and released in a structured, commonly used technological format. Note that this provision appears to apply only to electronic (“computerized”) information and does not impose an obligation on an enterprise to digitize records in paper format.
The Bill also introduces the right of action which allows individuals to bring claims against enterprises for “injury resulting from the unlawful infringement of a right” under the public or private sector privacy acts. Where infringement takes place as a result of intention or gross fault on behalf of the enterprise, statutory punitive damages of at least $1,000 would be awarded.
Mandatory breach notification requirements
Under the provisions of Bill 64, public bodies and private enterprises will be required to assess whether a “confidentiality incident” presents a “risk of serious injury” to those affected and, if so, must “promptly notify” the CAI and the individuals concerned. Enterprises may also notify third parties that could reduce the risk. This provision brings the new legislation in line with current PIPEDA requirements as to when breach notification is triggered. Enterprises would also be required to maintain a register of confidentiality incidents.
New penalties for offences and a private right of action
Along with the new provisions, Bill 64 radically updates the current penalties and gives the CAI more power to impose both administrative and penal penalties on offenders. The CAI would have the ability to impose administrative penalties of up to $50,000 on an individual and, in all other cases, up to $10,000,000 or, if greater, 2% of worldwide turnover for the preceding fiscal year, for a variety of contraventions, including failure to report a breach, processing of personal information in contravention of the Québec private sector privacy act, and failure to inform individuals about automated processing. Any such penalty would be subject to review by the Commission’s oversight division, and to further review by the Court of Québec.
For penal offences, the penalties range from $5,000 up to $50,000 for an individual and, in all other cases, up to $25,000,000 or, if greater, 4% of worldwide turnover for the preceding fiscal year, for any enterprise that collects, holds, communicates to third parties or uses personal information in contravention of the Act; fails to report a breach; attempts to re-identify an individual without authorization where their information has been de-identified; impedes an investigation by the Commission; or fails to comply with an order of the Commission.
While the existing Québec private sector privacy law already provides for directors’ and officers’ liability for offences, that exposure would become much more significant given the proposed quantum of monetary penalties.
Timing of Bill becoming law
Bill 64 has been sent to the consultation stage at the Québec National Assembly, which is currently in recess and will not come back until September. In addition, the transitional provisions provide that Bill 64 will come into force one year after the date of its assent. As a result, it seems unlikely that the amendments proposed in Bill 64 would come into effect until 2022.
Comparison chart: Bill 64, PIPEDA and the GDPR
Below is a table that briefly outlines the differences and similarities between Bill 64, PIPEDA, and GDPR.
| Question | Bill 64 (Québec) | PIPEDA (federal) | GDPR (EU) |
|---|---|---|---|
| How does this legislation impact private businesses? | The legislation applies to a person who collects, holds, uses or communicates personal information to third persons in the course of carrying on an enterprise. The meaning of “carrying on an enterprise” has been the subject of much debate. Paragraph 3 of article 1525 of the Civil Code of Québec provides the following criteria: “The carrying on by one or more persons of an organized economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property, or providing a service, constitutes the operation of an enterprise.” The definition has not changed from the current Act. | PIPEDA applies to any organization that collects, uses or discloses personal information in the course of its commercial activities. | The GDPR applies to organizations established in the EU. It also applies to an organization based outside the EU if it either (a) offers goods or services to data subjects in the EU, or (b) monitors the behaviour of data subjects in the EU. |
| Whom does this legislation protect? | All natural persons are protected, regardless of citizenship. However, the territorial application of the Bill is unclear. The definition has not changed from the current Act. | All natural persons are protected, regardless of citizenship. | Data subjects in the EU are protected, regardless of nationality. |
| Does this protect private sector employees? | Yes (albeit not expressly). The definition has not changed from the current Act. | No. It applies only with respect to employees of organizations considered a “federal work, undertaking or business”. | Yes. |
| What type of information is protected under this legislation? | Any information held by an enterprise that relates to a person. The definition has not changed from the current Act. | Any information about an identifiable individual, with the exception of “business contact information” used for the purpose of communicating or facilitating communication with an individual in relation to their employment, business or profession. | Any information relating to an identified or identifiable individual. |
| How is information to be protected? | Under the Bill, any person carrying on an enterprise must establish and implement governance policies and practices regarding personal information that ensure the utmost protection of such information. The policies and practices must be proportionate to the nature and scope of the enterprise’s activities and approved by the individual in charge of the protection of personal information. | The information must be protected in accordance with the level of risk and the sensitivity of the information. | The information must be protected by technical and organizational measures appropriate to the state of the art and the risks presented by the processing. |
| Is a data protection officer (or equivalent) required? | Yes. | Yes. | Yes, if the core activities of the organization require regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (and for public authorities). |
| Does the data subject have access rights? | Yes. | Yes. | Yes. |
| Does the data subject have rectification rights? | Yes. | Yes. | Yes. |
| Does the data subject have deletion rights? | Yes. | No. | Yes. |
| Does the data subject have portability rights? | Yes. | No. | Yes. |
| Does the data subject have the right to object to/opt out of targeted ads? | Yes. | No. | Yes. |
| Is there a limitation on automated decision making? | Yes. | No. | Yes. |
| Is a privacy impact assessment required? | Yes. | No. | Yes. |
| Is there a carve-out for de-identified, aggregated, anonymized or publicly available information? | Certain sections of the existing law (Divisions II and III of the Privacy Act) do not apply to personal information that is public by law. De-identified information is partially addressed in narrow contexts. Anonymized information is carved out if it irreversibly no longer allows the person to be identified directly or indirectly. Aggregate information is not addressed. | Limited carve-out for publicly available information. No carve-out for de-identified information. PIPEDA equates information “made anonymous” with information that has been destroyed or erased, but there is a lack of clarity on what qualifies as anonymized information. | No carve-out for publicly available information. The GDPR does not apply to “anonymized” data, where the data can no longer identify the data subject. De-identified and aggregate information are not addressed. “Pseudonymization” is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific individual without the use of additional information, which must be kept separately. Pseudonymized information remains personal information. |
| Is sensitive data defined? | Yes. Under the Bill, personal information is sensitive if, due to its nature or the context of its use or release, it entails a high level of reasonable expectation of privacy. | Not defined; driven by context. | Yes. The GDPR prohibits processing of special categories of personal data, which is “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” However, the GDPR provides exceptions to this prohibition in certain circumstances. |
| When is reporting to a data protection authority required in the event of a breach? Notification of individuals? | Under the Bill, any person carrying on an enterprise who has cause to believe that a confidentiality incident involving personal information the person holds has occurred must assess whether it presents a risk of serious injury. If so, the person must “promptly notify” the CAI and “notify” any person whose personal information is concerned by the incident. | Where a breach occurs and poses a real risk of significant harm, the organization must report the breach to the Office of the Privacy Commissioner of Canada and notify affected individuals “as soon as feasible”. | The supervisory authority must be notified within 72 hours of the organization becoming aware of the breach, where feasible, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Affected individuals must be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms. |
| What type of penalties could a business face? | Penalties under Bill 64 are divided into administrative penalties and penal offences. Administrative penalties: the CAI may impose penalties on a natural person of up to $50,000 and, in all other cases, up to $10,000,000 or, if greater, 2% of worldwide turnover for the preceding fiscal year. Penal offences: fines on a natural person range from $5,000 up to $50,000 and, in all other cases, up to $25,000,000 or, if greater, 4% of worldwide turnover for the preceding fiscal year. | An organization that destroys personal information subject to an access request, takes disciplinary action against an employee who in good faith seeks to uphold the Act, or fails to notify individuals affected by a breach who should have been notified may be liable for fines of up to CAD 100,000 per individual who should have been notified and was not. | For the more severe violations listed in Art. 83(5) GDPR, fines can reach up to 20 million euros or up to 4% of total global turnover for the preceding fiscal year, whichever is higher. Even the catalogue of less severe violations in Art. 83(4) GDPR provides for fines of up to 10 million euros or up to 2% of global turnover for the preceding fiscal year, whichever is higher. The GDPR also gives individuals a cause of action to seek damages for violations, including failures of security measures and data breaches. |
For more information about Dentons’ data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, and training in respect of personal information.