On June 12, the Quebec government introduced the highly anticipated Bill 64, An Act to modernize legislative provisions as regards the protection of personal information. In presenting the bill, the province's Minister of Justice, Sonia LeBel, noted that Quebec's current data protection laws have become outdated and no longer adequately regulate new and evolving digital technologies. Ms. LeBel noted that the current pandemic has highlighted the central role that information technology now occupies in our society, and that our laws must stay apace of this reality.
If adopted, Bill 64 will make significant changes to the requirements applicable to the use and protection of personal information under numerous provincial statutes, including notably the Act respecting the protection of personal information in the private sector (the "Private Sector Act") and the Act respecting Access to documents held by public bodies and the Protection of personal information (the "Public Sector Act"). In this article, we summarize some of the most notable changes to these two statutes.
Increased penalties for noncompliance
Bill 64 will significantly increase the fines that may be levied against both private and public sector entities who fail to comply with the province's privacy legislation.
Private sector entities will be subject to fines ranging from $15,000 to $25,000,000, or an amount corresponding to 4% of worldwide turnover for the preceding fiscal year, whichever is greater. This represents a dramatic increase from the current maximum penalty of $50,000, and would make the Private Sector Act the most punitive privacy law in the Canada – with a potential fine exceeding those available under the Competition Act, or the Anti-Spam law, CASL.
Moreover, Bill 64 would grant the Commission d'accès à l'information (CAI) the ability to impose monetary administrative penalties (AMPs) for certain violations following a notification of non-compliance – with maximum AMPs of $10,000,000 or, if greater, an amount corresponding to 2% of worldwide turnover for the preceding fiscal year.
For certain offences under the Public Sector Act, including releasing personal information in contravention of the law or attempting to identify an individual using anonymized information, fines will range from $15,000 to $150,000.
Private Right of Action and Punitive Damages
If passed into law, Bill 64 will create a private right of action whereby individuals could bring a claim for damages for injury resulting from the unlawful infringement of a right conferred by the Private Sector Act or sections 35 to 40 of the Civil Code of Québec.
The Bill also introduces a minimum award of $1,000 in punitive damages where the infringement is intentional or results from a gross fault – the latter defined as "a fault which shows gross recklessness, gross carelessness or gross negligence" per section 1474 of the Civil Code of Québec.
Privacy by Design
Bill 64 will introduce "privacy by design"–type default settings whereby enterprises who offer technological goods or services and who collect personal information must ensure that the parameters of the good or service provide the "highest level of confidentiality by default", without any intervention by the person concerned.
Mandatory breach reporting
Until now, Quebec has been one of the few Canadian jurisdictions where reporting of data security incidents has not been mandatory. While data breach notification has long been the subject of voluntary guidelines, Bill 64 will require that both public and private entities report incidents to both the Commission d'accès à l'information and to the persons whose data is affected where the incident "presents a risk of serious injury".
Entities may also notify "any person or body that could reduce the risk". The Bill provides that regulations may be adopted to establish the content and terms of these notifications.
Updated consent requirements
Bill 64 imposes more robust consent requirements prior to the collection, use, or disclosure of personal information. Currently, the Private Sector Act requires that consent be "manifest, free, enlightened" and given for specific purposes, while the Public Sector Act is silent on what constitutes adequate consent where consent is required under this law. Under Bill 64, both the Public and Private sector Acts will be amended to require that consent be "clear, free and informed" and given for specific purposes.
Where consent is required, both public and private sector entities must request consent for each separate purpose in "clear and simple language and separately from any other information provided to the person concerned". Entities will also be required, on request of the person concerned, to assist the person in understanding the scope of the consent requested.
Moreover, under Bill 64, consent will remain valid only for the time necessary to achieve the purposes for which it was requested, following which the information will have to be anonymized or destroyed.
Bill 64 also establishes new situations in which personal information may be communicated without the consent of the individual concerned. These include, notably:
- for study or research purposes, or for the production of statistics, if certain conditions including de-identification, are met;
- to the spouse or close relative of a deceased person, if the information could help the recipient in the grieving process and if the deceased person did not refuse such sharing in writing before their death;
- to carry out a mandate or to perform a contract of enterprise or service, on condition that this mandate or contract of enterprise or service provides for the safeguarding of the information, and is concluded with a private enterprise, rather than a public body; and
- from one enterprise to another for the purposes of a commercial transaction, provided the parties to the transaction have first entered into an agreement addressing particular points regarding the use of this information and the protection to be afforded thereto
Bill 64 also withdraws the right, provided under the current Private Sector Act, of an enterprise to communicate a nominative list without the consent of the individuals concerned.
New requirements regarding information collected through technological means
Following the trend of including "right to be forgotten" provisions in privacy legislation, Bill 64 will afford Quebec individuals the right to demand the deletion of certain personal data.
More specifically, it provides that an individual may require that a private sector entity cease disseminating his/her personal information or de-index any hyperlink attached to his/her name that provides access to the information by a technological means if the dissemination of said personal information contravenes the law or a court order.
An individual will also be permitted to make such an order, or to order that the hyperlink be re-indexed, where:
- the dissemination of the information causes serious injury to the individual's right to privacy or reputation;
- the injury is clearly greater than the interest of the public in knowing the information or the interest of any person in expressing himself/herself freely; and
- the cessation of the dissemination or the re-indexation or de-indexation requested does not exceed what is necessary for preventing the perpetuation of the injury.
In assessing whether the injury is clearly greater than public interest or the right to freedom of expression, the following elements are to be considered: the sensitivity of the information, the time elapsed between the dissemination of the information and the request, and whether or not the individual concerned is a minor or a public figure.
Designation of individuals and committees responsible for personal information
Bill 64 will also increase the obligations incumbent on both private and public sector entities regarding the protection of personal information.
With regards to private sector entities, the individual with the "highest authority" in that enterprise will be responsible for ensuring compliance with the Private Sector Act. This responsibility may, in writing, be delegated to a member of the enterprise's personnel. This person's title and contact information must be published on the enterprise's website.
Private sector entities will also be required to establish and implement governance policies and practices to protect personal information, which, in addition to being published on the enterprise's website, must:
- provide a framework for the keeping and destruction of the information;
- define the roles and responsibilities of the members of its personnel throughout the life cycle of the information; and
- provide a process for dealing with complaints regarding the protection of the information
As for public bodies, they will be required to appoint an individual in charge of access to documents and protection of personal information. Unlike in the private sector, where the appointed individual may be a member of the enterprises' personnel, the individual appointed by a public sector entity must be a member of the public body or of its board of directors, as the case may be, or a member of the management personnel. The title and contact information of this individual will have to be reported to the CAI.
Public bodies will also be required to establish a committee on access to information and protection of personal information, to be overseen by the aforementioned individual. Private bodies will not be required to establish such a committee.
Enhanced requirements for the communication of personal information outside Quebec
Bill 64 also imposes more stringent requirements on enterprises or public bodies wishing to communicate personal information outside of Quebec. Before releasing personal information outside of the province, an entity will be required to conduct an assessment of privacy-related factors, namely:
- the sensitivity of the information;
- the purposes for which it is to be used;
- the protection measures that would apply to it; and
- the legal framework applicable in the state in which the information would be communicated, including the legal framework's degree of equivalency with the personal information protection principles applicable in Quebec. The Minister will provide a list of states in which this is deemed to be the case.
The information may only leave the province if the assessment establishes that the information in the foreign jurisdiction will receive protection equivalent to that afforded in Quebec and the release of said information is subject to a written agreement that takes into account factors such as the results of the assessment and, if applicable, the terms agreed upon to mitigate the risks identified in the assessment.
The above applies even if the information is merely being stored or processed by a party outside the province.
New notification and assessment requirements
Under Bill 64, both public and private sector entities who collect personal information using technology that allows a person to be "identified, located or profiled" must first inform the person of the use of such technology and of the means available, if any, to deactivate the function that allows the person to be "identified, located or profiled".
For the purposes of the above, "profiling" refers to the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person's work performance, economic situation, health, personal preferences, interests or behavior. This could be the case, for example, of information collected via online cookies used in order to direct targeted advertising to an individual, or collected through a fitness tracker app.
Public and private sector entities will also be required, under Bill 64, to assess "the privacy-related factors of any information system project or electronic service delivery project involving the collection, use, release, keeping or destruction of personal information".
Finally, where a public or private sector entity uses personal information to render a decision based exclusively on an automated processing of such information, it will be required to inform the individual concerned of same prior to or at the time the decision is made. The entity must also, upon request, inform the individual of:
- the personal information used to render the decision;
- the reasons and the principal factors and parameters that led to the decision; and
- the individual's right to have the personal information used to render the decision corrected.
Following the introduction of Bill 64, Quebec's National Assembly adjourned for its summer break. It will return in September 2020, with committee proceedings to resume in mid-August. If passed into law, Bill 64's final and transitional provisions indicate that most amendments to the Private Sector Act will come into force one year after the date of assent.
The Gowling WLG Cyber Security & Data Protection group will be monitoring developments closely and may be contacted for further information.