On June 12, 2020, Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, was introduced in the National Assembly of Québec. Its purpose is to modernize the framework applicable to the protection of personal information in several Acts. Given the nature of this audience, I will confine my discussion to the proposed changes regarding the protection of personal information in the private sector, that is, the amendments to the Act respecting the protection of personal information in the private sector (the Québec Private Sector Act).
There are several important proposed changes; a few of the highlights are as follows:
- Enforcement – a significant change would be the monetary administrative penalty for contraventions, which the Commission d’accès à l’information (Commission) would be able to impose on organizations, up to a maximum of $10,000,000 or, if greater, the amount corresponding to 2 percent of worldwide turnover for the preceding fiscal year. The existing penal provisions would also change: the Commission would be able to institute penal proceedings, and the fines on organizations would be much higher, with maximums of $25,000,000 or, if greater, the amount corresponding to 4 percent of worldwide turnover for the preceding fiscal year. For a subsequent offence, the fines would be doubled. Different types of violations would attract monetary administrative penalties (section 90.1, for example failure to report a breach) and penal sanctions (section 91, for example failing to comply with an order of the Commission).
- Breach reporting – there would be new breach reporting requirements broadly in line with those of the Personal Information Protection and Electronic Documents Act (PIPEDA), although the wording is somewhat different: organizations would be required to notify the Commission and affected individuals when a confidentiality incident creates a risk of injury to a person whose personal information is concerned by the incident. A “confidentiality incident” would be defined as access to personal information not authorized by law; use of personal information not authorized by law; communication of personal information not authorized by law; or loss of personal information or any other breach in the protection of such information. When assessing the risk of injury, the sensitivity of the information concerned, the anticipated consequences of its use, and the likelihood that it would be used for injurious purposes would have to be considered. Further, organizations would be required to keep a register of confidentiality incidents, the content of which could be determined by government regulation.
- Consent – new provisions would state that, unless the person concerned consents, personal information may not be used within the organization except for the purposes for which it was collected, and this consent would have to be given expressly when it concerns sensitive personal information. The requirements for consent would be further clarified: consent would have to be clear, free and informed and be given for specific purposes, be requested for each such purpose in clear and simple language, and be requested separately from any other information provided to the person concerned. If the person concerned so requests, assistance would have to be provided to help the person understand the scope of the consent requested. Moreover, no person may communicate to a third person the personal information held on another person unless the person concerned consents to, or the Québec Private Sector Act provides for, such communication; here too, the consent would have to be given expressly when it concerns sensitive personal information. Information is “sensitive” if, due to its nature or the context of its use or communication, it entails a high level of reasonable expectation of privacy.
- Impact assessments – organizations would be required to conduct an assessment of the privacy-related factors of any information system project or electronic service delivery project involving the collection, use, communication, keeping or destruction of personal information, and in doing so would have to consult the person in charge of the protection of personal information within the organization from the outset of the project. This involves reviewing the project to identify the applicable legal requirements and privacy risks, and the appropriate safeguards and measures to address those risks.
- Highest level of confidentiality by default – organizations would be required to practise privacy by design, meaning that the privacy rights of individuals must be considered, respected and accounted for at all times, right from the outset. It is interesting to note that the phrase “highest level of confidentiality by default” is not defined.
- Some other obligations – organizations would also be required to respect the right to be forgotten, the right to object to automated processing, the right to data portability, and the right to be informed of the use of technology that allows individuals to be identified, located or profiled. They would also need to establish and implement governance policies and practices regarding personal information that ensure the protection of such information. These policies and practices would have to provide a certain framework, be proportionate to the nature and scope of the organization’s activities, and be approved by the person in charge of the protection of personal information. Within the organization, the person exercising the highest authority must ensure that the Québec Private Sector Act is implemented and complied with.
These are just some examples of the proposed changes; organizations should review Bill 64 for further details.
What does this mean?
Of course, Bill 64 has only just been introduced, and it would amend the Québec Private Sector Act. That said, this development is noteworthy for all organizations in Canada; some may go so far as to say that the changes proposed in Bill 64 represent a new direction in the protection of personal information not just for Quebec, but perhaps for all of Canada. More specifically, just as Quebec led the way in 1993 with the introduction of the Québec Private Sector Act, roughly 10 years before other Canadian jurisdictions enacted comparable private-sector legislation, it appears to be forging a new path for Canada by adopting a framework similar to that of the EU. Indeed, several of the proposed provisions are in line with, and look very similar to, the EU’s General Data Protection Regulation (GDPR).
In my view, we may expect to see a shift towards stronger, more protective privacy laws in the near future in the federal Personal Information Protection and Electronic Documents Act (PIPEDA), as well as in Alberta’s Personal Information Protection Act (AB PIPA) and British Columbia’s Personal Information Protection Act (BC PIPA).
So it is time for organizations to start paying close attention to what will likely be an evolution of privacy law in Canada, beginning with Quebec’s Bill 64.