Quebec’s Bill 64 Introduces New Transparency and Consent Standards

This article is part of our Bill 64 Blog Series, which will provide readers with a 360° view on Bill 64 and its sweeping amendments to Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (the “Private Sector Act”). To view other blog posts in the series, please visit this page.

The Act to Modernize Legislative Provisions respecting the Protection of Personal Information (“Bill 64” or the “Bill”)[1] received royal assent on September 22, 2021, introducing new obligations for private sector businesses in Québec that will be phased in over the course of three years. Of the steps businesses will have to take to ensure compliance, the transparency and consent obligations imposed on them are among the most anticipated changes of this reform.

Bill 64 was introduced in an effort to add robust protections for the personal information of citizens held by private businesses, in particular by the profound modernization of the Act Respecting the Protection of Personal Information in the Private Sector (“Private Sector Act”). The provisions discussed in this blog are set to come into force on September 22nd, 2022, making them high priority items for businesses to prepare for.

New standards for corporate transparency and accountability

Bill 64 introduced many changes in information processing practices designed to improve corporate transparency and accountability. The Committee also added amendments to create new standards that provide, in some cases, greater constraints on companies and, in others, more flexibility.

These changes include (1) the obligation to establish, implement and publish policies and governance practices regarding personal information, (2) requiring businesses to appoint a privacy officer, and (3) requiring individuals to be informed of the names of third parties to whom the business may disclose personal information.

Publication of personal information governance policies and practices

Bill 64 includes a requirement for businesses to establish and implement policies and practices regarding the governance of personal information. The original version of the Bill also required businesses to publish these internal policies on their website or, alternatively, by any other appropriate means.

The problems surrounding this last requirement were discussed in sessions of the Committee. Indeed, it is not common practice for companies to publish their internal privacy policies and practices. Among the possible problems raised, it was noted that such a practice would create a risk of exposing commercially sensitive information about the internal workings of a company, without any real benefit to individuals. The publication of such information could therefore pose an increased risk of fraud for businesses and, incidentally, of leakage of data shared by individuals.

As amended, the Bill now imposes a more realistic requirement on companies to publish "detailed information about policies"[2].

Delegation of the position of Chief Privacy Officer

The primary role of the data protection officer will be to ensure that the company processes personal data in accordance with applicable data protection rules. This role, assigned by default to the highest authority in a company, could initially be delegated only to a member of the company's staff. Now, companies have great flexibility in delegating this role to any individual[3]. This means, for example, that a company may designate a single person to be responsible for the protection of personal information, or use the services of an external individual who specializes in the protection of personal information. This innovation will allow more flexibility for companies that lack internal expertise in privacy matters.

Inform individuals of the names or categories of third parties to which the company may disclose personal information

The Committee adopted an amendment requiring businesses to inform individuals from whom personal information is collected of the actual names or categories of third parties to whom the information is to be disclosed for the purposes of the data collection. Businesses must also inform individuals of the possibility that the information may be disclosed outside Quebec[4].

Individuals do not have the option of refusing such transfers, but the responsibility for the processing of personal information by service providers remains with the companies making the transfer.

New consent standards

Consent is considered the keystone of the Private Sector Act. In most situations, businesses must obtain an individual's consent before they can collect, use and disclose his or her personal information. Under the current regime, only in a few limited circumstances can businesses process an individual's personal information without consent.

Bill 64 did not depart from this rule, although it now allows for greater flexibility in this area - notably by creating new exceptions to the consent requirement - which represents an evolution in the Quebec law toward a greater emphasis on accountability and the ethical use of personal information. 

New exceptions to consent

The amended Bill 64 adds two new situations where businesses can process personal information without consent[5]:

  1. where the use of the information is necessary for the prevention and detection of fraud or for evaluation and security enhancement purposes; and
  2. where the use of the information is necessary for the provision or delivery of a product or service requested by the individual.

These two exceptions are consistent with the new spirit that Bill 64 will bring to the Private Sector Act by covering other situations where the legitimate business practices of an enterprise justify the processing of information, including situations in which consent can safely be inferred and situations in which privacy interests are balanced alongside the need to combat fraud and reduce the prevalence of security incidents.

For example, the current Private Sector Act includes an exception relating to communication for study, research or statistical purposes. The first version of Bill 64 added exceptions for use in a manner consistent with the purposes for which the information was originally collected and for use that is clearly for the benefit of the individual concerned. The exception for study and research purposes was maintained, with the added requirement that the information be de-identified.

Conclusion

Bill 64 has made significant additions to the transparency and consent requirements that businesses that process personal information in Québec should be aware of. Given that the sections concerning these requirements are set to come into force on September 22nd, 2022 and September 22nd, 2023, companies should consider planning how to align their internal privacy and data security practices with Bill 64’s new requirements.

Stay tuned for further McCarthy Tétrault publications on the subject.

To learn about how the Cyber/Data Group can assist you in navigating the privacy and data landscape and prepare you for developments in cybersecurity, please contact national co-leaders Charles Morgan and Daniel Glover for more information.

[1] Act Respecting the Protection of Personal Information in the Private Sector, CQLR, c P-39.1.

[2] Amended Private Sector Act, section 3.2.

[3] Amended Private Sector Act, section 3.1.

[4] Amended Private Sector Act, section 8.

[5] Amended Private Sector Act, section 17.
