Bill 64: An Overhaul of Quebec’s Privacy Law Regime – Implications for Business
The Act Respecting the Protection of Personal Information in the Private Sector (the “Private Sector Act”), adopted more than 25 years ago, was introduced at a time when Quebec was the first jurisdiction in North America to adopt legislation to ensure the protection of personal information. However, subsequent legislation adopted by the federal government and technological advances in recent years have meant that the Private Sector Act is no longer adapted to the current context. Moreover, it is consistent neither with Canadian federal laws and equivalent legislation in other provinces, nor with the European Union's General Data Protection Regulation (“GDPR”), which increasingly seems to be becoming a de facto international standard of reference.
On June 12, 2020, Bill 64, An Act to Modernize Legislative Provisions Respecting the Protection of Personal Information (the “Bill”) was introduced in the Quebec National Assembly.
According to the government, once passed, the Bill will promote transparency, enhance data privacy and strengthen user consent by increasing the responsibility of departments and agencies, private companies and, for the first time ever, political parties. Inspired by what is being implemented in other Canadian jurisdictions and in the European Union, the proposed amendments nevertheless remain a uniquely “made in Quebec” approach to privacy protection. The full harmonization of all privacy legislation in Canada, which many would like to see, has yet to be achieved.
This article focuses on the proposed amendments to the Private Sector Act, the changes that will be made to the current regime and their consequences for the private enterprises that will have to implement them.
- Significant administrative sanctions may be imposed by the Commission d'accès à l'information (“CAI”) of up to $10 million or 2% of worldwide turnover, whichever is greater, and penal sanctions of up to $25 million or 4% of worldwide turnover.
- The possibility for a company to be sued for damages.
- The requirement to appoint a Chief Privacy Officer and establish governance policies and practices.
- New obligations when a data breach incident occurs.
- New rights for individuals with regard to data portability, the right to be forgotten and the right to object to automated processing of their personal information.
- The creation of an exception allowing the disclosure of personal information in the course of a business transaction without the prior consent of the individuals concerned.
- The removal for businesses of the possibility of communicating, without the consent of the persons concerned, nominative lists and new rules governing the use of personal information for commercial or philanthropic prospecting purposes.
- The obligation for companies to ensure that pre-established settings for their technology products and services ensure the highest levels of confidentiality by default (privacy by design).
Significant changes for private organizations
At the administrative level, the new legislation, if passed, will give more powers to the CAI, which will now be able to impose administrative monetary penalties on offenders. As for the private sector, the CAI will have the power to impose administrative monetary penalties of up to $10 million or 2% of a company's worldwide turnover (for the previous fiscal year).
The Bill also provides for an increase in penal sanctions for violations of the Private Sector Act, up to $25 million or 4% of a company's worldwide turnover, whichever is greater, with a minimum fine of $15,000. By way of comparison, the Private Sector Act currently provides for fines ranging from $1,000 to $10,000 and a fine of up to $20,000 for repeat offences.
In addition, the Bill introduces the possibility for a person to bring an action for damages based on the infringement of a right provided for in the Private Sector Act or a right relating to privacy protection set out in the Civil Code of Québec. In the case where the infringement is intentional or results from a gross fault, the Bill provides for punitive damages of at least $1,000.
Accountability and Governance
Under the provisions of the Bill, the person exercising the highest authority within an enterprise will be responsible for the protection of personal information. However, he or she will have the option of delegating this function to a member of staff, whose contact information and title must be published on the enterprise’s Internet site. This new requirement is similar to that under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the European Union's GDPR. In addition, any person carrying on an enterprise will have to conduct a privacy impact assessment when collecting, using, disclosing, retaining or destroying personal information for any proposed information system project or electronic service delivery project. The Bill also requires enterprises to adopt governance rules for the protection of personal information, which must include a specific framework for its destruction and for its keeping. These policies and practices must be approved by the person responsible for the protection of personal information and published on the company's website.
Mandatory Breach Notification Requirements
The Bill also aims to introduce an obligation for enterprises to deal transparently with “confidentiality incidents” involving personal information. From this obligation flows the obligation to report to the CAI when the incident in question presents a “risk of serious harm”. To assess the risk of serious harm, the Bill provides that the person carrying on an enterprise must consider, among other things, “the sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes”. Moreover, a person carrying on an enterprise must take reasonable measures to reduce the risk of harm resulting from the use of the information and to prevent the recurrence of such incidents. This new legislative framework is similar to what is currently set out in PIPEDA and Alberta's Personal Information Protection Act (“PIPA”). As is the case under PIPEDA, enterprises will also be required to keep a record of confidentiality incidents that must be sent to the CAI upon request.
Parameters of technology products or services
The proposed amendments to the Private Sector Act provide that when an enterprise collects personal information by offering a technological product or service, the enterprise must ensure that the default settings of this product or service ensure the highest degree of confidentiality, without the intervention of the person concerned. This new obligation seems to be inspired by the notion of “Data protection by design and by default” found in Section 25 of the GDPR.
The notion of third parties
The Bill provides that the Privacy Act would apply not only to companies that retain personal information, but also when the retention of this information is ensured by third parties. Thus, the obligation incumbent on an enterprise subject to the Private Sector Act also extends to its third party contractors. This necessarily implies that if a company hosts data on a third party server, for example, it will still have to ensure its confidentiality.
Business transaction exception
In Quebec, currently, the Private Sector Act does not provide for any exceptions to the consent that an individual must give for the collection and disclosure of his or her personal information in the course of a commercial transaction, creating certain practical problems. Under the Bill, the disclosure of personal information about an individual without his or her consent would be authorized when necessary for the purposes of concluding a commercial transaction and subject to certain conditions, namely:
- the conclusion of an agreement with the other party that includes specific clauses regarding the disclosure, protection and destruction of personal information;
- the use and disclosure of the information in accordance with the Private Sector Act once the commercial transaction is concluded, where the personal information is to be used; and
- notification of the retention of personal information to the individuals concerned after the conclusion of the transaction.
This proposed new provision aligns with the federal legislation, PIPEDA, which provides an exception to obtaining consent in the context of a business transaction, as well as other provincial legislation such as PIPA and British Columbia’s Personal Information Protection Act.
The obligation to destroy and anonymize
The Bill provides that enterprises will be required to destroy or anonymize (i.e. put in place technical measures to ensure that information about an individual can no longer be used to identify him or her) personal information about an individual when the purpose for which it was collected or used is achieved, unless a preservation period is provided for by law.
The use of technology to collect information
The Bill provides a duty to inform where personal information is collected from an individual using technological tools that make it possible to identify, locate or profile that individual. The individual must be informed of the use of such a technological tool and of the means available to deactivate the identification, tracking or profiling functions.
New exceptions to consent
The Bill adds the possibility of using de-identified information for study, research or statistical purposes. The Bill defines the process of de-identification as the fact that the information no longer directly identifies an individual. It should also be noted that this definition differs from the definition also introduced by the Bill concerning the anonymization of information, which states that information is anonymized when it “irreversibly no longer allows the person to be identified directly or indirectly”. It also provides a new exception to consent where personal information is used for study, research or statistical purposes and a privacy impact assessment concludes that:
- the objective of the study, research or the production of statistics cannot be accomplished otherwise;
- it is unreasonable to require the consent of the individuals concerned;
- the objective of the study, research or production of statistics outweighs the impact of communicating and using the information on the privacy of the individuals concerned;
- personal information is used in a manner that ensures its confidentiality; and
- only the necessary information is communicated.
In order to use such personal information for study, research or statistical purposes, a person or enterprise must, among other things, make a request in writing, explain in support of the request that the conditions mentioned above are met and attach the research protocol. An agreement must also be entered into with the person or organization to whom the confidential information is transmitted that provides, among other things, for measures to ensure the protection of confidential information and must be sent to the CAI 30 days before it comes into force. This obligation to provide information in such circumstances is also consistent with what is found in PIPEDA.
- De-indexing and the right to be forgotten
The Bill specifies that an individual may require, when certain conditions are met, that a person carrying on an enterprise cease disseminating personal information about himself or herself “or to de-index any hyperlink attached to his name that provides access to the information by a technological means, if the dissemination of the information contravenes the law or a court order”. This has several practical consequences, particularly for search engine administrators who will have to comply with these new requirements. In addition, an individual may require that the hyperlink providing access to personal information be re-indexed if the following conditions are met: the dissemination causes serious injury to the individual's right to respect for his or her reputation or privacy, the injury is clearly greater than the public interest and the cessation of the dissemination, re-indexing or de-indexing requested does not exceed what is necessary to avoid perpetuating the injury. This new right appears to be inspired by the notion of the “right to be forgotten” found, among others, in section 17 of the GDPR.
- Right to object to automated decision-making
In addition, the Bill proposes a new framework for automated decision-making. It proposes that personal information may not be used by an enterprise to render a decision based exclusively on the automated processing of personal information, unless the enterprise informs the person concerned. The person concerned also has the right to be informed of the following:
- the personal information used to render the decision;
- the reasons for the decision; and
- his or her right to have the personal information used corrected.
The person concerned will also be able, under the Bill, to take advantage of the opportunity to present his or her observations to a member of the enterprise’s staff who would be able to review the decision.
- Data portability
The Bill also provides, in light of the GDPR, that an enterprise that holds information on a person must, upon request by the person, confirm the existence of the information and communicate it to the person. If the information is computerized, it must be disclosed in an intelligible manner, in the form of a written transcript and communicated in a structured and commonly used technological format.
Outsourcing and cross-border transfer
The Bill sets out new rules for the outsourcing and transfer of personal information outside Quebec, including an equivalency system inspired by the European model.
The Bill considerably increases the requirements set out in the current section 17 of the Private Sector Act. Before disclosing personal information outside Quebec (including for outsourcing purposes), an enterprise will be required to conduct a privacy impact assessment to evaluate whether the information will receive a level of protection equivalent to the one provided under Quebec law. To this end, enterprises will be required to consider not only the sensitivity of the information, the purposes for which it will be used and the protection measures that would apply, but also “the legal framework applicable in the State in which the information would be released, including the legal framework’s degree of equivalency with the personal information protection principles applicable in Québec.” If, as a result of this assessment, the enterprise concludes that the foreign legislation is not equivalent, it must not disclose the personal information.
If the assessment is satisfactory, the disclosure must be the subject of a written agreement taking into account the results of the assessment and, if applicable, the terms and conditions agreed upon in order to mitigate the risks identified.
It is expected that the Government of Québec will publish a list of states whose legal framework governing personal information is equivalent to the Québec framework.
The use of personal information for commercial or philanthropic purposes
Following the adoption of the Bill, an enterprise that uses personal information for commercial or philanthropic prospecting purposes will have to identify itself and inform the person concerned of his or her right to withdraw consent to such use of personal information concerning him or her. Once consent has been withdrawn, the use of personal information must cease.
A time for change
In 1995, the European Union adopted Directive 95/46/EC (the “European Data Protection Directive”). Section 25 of this Directive prohibits member states (and companies within their borders) from transferring personal data to a third state whose laws do not adequately protect the data. Transfers to non-member states may occur if the European Union determines that the privacy protection regime of such jurisdictions is “adequate” (or if other specified protective measures are put in place by the transferring entity). For the purposes of Section 25, Canada's PIPEDA received a favourable “adequacy” determination in 2001.
Although the Private Sector Act (like the Alberta and British Columbia legislation) has been found to be “substantially similar” to PIPEDA, it has not received a decision of adequacy under the European Data Protection Directive. In fact, in 2014, it was recommended to the European Commission not to declare the Quebec law adequate with respect to the European Data Protection Directive because of uncertainty about the territorial scope of application of the Private Sector Act, the need to strengthen the requirements for transparency about who holds an individual's personal information, the need to define the concept of “sensitive information” and the need to make the transfer of information subject to contractual or other binding legislative provisions to ensure a level of data protection comparable to that prevailing in the European Union.
As of May 25, 2018, GDPR replaced the European Data Protection Directive. Under GDPR, the European Union must again assess the adequacy of PIPEDA's protections, an exercise to which it will be invited every four years. As part of this assessment, PIPEDA will be evaluated in light of the new, higher standards of protection set out in the GDPR. As a result, changes are expected to be made to PIPEDA.
The adequacy of the Private Sector Act may also be reassessed. The Bill is therefore being tabled in the context of a fundamental overhaul of Canada's privacy legislation.
The Bill will be subject to the next steps in its adoption when Parliament resumes in the fall, and its transitional and final provisions give most of its provisions a one-year period to come into force following the Bill's assent. In order to prepare, enterprises should nevertheless begin reviewing their privacy policies and contracts with third parties, review their consent forms, conduct an audit of the personal information they hold in order to determine its degree of sensitivity and the level of protection required, implement protocols in the event of a confidentiality incident and ensure that they use technological means that meet the highest security standards.
Stay tuned to McCarthy Tétrault's publications on the subject. A more comprehensive study will follow the publication of this text and will be available upon request. In the meantime, we invite you to read our series of five blogs on the proposed amendments to PIPEDA and our publication on the proposed changes to British Columbia's privacy legislation.