On September 22, 2021, the Quebec government adopted Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, enacting significant changes to the requirements governing the use and protection of personal information under various statutes, including notably the Act respecting the protection of personal information in the private sector (the "Private Sector Act") and the Act respecting Access to documents held by public bodies and the Protection of personal information (the "Public Sector Act").
Bill 64 will undoubtedly drastically alter the province's privacy landscape. For instance, the Bill affords individuals increased rights and control over their personal information. As a necessary corollary to this, it also significantly increases the obligations of public and private sector entities that hold personal information. Many entities doing business in Quebec will therefore need to implement significant changes to the ways in which they collect, store, share, and retain personal information in order to comply with the requirements of the Bill. Those who fail to do so may face prescribed noncompliance consequences (discussed in greater detail below) – the most punitive in Canada. The changes enacted by Bill 64 will come into force gradually – the first will take effect on September 22, 2022, one year after the Bill's assent. The majority of the provisions of the Bill are set to come into force a year later, on September 22, 2023, with the final provisions effective on September 22, 2024.
When the initial version of Bill 64 was tabled in June 2020, we prepared a detailed article discussing the changes to both the Private Sector Act and the Public Sector Act proposed by the Bill, and the significant impact that these changes would undoubtedly have on the Quebec privacy landscape. Since then, numerous amendments have been made to the Bill, such that the version passed into law differs in several regards from the version initially released. Below is a summary of the most significant amendments.
Increased penalties for noncompliance (in force as of September 22, 2022)
As mentioned in our previous article, Bill 64 increases the fines for noncompliance with privacy legislation, providing that private sector entities be subject to fines ranging from $15,000 to $25,000,000, or an amount corresponding to 4% of worldwide turnover for the preceding fiscal year, whichever is greater. This remains unchanged in the final version of the Bill.
For natural persons, however, the initial version of Bill 64 presented last summer provided for fines ranging from $5,000 to $50,000 under both the Private Sector Act and the Public Sector Act. This maximum amount has now been doubled to $100,000 in both cases.
The amendments will make it an offence to fail to take appropriate security measures to protect personal information under both the Private Sector Act and the Public Sector Act. Public bodies and private sector entities that do not take the security measures necessary to ensure the protection of the personal information they collect, use, release, keep or destroy, measures that must be reasonable given the sensitivity of the information, the purposes for which it is to be used, its quantity and distribution, and the medium on which it is stored, will be subject to the fines above.
Private right of action (in force as of September 22, 2023)
Under the initial version of Bill 64, penal prosecutions for violations of both the Public Sector Act and the Private Sector Act had to be instituted within three years of the date of the offence.
Under the final version of the Bill, this deadline has been extended to five years, allowing the regulator a significantly longer timeframe in which to take action against offenders.
Mandatory breach reporting (in force as of September 22, 2022)
As previously mentioned, there is currently no requirement for Quebec entities to report data breaches or other security incidents. Bill 64 introduces the requirement that both public and private entities report incidents both to the Commission d'accès à l'information and to the persons whose data is affected where the incident "presents a risk of serious injury".
The Bill does not define the cases in which an incident presents a risk of serious injury, and it is unclear at this time whether any such definition will be provided by regulation. Nonetheless, the Bill provides general guidelines for assessing the risk of injury to a person whose personal information is concerned by a confidentiality incident: both public and private entities must consider the sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes.
As of September 22, 2022, both public and private sector entities will be required to notify the Commission d'accès à l'information and any persons whose data is affected by a data security incident that "presents a risk of serious injury" as well as keep a register of these confidentiality incidents.
Exemptions to consent requirements (in force as of September 22, 2023)
The amendments also establish new situations in which an enterprise will be permitted to use personal information without the consent of the individual concerned. Notably, consent will not be required:
- If the use of the information is necessary to prevent or detect fraud, or to assess and improve security measures; or
- If the use of the information is necessary for the purpose of providing or delivering a product or providing a service requested by the individual.
Under the initial version of the Bill, the Private Sector Act was modified to provide that an enterprise will not require consent to use de-identified information. The amendments qualify this exemption, providing that an enterprise that uses de-identified information must "take reasonable measures to limit the risk of someone identifying a natural person" using said de-identified information.
The initial version of Bill 64 also introduced an exception permitting the use of personal information without consent in the context of commercial transactions, as currently exists in other Canadian jurisdictions. Under the initial version of the Bill, only the transfer of ownership of all or part of a business was deemed a "commercial transaction" for the purposes of this exemption. The amendments extend this definition to include the sale or lease of all or a part of an enterprise's assets, the modification of its legal structure by merger or otherwise, or "any other form of financing by the enterprise or of a security taken to guarantee any of its obligations". This amendment more closely aligns the Private Sector Act with the exemption provided under federal privacy legislation, and will reduce the practical challenges faced by businesses concluding transactions in the province.
Privacy by design (in force as of September 22, 2023)
As previously reported, the version of Bill 64 first tabled introduced "privacy by design"-type requirements, under which enterprises offering technological goods or services would be required to ensure that the parameters of these goods or services provided the "highest level of confidentiality by default", without any intervention by the user.
The concept of "privacy by design" remains in place in the final version of Bill 64, but the scope of application of the requirements in this regard has been narrowed somewhat. Under the final version of Bill 64, the requirements mentioned above will only apply to technological products or services offered "to the public" (as opposed to, say, those made available by an employer to its employees), and only where the product or service at issue "has privacy parameters". Finally, the updated version of Bill 64 exempts privacy settings for browser cookies from the requirements above.
New requirements regarding information collected through technological means (in force as of September 22, 2023)
The initial version of Bill 64 introduced the requirement that, in certain circumstances and upon request, private entities must delete some of an individual's personal information or de-index any hyperlink attached to their name. This mirrors various "right to be forgotten" provisions that have recently been introduced into the privacy legislation of various jurisdictions, including the European Union's General Data Protection Regulation.
This right remains for the most part unchanged from the initial version of the Bill: an individual may require that a private sector entity cease disseminating their personal information or de-index any hyperlink attached to their name that provides access to the information by a technological means if the dissemination of said personal information contravenes the law or a court order.
As mentioned in our previous article, an individual will also be permitted to make such a request, or to request that the hyperlink be re-indexed, where:
- the dissemination of the information causes serious injury to the individual's right to privacy or reputation;
- the injury is clearly greater than the interest of the public in knowing the information or the interest of any person in expressing themselves freely; and
- the cessation of the dissemination or the re-indexation or de-indexation requested does not exceed what is necessary for preventing the perpetuation of the injury.
One addition since the initial version of the Bill, however, provides that upon granting such a request, the private sector entity's privacy officer must also declare, in the written response to the request, that the personal information has ceased to be disseminated or that the hyperlink has been de-indexed or re-indexed.
Designation of individuals responsible for personal information (in force as of September 22, 2022)
Bill 64 introduces the requirement that organizations designate an individual to be responsible for ensuring compliance with privacy legislation.
In private entities, this person will, by default, be the CEO. Under the initial version of Bill 64, this responsibility could be delegated to another member of the enterprise's personnel. Under the amendments, however, this right of delegation has been expanded, allowing a CEO to delegate this power to "any person", internal or external to the enterprise. Businesses will thus be permitted to outsource this function to a third party.
The contact information of the person in charge of the protection of personal information will need to be published on the enterprise's website.
Enhanced requirements for the communication of personal information outside Quebec (in force as of September 22, 2023)
The initial version of Bill 64 called for drastically increased requirements on enterprises wishing to transfer personal information outside the province of Quebec, providing that such a transfer could occur only if the target jurisdiction offered protection "equivalent to" that which the information would be afforded in Quebec.
Under the amendments, this requirement has been tempered; transfers will be permitted to jurisdictions offering "adequate protection," to be assessed "in particular in light of generally recognized principles regarding the protection of personal information."
Under the initial version of the Bill, the province was to publish a list of jurisdictions in which personal information received protection "equivalent to" that provided in Quebec, dispensing businesses from conducting such an assessment internally. This provision has been removed from the final version of the Bill, such that businesses wishing to transfer personal information out of the province will be required to conduct their own assessment of the protection to be afforded in the target jurisdiction.
New notification requirements (in force as of September 22, 2023)
The initial version of Bill 64 provided that upon the collection of personal information, an enterprise would have to inform the individual concerned of the purposes of the collection, the means by which the information is collected, and the person's right of access, rectification, and withdrawal of consent.
The amendments add that an enterprise will also be required to inform the individual of the names of the third parties to whom the collected information will have to be communicated in order to fulfill the purposes for which it was collected. Under this amendment, a simple statement that the information may be shared with third parties will not be sufficient. Instead, enterprises will be required to disclose the name of each such third party or the categories of third parties concerned.
Next steps and further considerations
Businesses that fail to comply with Bill 64 risk facing unprecedented penalties of up to $25 million (which exceed the maximum penalties available under the Competition Act and Canada's Anti-Spam Legislation (CASL)) – a great departure from the $50,000 maximum penalty under the current regime. In addition, individuals maintain a private right of action for injury resulting from the unlawful infringement of a right conferred by the Private Sector Act or sections 35 to 40 of the Civil Code of Québec. The Bill also introduces a minimum award of $1,000 in punitive damages where the infringement is intentional or results from a gross fault.
In light of the above consequences for failing to comply with the forthcoming privacy reform, companies operating in Quebec should consider the following:
- Conducting an internal assessment of current processes (i.e. collection, use, maintenance and disclosure of personal information);
- Identifying any jurisdictions outside of Quebec to which personal information may be transferred, and conducting a privacy impact assessment for each such jurisdiction;
- Identifying the person best suited to be appointed Privacy Officer and making any delegation deemed appropriate based on that identification;
- Reviewing and revising current privacy policies and practices (e.g. internal and external privacy policies; current physical, technological and cyber privacy safeguards; etc.);
- Reviewing current contractual obligations vis-à-vis the company's processing of personal information;
- Auditing current data/consent practices and language; and
- Reviewing and revising current confidentiality incident reporting and access/data subject rights request practices, with a view to implementing appropriate policies and procedures (e.g. establishing an incident analysis and reporting process, implementing "right to be forgotten" accommodations, de-indexing hyperlinks, etc.).
Should you have any questions on how these changes affect your business, please feel free to contact the authors and members of our Quebec Cyber Security & Data Protection Group.