Wondering what the Quebec privacy act amendments are?
What new privacy obligations are proposed under Bill 64?
How do they affect your business?
In this article, we will discuss the legislative amendments proposed by the Quebec government to modernize its data privacy law.
Are you ready?
Let’s get started!
What is Bill 64?
On June 12, 2020, An Act to Modernize Legislative Provisions Respecting the Protection of Personal Information, or Bill 64, was introduced in the Quebec National Assembly.
Bill 64 proposes legislative amendments to modernize Quebec’s privacy act, the Act Respecting the Protection of Personal Information in the Private Sector, adopted in 1994, more than 25 years ago.
The objective of this new Bill is to strengthen data protection and privacy in Quebec and to increase the responsibility imposed on organizations to protect and safeguard individuals' personal information.
Quebec privacy act
The Act Respecting the Protection of Personal Information in the Private Sector (“Quebec Privacy Act”) was sweeping when it was adopted.
In 1994, Quebec became the first jurisdiction in North America to adopt data protection and privacy legislation intended to protect individuals' personal information.
Over the years, however, Quebec fell behind.
A recent string of data breaches involving Quebec organizations revealed the inadequacies of the Quebec Privacy Act, prompting the Quebec authorities to act.
These inadequacies have become more apparent since the adoption of the General Data Protection Regulation, or GDPR, in 2018.
The European Union's adoption of GDPR has made it the global reference with respect to data protection and privacy.
Within Canada, the Quebec Privacy Act applies when an organization's collection, use and disclosure of personal information occur entirely within the province.
The moment the personal information crosses Quebec's borders, the federal data privacy legislation applies, namely the Personal Information Protection and Electronic Documents Act (PIPEDA).
Where the Quebec Privacy Act applies, let's evaluate the amendments proposed by Bill 64.
What are the proposed amendments by Bill 64?
Bill 64 represents an overhaul of the Quebec Privacy Act.
In February 2020, the Quebec minister of justice indicated that the new legislation will draw important principles from the data protection and privacy laws in Europe.
Bill 64, if adopted, will become the most onerous data privacy legislation in Canada.
So what are the proposed amendments by Bill 64 to the Quebec Privacy Act?
In summary, the amendments proposed are intended to:
- Increase the sanctions on organizations violating the Quebec Privacy Act
- Allow companies to be pursued for damages
- Require organizations to appoint a Chief Privacy Officer
- Impose data breach notification obligations
- Enhance individuals' rights with respect to their data
- Introduce privacy by design obligations
- Impose cross-border data protection and impact assessment obligations
As you can see from the summary above, the Quebec legislative authorities intend to ramp up the Quebec Privacy Act and bring it to the current global standards.
Stricter penalties and sanctions
Based on the proposed amendments, the Commission d’accès à l’information (“CAI”), the privacy regulator, will have the power to impose stricter penalties on organizations violating the Quebec Privacy Act.
Administrative sanctions can go up to $10 million or 2% of the organization’s worldwide turnover, based on the revenues recorded in its previous fiscal year.
Penal sanctions can go up to the higher of $20 million or 4% of the organization’s worldwide turnover, with a minimum fine of $15,000.
In light of the amendments proposed to the Quebec Privacy Act, the highest-ranking person within a company will be accountable for the company’s data privacy and protection practices.
We can consider this person to be the company president or Chief Executive Officer (CEO).
The company president or CEO may delegate this obligation to a person who must be specifically mandated to this effect.
The person to whom this obligation is delegated must be publicly identified by the company on its website.
Privacy governance obligations
Companies must perform a privacy impact assessment when collecting, using, disclosing, retaining or destroying personal information.
This privacy governance obligation requires companies to understand the impact of collecting, using and disclosing personal information and to take the necessary steps to mitigate any risk to the individual.
Furthermore, companies must adopt governance rules to safeguard and protect personal information from the moment personal data is collected to its destruction.
The company’s appointed privacy officer or the president must approve the governance policies.
For individuals to understand the privacy policies and practices employed by companies operating in Quebec, companies are required to publish this information on their website.
Breach notification obligations
The Quebec Privacy Act needed a refresher with respect to data breach incidents and the associated obligations on organizations.
To harmonize the Quebec Privacy Act with PIPEDA and the Alberta Personal Information Protection Act (PIPA), Bill 64 imposes the following:
- If a data breach incident occurs, it must be reported to the CAI when there is a risk of serious harm to the individual
- The risk of harm must be evaluated based on the sensitivity of the breached data, the consequences for the individual and the likelihood that the data will be used to cause harm
- Companies must mitigate the risk of harm and take preventive measures to reduce the chances of a further incident
Privacy by design
In alignment with GDPR, the privacy amendments proposed in Quebec require that companies adopt a privacy by design approach when offering technology products and services.
When designing software or technology products, or rendering services, companies must ensure that, by default, confidentiality mechanisms provide a high degree of protection for personal data.
Third-party service provider obligations
When a company retains the services of a third-party service provider, the confidentiality obligations of the proposed privacy amendments apply to that provider as well.
For example, companies offering software-as-a-service (SaaS) generally hire a third-party service provider for their hosting environment.
Under the amendments proposed in Bill 64, even when a third-party service provider is engaged, both the company and the third party remain accountable for preserving the confidentiality of the data.
Consent exception relating to a business transaction
Bill 64 allows companies entering into a business transaction to benefit from an exception to the requirement to obtain individual consent when the following conditions are met:
- A business transaction is being concluded, including provisions relating to the disclosure, protection and destruction of personal data
- The use and disclosure of the personal data must be in accordance with the Quebec Privacy Act
- The individual must receive a notification of the retention of personal information after the business transaction is concluded
Data anonymization and destruction
The Quebec legislative authorities intend to adopt provisions obliging companies to either destroy personal data or anonymize it once the purpose for which it was collected has been achieved.
Data anonymization is the technical process by which personal data is irreversibly altered so that it no longer allows the person to be identified, directly or indirectly.
Technological methods to collect personal data
When companies use technology to collect personal information in order to identify, locate or profile a person, the individual must be informed of such practices.
Furthermore, companies must inform the individual how they can block or deactivate the collection of their information so that they are not tracked or profiled in any way.
Exceptions to getting consent
Bill 64 introduces certain exceptions to the obligation of getting individual consent particularly by allowing the de-identification of information for a study, research or statistical purpose.
De-identification means that the person can no longer be identified as an individual.
The Bill sets out the conditions under which this new exception to consent applies when organizations are conducting a study, research or statistical analysis.
Right to be forgotten
The Act to Modernize Legislative Provisions Respecting the Protection of Personal Information introduces important enhancements to individual rights such as the right to be forgotten.
Under certain conditions, individuals can ask companies to erase their personal information, either in the event of a violation of the law or as required by a court of law.
Right to be de-indexed
In addition to the right to be forgotten, individuals can ask companies to de-index any hyperlink associated with their name when the following conditions are met:
- The dissemination of the information causes serious injury to the individual’s reputation
- The injury outweighs the public interest in the dissemination of the information
- The de-indexing or re-indexing requested does not exceed what is needed to avoid perpetuating the injury
Right to object to automated decision-making
Under this new right, individuals can request that companies refrain from making decisions about them based exclusively on automated decision-making processes unless the company has previously informed the individual in question.
Individuals are given the following rights:
- To know the personal information used to make the decision
- To know the reasons for the decision
- To have the information corrected
Right to data portability
As in other important data privacy laws, data portability is a new right granted to individuals in Quebec.
When requested, companies must provide the data relating to a person in a machine-readable format and disclose it to the individual in an intelligible manner.
Companies should deliver personal data to individuals in a structured and commonly used technological format.
Cross-border transfer of data
Under the amendments proposed in Bill 64, companies must observe important new obligations when transferring data outside of Quebec.
Before transferring data to an organization outside of Quebec, a company must:
- Perform a privacy impact assessment
- Consider the sensitivity of the information to be transferred out of Quebec
- Consider the purpose of the transfer
- Consider the protection the data will be afforded when transferred out of Quebec
- Assess the legal framework of the jurisdiction where data is being transferred to
- Assess the degree of equivalence of the protections offered by the foreign jurisdiction as compared to Quebec
If the company's privacy impact assessment is satisfactory, the company must enter into a written agreement for the protection of data and privacy and mitigate any risk identified during the impact assessment.
If the impact assessment is not satisfactory, the company is not authorized to transfer the data outside of Quebec.
Quebec was the first jurisdiction in North America to adopt a data privacy law back in 1994.
When the Act Respecting the Protection of Personal Information in the Private Sector was adopted in Quebec, it placed Quebec as a leader in the data privacy and protection space in North America.
However, over time, Quebec lost its leadership position.
The Canadian government adopted PIPEDA, and the European Union adopted GDPR in 2018, becoming the global leader in this field.
The Quebec Privacy Act was due for a major overhaul, and that is exactly what is proposed under Bill 64, An Act to Modernize Legislative Provisions Respecting the Protection of Personal Information.
Bill 64 intends to bring Quebec back to the forefront of data privacy and data protection laws around the world.
If adopted, the Quebec Privacy Act will become Canada’s strictest data privacy law.
In this article, we’ve looked at the amendments proposed by Bill 64, which relate to:
- Heavy administrative and penal sanctions in the event of violations to the Quebec Privacy Act
- The possibility for companies to be sued for damages
- Important governance obligations requiring companies to manage their data protection and privacy obligations
- New and mandatory data breach notification obligations
- Enhancements to individual rights to their personal information
- Privacy by design obligations
- Obligations imposed on companies for cross-border transfer of personal information
We hope this article allows you to better grasp the changes and amendments that are on the horizon.
We will monitor the legislative process relating to Bill 64 and inform you of any important changes and milestones in the sanctioning of this Bill.