Privacy legislation reform: Bill 64 has now been passed

In recent updates (available here and here), we announced the tabling of Bill 64 (Bill), which purports to implement an ambitious reform of the privacy legislation framework. More than one year after being tabled, the Act to modernize legislative provisions as regard the protection of personal information has now come into force. 

Impact of the coming into force

Even though the Bill was assented to last September 22, only a few sections came into force on that date, notably those relating to the reports on the application of privacy legislation that the Commission d’accès à l’information (Quebec’s access to information commission, or CAI) must present to the government. The Bill’s other sections will come into force gradually. The sections on the appointment of persons in charge of protecting personal information and the confidentiality incident notification obligations will come into force on September 22, 2022. September 22, 2023, will mark the coming into force of a vast majority of the sections, including those providing for penal sanctions, assessing privacy-related factors, developing privacy policies and practices, as well as changes in consent. Finally, the right to portability provision will come into force on September 22, 2024. Section 165 offers enterprises and bodies a grace period for aligning their practices with the many new requirements implemented by the Bill’s other 164 sections within the allotted time limit.

Changes with the greatest impact on enterprises and bodies

The Bill makes many changes to privacy legislation that specifically govern the protection of personal information, such as the Act respecting access to documents held by public bodies and the protection of personal information (Public Act) and the Act respecting the protection of personal information in the private sector (Private Act). Changes were also made to other laws, however, such as the Act respecting occupational health and safety or the Act respecting health services and social services.

While a few of the changes were made to correct clerical errors or ensure consistency, others are more substantial. Some of them even have a significant impact on enterprises and bodies, which will need to adapt their practices to comply with the new requirements within varying time limits. 

Here is an analysis of the main changes that entities subject to the Bill will have to  implement, along with the effective dates of these changes.

Changes coming into force on September 22, 2022

New notification requirements in cases of confidentiality incidents

One of the major changes introduced by Bill 64 is the procedure that must be followed in the event of a confidentiality incident involving personal information, namely any access to, or use or release of, personal information not authorized by law, or any loss of personal information. 

From now on, enterprises (and public bodies governed by the Public Act) having cause to believe that a confidentiality incident involving personal information they hold has occurred must take reasonable measures to reduce the risk of injury and prevent new incidents of the same nature. If the incident presents a risk of serious injury, the enterprise or public body must promptly notify the CAI as well as any person whose personal information is concerned by the incident.

Although there was previously no obligation to notify the CAI and persons concerned by the confidentiality incident (albeit best practices strongly suggested doing so), lawmakers chose to make this an obligation, in line with the approach adopted under the federal law (Personal Information Protection and Electronic Documents Act, or PIPEDA) and the Albertan law (Personal Information Protection Act). Enterprises and public bodies will therefore need to modify their plans of action for confidentiality incidents, and will in future have less discretion on whether or not to report such incidents. 

Enterprises and public bodies will also now have to keep a register of confidentiality incidents. A government regulation will determine the content of this register; to date, it is expected to include at least the date and nature of the incident, and the number of persons concerned. Since a copy of the register will also be sent to the CAI on request, it will be important that enterprises and public bodies implement, among other things, appropriate systems for keeping such a register as early as September of 2022. 

Appointment of a person in charge of the protection of personal information

Enterprises and public bodies must have a person in charge of the protection of personal information, who will see to ensuring that the Private Act or Public Act is implemented and complied with and will play a leading role in all matters relating to the personal information held by the entity. This function will, by default, be exercised by the person with the highest authority, who may, however, delegate the function of the person in charge of the protection of personal information to any other person, which will certainly prove an interesting possibility for many enterprises and public bodies. The title and contact information of the person holding this function within an enterprise must be publicly available on a website or any other appropriate means. Public bodies, for their part, must notify the CAI of the title and contact information of the person in charge of the protection of personal information. 

The person in charge of the protection of personal information will play an active role in managing data, and will need to master the privacy policies and practices of the enterprise or body. That person will also need to be actively involved in the process of harmonizing the enterprise’s or public body’s practices with the new legislative requirements. 

Changes coming into force on September 22, 2023

Obligation to conduct an assessment of the privacy-related factors in certain circumstances

Enterprises and public bodies will now be required to assess the privacy-related factors in certain circumstances. This assessment will be required, among others, in the context of any project to acquire, develop or redesign information systems or to deliver services involving personal information electronically, or when the release of personal information outside Québec is being considered. 

Enterprises and public bodies must consult their person in charge of the protection of personal information before conducting such an assessment. The assessment must also be proportionate to certain elements, such as the sensitivity and quantity of the information concerned by the project, as well as the purposes for which it is to be used. 

Establishment and implementation of confidentiality policies and publication

Enterprises and bodies will also need to implement various policies and practices regarding personal information. These must address the parameters for keeping and destroying personal information held by enterprises or bodies, define the related roles and responsibilities of personnel, and provide a process for dealing with complaints. Moreover, enterprises and bodies that collect personal information through technological means must have a confidentiality policy. Information on these policies and practices, as well as the confidentiality policy itself, must be drafted in clear and simple language and published for the benefit of the persons whose personal information was collected. This duty to disclose and, more specifically, the fact that this disclosure must be clear and simply presented, may require a review of the policies currently in effect. With this measure, lawmakers have once again reinforced the privacy protection available to individuals by giving them easier access to information on how their personal information is being processed. 

Reform of the process by which consent is obtained and information provided at the time of collection

Enterprises and public bodies wanting to collect personal information will now have to meet new requirements. 

First, the person concerned will need to be informed of: (i) the purposes for which the information is being collected, (ii) how the information is collected, (iii) the rights of access and rectification granted to any person by law and (iv) if applicable, the name of the third party from on whose behalf the collection was carried out and the name or category of third parties to whom the information must be released. 

Second, the person concerned must be informed of the possibility that his or her information could be released outside Québec and of his or her right to withdraw consent at any time. All of this information must be provided in clear and simple language. 

Consent, for its part, must always be clear, free and informed and be given for specific purposes. What’s more, the law now explicitly provides that enterprises and public bodies will need to obtain a new consent before using personal information for a purpose other than that initially intended. They therefore can no longer ask individuals to consent to the collection of their information without detailing the purposes for which that information will be used. 

Note, finally, that written requests of consent must be made separately from any other information provided to the person concerned. It will be interesting to see how this requirement will take shape, but it just might have repercussions on enterprises that gather information using technological products, seeing as the consent must be independent from the website’s terms of use, for instance. 

New default privacy parameters

One change that might have a major impact on many entities that are in the technologies sector or collect personal information using technological products is the coming into force of new measures for ensuring that personal information is protected by default. From now on, the parameters of the technological products or services enterprises and public bodies use to collect personal information must, by default, provide the highest level of confidentiality to users. This is yet another amendment that grants persons concerned by the collection better control over their personal information. Note, however, that this new requirement does not apply to cookies. Note, too, that this amendment will come into force on September 22, 2022, for public bodies governed by the Public Act. 

Similarly, another legislative amendment targets identification, localization or profiling functions that enterprises or public bodies might use when collecting personal information. These must now be deactivated by default. Enterprises or public bodies will therefore have the responsibility of informing persons concerned of what actions to take to activate these functions. 

Enterprises and public bodies may want to perform a more detailed review of the technological tools they use so as to: (i) determine which parameters will need to be changed in order to comply with this new requirement, and (ii) proceed with an update or change in the code or functioning of these tools so that the default parameters comply with the law. 

New prerequisites for releasing information outside Québec

Legal changes also circumscribe the release of personal information outside Québec. As mentioned earlier, enterprises and public bodies that want to release personal information outside Québec must first conduct an assessment that takes into account, in particular: (i) the sensitivity of the information; (ii) the purposes for which it is to be used; (iii) the protection measures, contractual or otherwise, applicable to the information released; and (iv) the legal framework applicable in the state in which the information will be released. 

The law now specifies that personal information may be released outside Québec if the assessment establishes that, based more specifically on generally accepted personal information protection principles, the information thus released benefits from adequate protection. Interestingly, the original version of Bill 64 required a level of protection equal to that offered in Québec, and stated that the government would publish a list of states offering such an equivalency. Those requirements, however, were abandoned during the detailed review of the Bill in favour of the current structure that aims for adequate protection, which will undoubtedly give enterprises and bodies greater flexibility.  

It is nevertheless clear from the above that lawmakers wanted to ensure that personal information released abroad will remain secure, and that enterprises and public bodies will not take advantage of a legal framework that limits the protections afforded to persons concerned by the international transfer of personal information. To that end, lawmakers also provided that a written agreement must be entered into between the parties concerned by the release of personal information so as to indicate the results of the assessment and the terms agreed on to mitigate the risks identified in that assessment. 

Requirements respecting the destruction or anonymization of personal information that has served its purpose

Bill 64 clarifies the options available to enterprises and public bodies once the purposes for which personal information was collected have been achieved. They will then have two options: destroy the personal information or anonymize it (to be used for serious and legitimate reasons in the case of enterprises, or in the public interest in the case of public bodies). Enterprises and public bodies may therefore not keep personal information indefinitely, just in case a new purpose materializes. Note that by law, information is considered to be anonymized when it can reasonably be foreseen, at any time, that it irreversibly no longer allows a person to be directly or indirectly identified. The government will, by regulation, determine the criteria that must be met for information anonymization.

Bear in mind that the requirements indicated above reflect best practices in the field, which practices recommend that personal information not be needlessly kept so as to minimize liability in the event of a potential confidentiality incident. Enterprises and public bodies should therefore review their archiving practices so as to comply with the legal requirements and ensure that they have the mechanisms in place to anonymize or destroy personal information, unless it can be used for serious and legitimate reasons.

Changes coming into force on September 22, 2024

Only one provision of the new Private Act will come into force three years after being passed, namely that of the right to portability. The long period within which to comply with this new obligation can be explained by the difficulties associated with its application. Note that this right is already provided for in the Public Act, but its scope has been broadened. 

As of September 22, 2024, persons whose personal information is held by an enterprise or public body will benefit from this right. First, enterprises and public bodies must, at the request of the person concerned, confirm the existence of the personal information and allow him or her to obtain a copy of it. 

Enterprises and public bodies will also need to release to the person concerned personal information collected from him or her (and not created or inferred by the enterprises or public bodies using personal information already held) in a structured, commonly used technological format. 

Therefore, enterprises and public bodies will need to ensure that their databases allow them to comply with this new requirement. This might require them, among other things, to: (i) review their retention practices and formats so that excerpts from a database can be released directly to the person making the request, (ii) create a conversion mechanism allowing information to be extracted from a database and converted into a format that complies with the legislative requirements. 

Other statutory changes to be considered 

Several other changes to the privacy protection regime came into force with the passage of Bill 64. Even if they do not require the direct intervention of enterprises and bodies, these changes should be taken into consideration, as they may have a significant impact on how data are processed. 

New definition of personal information

The definition of “personal information” has been expanded to include all information that can be used to directly or indirectly identify a natural person. This change could have a material impact on how certain types of data will be processed, such as IP addresses and other metadata that do not allow a person to be identified directly. 

Application of the legislation to employee information

Contrary to PIPEDA, which generally does not apply to personal employee information held by an enterprise, the Private Act and Public Act do not provide for such an exemption. Consequently, personal information gathered by an enterprise or a public body on its employees is subject to the Private Act or Public Act, as the case may be, with the exception of the professional personal information of a natural person, such as his or her email address or professional telephone number, to which Divisions II and III of the Private Act and Chapter III of the Public Act do not apply. 

In other words, in the event of a breach of personal employee information held by an enterprise, such as their social insurance numbers or banking information for payroll purposes, the new provisions of the Private Act will apply. With this decision, Québec lawmakers are reproducing the Albertan lawmakers’ approach, which also does not provide any such exception. 

Contexts in which the release of information without consent is possible 

In addition to reinforcing the parameters for obtaining consent to the collection of personal information, the Private Act and Public Act also specify the circumstances under which an enterprise may release or use personal information without obtaining the consent of the person concerned, including where such use is:

• consistent with the purposes of the collection 
• clearly for the benefit of the person concerned 
• necessary to the supply of property or the provision of a service requested by the person concerned (only in the case of the Private Act)
• necessary for study or research purposes, provided the information is de-identified.

It will also be possible to release personal information without the consent of the person concerned if that release is necessary to perform a contract of enterprise or for services. This scenario was already provided for in the Public Act, but now applies in the exact same manner to enterprises governed by the Private Act. Examples of this would be computer service agreements that require access to databases containing personal information. In such cases, enterprises holding the information will be required to ensure that their co-contracting party is informed of the measures it must take to protect the information’s confidentiality. This will not release enterprises from their liability for the personal information that they hold. 

Finally, enterprises may communicate personal information if doing so is necessary for concluding a commercial transaction. The notion of “commercial transaction” includes the disposition or leasing of an enterprise or its assets, a change in its legal structure, or its financing. 

Clarification of the right to deletion’s scope and creation of the right to be forgotten 

Bill 64 clarifies the scope of a person’s right to ask for the deletion of personal information. The Civil Code of Québec (Code) has long provided individuals with the right to request the deletion of obsolete information or information not justified by the purpose of the file concerning him or her. New provisions, however, now indicate that the fact of collecting personal information relating to another person is deemed to establish a file within the meaning of the Code, and refer directly to the articles of the Code providing for the right to deletion. It is therefore clear that an person may, under certain conditions, demand that an enterprise delete personal information that it holds concerning them. 

Additionally, the Private Act now provides for a right to be forgotten (still benefitting persons). These persons may now demand that enterprises cease disseminating information or de-index any hyperlink attached to their names. To do this, the persons concerned must, among other things, prove that their right to the respect of their reputation and privacy has been seriously injured, and that the injury is greater than the interest of the public in knowing the information on the persons concerned. 

Consent now applies to collection and communication

The consent given by persons at the time their personal information is collected will apply not only to the collection but also to the use and communication of that information, provided these are carried out in keeping with the purposes indicated at the time of collection. This provision might allow enterprises and public bodies to avoid asking the same person for several different consents, depending on the processing phase his or her personal information is at. 

What is deemed to be “sensitive” personal information

Bill 64 now defines “sensitive” information, a definition that may affect the scope of protective measures to be adopted as well as on the purposes for which such information may used. Consequently, the law considers information to be sensitive when it entails a high level of reasonable expectation of privacy due, among other things, to medical or biometric characteristics or the context of its use. 

Sanctions for non-compliance 

Considerable changes have also been made to the sanctions for failing to comply with the law. Enterprises that fail to comply with the Private Act now risk far more stringent sanctions than under the old regime.

Monetary administrative penalties

Monetary administrative penalties, which may be imposed by a person designated by the CAI following a breach of the Private Act, may be as high as, in the case of enterprises, $10 million or, if greater, the amount corresponding to 2% of worldwide turnover for the preceding fiscal year. 

The CAI will be required to publish a general framework for applying these penalties, which will detail the criteria to be taken into account when deciding whether or not to impose a penalty and, in the affirmative, the amount thereof. We do know, however, that some of the elements that will need to be considered include the sensitivity of the personal information, the number of persons concerned, as well as the nature, seriousness and duration of the breach. 

Penal sanctions

Penal sanctions are even higher than the monetary administrative penalties, although their application is limited. Breaches of the Private Act that might give rise to a penal sanction include the collection, use, keeping, release or destruction of personal information in contravention of the law, attempts to identify a person using anonymized information, and failure to inform the CAI of a confidentiality incident. In such cases, enterprises will be liable to a fine of up to $25 million or, if greater, the amount corresponding to 4% of a worldwide turnover for the preceding fiscal year. 

Judges may consider a number of factors before determining the amount of the fine. They may take into account the nature, seriousness and duration of the failure, the sensitivity of the personal information and the number of persons concerned, the intention, negligence or lack of concern of the enterprise that contravenes the Private Act, or the foreseeability of the offence. 

Now that the Bill has been sanctioned, it will be interesting to see what measures and approaches will be recommended by enterprises and public bodies for the purposes of complying with all of the changes introduced by the Bill, and whether the authorities will publish guidelines to help them with this task. On that note, the enterprises concerned should immediately start considering what harmonization measures they will take, given the short period allotted for compliance and the considerable quantity of changes they will need to make to their business practices where privacy management is concerned.