Quebec’s Privacy Law Reform in the Private Sector - Key Milestones to Consider for Businesses

As highlighted in our previous post, the Act to modernize legislative provisions as regards the protection of personal information (”Bill 64”) brings significant amendments to the Act respecting access to documents held by public bodies and the protection of personal information, the Act respecting the protection of personal information in the private sector as well as to the Act to establish a legal framework for information technology.

While the majority of the provisions of Bill 64 will enter into force on September 22, 2023, there are important new requirements coming into force in less than a month, on September 22, 2022. One final amendment will come into force on September 22, 2024. The present article elaborates on key changes for the private sector.

September 22, 2022

Reporting of confidentiality incidents

As of September 22, 2022, following an incident presenting a ”risk of serious injury” to individuals, organizations will be required to notify Quebec’s privacy regulator, the Commission d'accès à l'information (”CAI”), as well as the affected individual(s). There is no prescribed period of time to report an incident, but it must be done “promptly”. The “risk of serious injury” threshold will be assessed on the basis of factors such as the sensitivity of the personal information involved, the anticipated consequences of its use, and the likelihood that such information will be used for injurious purposes which are similar to those used under the “real risk of significant harm” test provided at the federal level in the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Organizations must also keep a register of confidentiality incidents and send a copy of the register to the CAI at its request.

In addition, on June 29, 2022, the Quebec government published the draft Regulation respecting confidentiality incidents (the “Regulation”). The Regulation provides additional details regarding the notification and record keeping requirements. While the Regulation is still in draft form and open to modifications, under the current version, organizations will have to provide the CAI with a description of the elements that led them to conclude that there is a risk of serious injury to the affected individuals, and retain records of confidentiality incidents for five (5) years, which exceeds the two-year requirement under PIPEDA.

Designation of a privacy officer

Under the new provisions, the person that has the highest authority within an organization will be deemed responsible for overseeing the protection of personal information by default. This role can, in whole or in part, be delegated in writing to another individual. The organization must also ensure that the title and contact information of the privacy officer are available on its website.

Requirement to disclose use of biometrics 

As of September 22, 2022, organizations using biometrics for identity verification or confirmation must disclose this practice to the CAI in advance of any such use. Organizations will also be required to notify the CAI of the creation of a database of biometrics promptly and no later than 60 days before the database is brought into service.

September 22, 2023

The vast majority of the modifications introduced under Bill 64 will enter into force on this date.

Establishment and publication of governance and confidentiality policies

Organizations must establish and publish policies and practices on the protection of personal information. These policies and practices must (i) provide a framework for the retention and the destruction of the information, (ii) define the roles and responsibilities of employees throughout the life cycle of the information, (iii) provide a process for handling complaints regarding the protection of the information. Detailed information in plain language must be published on the organization's website.

At the same time, organizations collecting personal information through technological means will be required to publish a confidentiality policy on their website. This policy must be drafted in “clear and simple language”.

Privacy impact assessments

Organizations will be required to conduct privacy impact assessments (“PIA”) with respect to the acquisition, development and redesign of any information systems or electronic service delivery project involving the collection, use, communication, keeping or destruction of personal information.

A PIA must be “proportionate to the sensitivity of the information, the purpose for which it is to be used, and the amount, distribution and format of the information”.

Updated consent requirements

The September 2023 amendments update the applicable consent requirements. Any person who collects personal information from the person concerned must inform that person of the following:

• The purposes for which the information is collected;
• The means by which the information is collected;
• The rights of access and rectification provided by law; and
• The person's right to withdraw consent to the communication or use of the information.

This information must be provided in “clear and simple language”.

For the collection and communication of personal information, consent must be “clear, free and informed and be given for specific purposes”. A written request for consent must also be presented separately from any other information provided to the person concerned. In addition, consent is only valid for the “time necessary to achieve the purposes for which it was requested”.

However, Bill 64 includes certain exceptions to the consent requirement. For instance, it will be possible to outsource personal information without the consent of the person concerned if the information is necessary for carrying out a mandate or performing a contract or services entrusted and the organization complies with the formalities provided in the legislation.

New requirements are also introduced for the consent of a minor under the age of 14:

The personal information concerning a minor under 14 years of age may not be collected from him without the consent of the person having parental authority or of the tutor, unless collecting the information is clearly for the minor’s benefit.

Disclosure outside Quebec

A PIA will be required before personal information can be communicated outside of Quebec. Prior to transferring the information, organizations need to consider the following:

• the sensitivity of the information;
• the purposes for which it will be used;
• the protection measures, including those that are contractual, that will apply to it; and
• the legal framework applicable in the jurisdiction in which the information would be released, including the personal information protection principles applicable in that jurisdiction.

Such communication must be subject to a written agreement, which requires to take into account the results of the PIA, as well as, if applicable, the terms agreed upon to mitigate the risks identified in the PIA.

Right to be forgotten

Individuals may require that organizations cease to disseminate their personal information or that any hyperlink attached to their names and providing access to their personal information be de-indexed, where such dissemination contravenes the law or a court order.

Monetary administrative penalties and penal sanctions

The CAI will have the power to impose monetary administrative penalties up to $50,000 for a natural person, and for legal persons, up to the greater of $10,000,000 or 2% of the worldwide turnover for the preceding fiscal year.

The person or body in default will have the right to request a review of the decision made by the CAI. The review decision may also be contested before the Court of Quebec.

The CAI will also be able to institute penal proceedings. The maximum amount for penal sanctions will be $100,000 for a natural person, and $25,000,000 or 4% of the worldwide turnover for a legal person.

Disclosure regarding automated processing

Organizations must inform individuals when their personal information is used to render a decision based exclusively on the automated processing of this information. The individual concerned must be given the opportunity to submit observations to an individual within the organization who is in a position to review the decision.

Use of information to identify, localize or profile an individual

Organizations must inform individuals whose personal information is collected of the use of a technology that includes the functions allowing the identification, localization or profiling of these individuals.

Anonymization of personal information

Under the current legislation, organizations have an obligation to destroy personal information when the purpose for which it was collected or used has been achieved. As of September 22, 2023, such information may also be anonymized so that it can be used “for serious and legitimate purposes”. Personal information is anonymized under the act when it is at all times reasonable to expect that it will irreversibly no longer allow the individual to be identified directly or indirectly.  The anonymization must occur according to generally accepted best practices.

Default parameters to protect confidentiality

Bill 64 specifies that organizations collecting personal information and offering technology products or services that have privacy settings need to ensure that these settings provide the highest possible level of privacy by default. This requirement does not apply to website cookies.

September 22, 2024

Right to data portability

The only provision that will enter into force on this date concerns the release and transfer of personal information. Under the right to data portability, organizations will be required to provide individuals with personal information collected about them in a structured and commonly used technological format. At the same time, individuals can, at their request, require information to be released to any person or body authorized by law to collect such information.

Conclusion

With the coming into force of certain Bill 64 provisions, Quebec will become the first jurisdiction in Canada to modernize its privacy legislation. The CAI is expected to continue publishing guidance and compliance insight, in particular with respect to the interpretation and application of the “risk of serious injury” threshold and the PIA “proportionality test”.

If you have any questions on how these changes will affect your business, we invite you to contact our Cyber Security & Data Protection Group.