In a previous publication, we had announced the Quebec government’s intention to put forward a significant reform of the Act respecting the protection of personal information in the private sector (the Act).
The government finally tabled the bill to implement this reform, thereby making known the details of this ambitious bill to modernize Quebec’s privacy framework.
The bill aims to modernize not only the Act, but also the Act respecting Access to documents held by public bodies and the Protection of personal information, which provides a framework for handling personal information in the public sector. The sole purpose of this Legal update, however, is to address the proposed amendments to the Act affecting Quebec-based private businesses.
On June 12, 2020, Quebec’s minister of justice, Ms. Sonia Lebel, tabled Bill 64, entitled An Act to modernize legislative provisions as regards the protection of personal information.
As discussed in our previous publication, this bill essentially aims to modernize the privacy framework applicable in Quebec and to adapt it to the digital environment by drawing on the main principles of the European Union’s General Data Protection Regulation (GDPR).
Bill 64 proposes more than 60 amendments to the Act. The purpose of this Legal update is not so much to analyze each of these amendments in depth, but rather to present the main components of the reform.
Person responsible in the business
Bill 64 provides that the person exercising the highest authority in the business be in charge of protecting personal information. This person may, however, delegate this function to another member of the personnel. The title and contact information of the person in charge of protecting personal information must be published on the business’ website.
Bill 64 provides that any business subject to the Act
Privacy by design
Bill 64 integrates in Quebec legislation the principle of privacy by design. Private bodies covered by the Act must conduct an assessment of the privacy-related factors of any information system project or electronic service delivery project involving the collection, use, release, keeping or destruction of personal information.
Obligation to notify the Commission in the event of a data breach
Bill 64 imposes on businesses the obligation to notify Quebec’s access to information commission (CAIQ) and the persons concerned regarding any confidentiality incident (e.g. loss of access or unauthorized access to personal information) to the extent that there is a risk of serious injury. This new regime is similar to the one already in force at the Federal level and in Alberta.
Collection of personal information
Businesses subject to the Act must, before collecting personal information, determine the reasons for this collection. Businesses may only collect necessary information for purposes determined prior to collection. The bill also provides that businesses must, when collecting information, inform the person concerned (i) of the purposes for which this information is being collected, (ii) of how the information is collected, (iii) of the rights of access and rectification provided by law, (iv) of his right to withdraw his consent to the release or use of the information collected, and, to the extent applicable, (v) of the name of the third party for whom the collection was carried out, and (vi) of the possibility that the information will be released outside Quebec.
Locating and profiling tools
When a business collects personal information from a person using a technology that includes functions allowing the person to be identified, located or profiled, it must first inform the person (i) of the use of such technology, and (ii) of the means available, if any, to deactivate the functions that allow a person to be identified, located or profiled.
Parameters of confidentiality by default
Businesses that collect personal information by offering a technological product or service must ensure that the parameters of that product or service are set, by default, to the highest level of protection, without any intervention by the person concerned.
Decision based on the automated processing of personal information
When a business uses personal information in order to render a decision based exclusively on the automated processing of such information, it must, at the time of the decision or before, inform the person concerned. The business must also, at the request of the person concerned, inform him or her (i) of the personal information used to render the decision, (ii) of the reasons, as well as the main factors and parameters, that led to the decision, and (iii) of its right to have the personal information used to make the decision rectified. The person concerned must also be given the opportunity to submit observations to a member of the personnel of the business who is in a position to review the decision.
Consent specific for each purpose
Bill 64 provides that consent must be clear, free, informed and be given for specific purposes. This consent must be requested for each such purpose, in clear and simple language, separately from any other information provided to the person concerned. This consent is valid only for the time necessary to achieve the purposes for which it was requested.
Personal information released outside Quebec
Before releasing personal information outside Quebec, the business must conduct a privacy impact assessment, as well as an assessment of the legal framework applicable in the State where the information would be released. The information may be released only if the assessment establishes that it would receive protection equivalent to that afforded under the Act. The release of the information outside Quebec must be the subject of a written agreement that takes into account, in particular, the terms agreed on to mitigate the risks identified in the assessment. Finally, the Minister needs to publish a list of the States whose legal framework governing personal information is equivalent to the personal information protection principles applicable in Quebec.
Carrying out a service contract or mandate
Businesses may, without obtaining the consent of the person concerned, communicate personal information to a mandatary or to a service provider if such communication is necessary for performing the mandate or for carrying out the service contract. The contract must, however, be in writing and specify the measures the mandatary or the service provider must take to protect the confidentiality of the personal information being communicated.
Concluding a commercial transaction
Bill 64 provides that businesses may, without obtaining consent from the persons concerned, communicate personal information to conclude a transaction involving a transfer of ownership. An agreement must first be entered into with the other party that stipulates that such party must undertake to protect the personal information and use it only for purposes of concluding the commercial transaction.
Destruction or anonymization of personal information
Bill 64 provides that, when the purposes for which personal information was collected or used are achieved, the person carrying on a business must destroy or anonymize the information, according to generally accepted best practices, subject to any preservation period provided for by the Act
Right of access and correction
Businesses must allow persons concerned to obtain confirmation that they hold personal information and have been authorized to obtain a copy of it. Persons concerned may also, if the personal information concerning them is inaccurate, incomplete or equivocal, or if collecting, communicating or keeping it is not authorized by law, require that the information be rectified.
Right to be forgotten
The person to whom personal information relates may require that a business cease to disseminate that information or to de-index or re-index any hyperlink attached to his or her name that provides access to the information by a technological means, when (i) the dissemination of the information causes the person concerned serious injury in relation to his right to the respect of his reputation or privacy, (ii) this injury is clearly greater than the interest of the public in knowing the information or the interest of any person in expressing himself freely, and (iii) the cessation of dissemination, re-indexation or de-indexation requested does not exceed what is necessary for preventing the perpetuation of the injury.
Penalty up to $10,000,000
Bill 64 contains a number of provisions to ensure compliance with the Act. The most significant provision in this regard concerns the increase in penalties likely to apply in the event of non-compliance with the Act. The maximum amount of the monetary administrative penalty for businesses is $10,000,000 or, if greater, the amount corresponding to 2% of worldwide turnover for the preceding fiscal year.
Bill 64 imposes new obligations for Quebec businesses that collect and have personal information. This bill also gives new rights to individuals who agree to release this information. The amendments proposed by Bill 64 will therefore substantially increase the risks related to the processing of personal information for Quebec businesses. In order to comply with the new provisions of the Act, they will need to make significant changes to their personal information collection and management practices. This appears all the more true as the applicable penalties will be significantly increased.