Committee review completed for Bill 64: A step closer to a major reform of Quebec's personal information protection regime

 

The Québec government’s Act to Modernize Legislative Provisions respecting the Protection of Personal Information ("Bill 64" or the “Bill”) completed its parliamentary committee review phase on August 24, 2021. Bill 64 was first introduced by the Government of Quebec in the National Assembly on June 12, 2020. After months of committee review that began in February 2021, the detailed study of the Bill by the Committee on Institutions of the National Assembly ended on August 24, 2021. 

Aiming at improving transparency, increasing the level of data confidentiality and reinforcing consent requirements, Bill 64 will bring many changes to the current privacy regime in the province of Québec, notably by revising the existing Act respecting the protection of personal information in the private sector (“Private Sector Act”). Bill 64 will have important consequences for the companies that do business in Québec and those that handle personal information of Québec residents. 

In this blog, we provide a summary of the recent committee amendments to Bill 64 as they relate to the Private Sector Act.

Next steps

Although the reform brought about by Bill 64 is likely eminent, it remains to be passed officially by the Québec National Assembly. There are still a few more steps in the legislative process: the consideration of the Commission's report in the Québec National Assembly, the adoption of the bill, receiving the royal assent, and finally its entry into force. Further amendments are still possible at the report adoption stage. Considering that the current government holds a majority in the National Assembly, the adoption of Bill 64 can reasonably be expected to be completed sometime in the fall of 2021.

Major developments

In a previous blog published on the occasion of the introduction of Bill 64 in the Quebec National Assembly, we reported on the amendments to the current Private Sector Act proposed by the Bill in its initial form. The present blog focuses on the amendments adopted by the Committee on Institutions of the National Assembly during the parliamentary committee proceedings since February 2021, following a public consultation process. In comparison with the initial draft of Bill 64, the amendments bring changes that create both flexibility and, in some instances, greater constraints for businesses. Certain amendments positively address some concerns raised during the September 2020 public hearings on Bill 64 by certain members of the Quebec business community, while ignoring others.

 The main changes made in committee include the following:

1.     The possibility of delegating the position of "Privacy Officer" to any person;

2.     The obligation for businesses that collect personal information to inform individuals of the names of third parties to whom the information may be disclosed;

3.     Allowing businesses to use personal information without consent when necessary to provide a product or service, as well as for fraud prevention and security enhancement purposes;

4.     Requiring businesses, before disclosing personal information outside Quebec, to conduct an assessment that demonstrates that the personal information would benefit from adequate protection under generally recognized privacy protection principles;

5.     A new mechanism to limit administrative monetary penalties; and

6.     Additional rights to individuals.

1.     Delegation of the position of Chief Privacy Officer

In the initial version of Bill 64, this position, assigned by default to the person with the highest authority in a company, could only be delegated to a member of the company's staff. Now, the person with the highest authority can delegate this role to any individual, whether working for the company or not, thus allowing businesses to outsource this function to a specialized person.[1]

2.     New obligation to inform individuals of the names of third parties to whom the information may be disclosed

The committee added the requirement for businesses to inform individuals of the actual names of third parties (rather than merely the broad categories of third parties) to whom the business may disclose their personal information in order to fulfill the purposes for which it was collected.[2]  This is an impractical requirement that will add significant new burdens to businesses that contract with multiple service providers to process personal information.

3.     Allowing businesses to use personal information without consent under new circumstances

On the other hand, with the committee’s amendments, businesses will benefit from a wider range of exceptions to the requirement to obtain the consent of the individual whose personal information they collect. In effect, the latest amendments indicate that consent is not required when one of the following additional situations is encountered:

 a)     the use is necessary for the prevention and detection of fraud or the evaluation and improvement of protection and security measures ;[3] or

b)     the use is necessary for the purpose of supplying or delivering a product or providing a service requested by the person concerned.[4]

 In addition, Bill 64 created a new exception to the consent requirement when disclosure of personal information is necessary for the purposes of concluding a business transaction. The original Bill defined “business transactions” only as a transfer of ownership of all or part of an enterprise. The amendments expand this definition to include notably the sale of all or part of an enterprise’s assets, changes to its structure through merger or otherwise, any form of financing or the taking of a suretyship to guarantee an obligation.[5]  

The initial version of Bill 64 also introduced into the Private Sector Act the notion of anonymized information. No consent is required to use personal information for a new purpose when the use is required for research or statistical purposes. The amendments did not modify this welcome addition, but qualified it by adding that a person carrying on an enterprise using anonymized information must take reasonable measures to limit the risks that an individual may be identified based on anonymized information.[6]

4.     Disclosure of personal information outside Quebec

The initial version of Bill 64 required all businesses to disclose personal information outside Quebec only if the target jurisdiction offers a level of protection equivalent to the regime applicable in Quebec. Responding to concerns raised regarding this impractical requirement, including in the business community, the latest version of Bill 64 is more flexible: it now requires only an adequate level of protection, as regards generally recognized privacy protection principles.[7] However, under the amended drafting of this provision, businesses must conduct a privacy impact assessment (including an assessment of the legal framework for data protection applicable in the foreign jurisdiction to which personal information will be transferred for processing).

5.     Enforcement mechanisms

The primary enforcement mechanisms in Bill 64 included administrative monetary penalties and penal sanctions. The latest amendments increase the maximum penal sanction for natural persons from $50,000 to $100,000, while the initial maximum penal sanction for businesses remains set at $25,000,000 or 4% of their worldwide turnover as of the last financial exercise, if the latter is greater.[8] Since these penal sanctions can be doubled in the case of a repeat offender, the true maximum penal sanction for businesses is $50,000,000 or 8% of their worldwide turnover. For reference, the amendments have also not modified the maximum amount of administrative monetary penalty, which remains of $50,000 for a natural person and, for all other persons, of $10,000,000 or 2% of their worldwide turnover, if the latter is greater.[9] Thus, the Quebec government did not respond to concerns that such high potential penalties may have disproportionate adverse impacts on businesses.

However, regarding administrative monetary penalties, the amendments to Bill 64 introduce a new mechanism allowing a person (including businesses) to acknowledge a violation and to undertake, before the Commission d'accès à l'information ("CAI"), to take the necessary measures to remedy or mitigate the consequences of its violation of the Act. Such undertaking must describe the acts and omissions that lead to the violation and indicate the relevant dispositions of the law. Although the CAI can impose as a condition of the undertaking the payment of a certain monetary amount, if the undertaking is accepted by the CAI, the person carrying on an enterprise can no longer be subject to an administrative monetary penalty in relation to the acts or omissions described in the undertaking.[10] It should be noted that this mechanism does not apply to the penal sanctions mentioned above. Moreover, the amendments also add as a criteria to evaluate for the determination of a penalty (including its amount, in the case of a monetary penalty), the capacity to pay of the person who committed the violation, notably in relation to its assets, turnover and revenues.

6.     Rights granted to individuals

Finally, Bill 64 modifies the existing duty for businesses to, upon request, to give an individual access to the personal information they hold in their files. The original version of Bill 64 added the obligation to provide to applicants, except if this raises serious practical difficulties, computerized personal information in a structured, commonly used technological format. The committee amendments added that this right to obtain one’s personal information in a commonly used technological format does not include information created or inferred from personal information collected from that individual.[11]

Conclusion

The parliamentary committee review of the Bill has made several significant changes to the original version of Bill 64, while retaining its overall structure and some of its more controversial provisions. Although the Bill has not yet completed its passage through the National Assembly, businesses should already begin - or continue - their preparations for this impending reform, which is set to transform Quebec’s privacy landscape.  

 Stay tuned for further McCarthy Tétrault's publications on this subject.

 To learn more about how our Cyber/Data Group can help you navigate the privacy and data landscape, please contact national co-leaders Charles Morgan and Daniel Glover.

 

 

[1] Section 95 of the Bill, as amended.

[2] Section 99 of the Bill, as amended.

[3] Section 102 of the Bill, as amended.

[4] Section 102 of the Bill, as amended.

[5] Section 104 of the Bill, as amended.

[6] Section 102 of the Bill, as amended.

[7] Section 103 of the Bill, as amended.

[8] Section 151 of the Bill, as amended.

[9] Section 150 of the Bill.

[10] Section 150 of the Bill, as amended.

[11] Section 112 of the Bill, as amended.

Authors

Subscribe

Stay Connected

Get the latest posts from this blog

Please enter a valid email address