Canada Bill 64
On 12 June 2020, the Quebec government introduced Bill 64 in an effort to modernize the current legal regime in Quebec regarding the protection of personal information. The Bill not only updates the current legal framework regarding individuals’ personal information and privacy rights, but it also aligns Quebec’s privacy laws with those of other jurisdictions. In fact, many of the amendments that are proposed are influenced by, or are similar to, the provisions found in the federal Personal Information Protection and Electronics Act (“PIPEDA”) and the European Union’s General Data Protection Regulation (“GDPR”).
Once adopted, the modernization process will impact both private and public sectors as well as political parties, and will require compliance efforts by all these organizations given the new enforcement tools provided which include very significant monetary administrative penalties.
New monetary administrative penalties
Pursuant to Bill 64, the Quebec Commission on Access to Information (‘CAI’) will have the power to impose new monetary administrative penalties (‘MAPs’). MAPs may be imposed on organizations for the following reasons:
- failure to adequately inform individuals;
- unlawful collection, use, disclosure, or destruction of personal information;
- failure to report a confidentiality incident; and
- failure to inform individuals concerned by a decision based exclusively on an automated process or failure to provide individuals an opportunity to submit observations.
The maximum amount of the monetary administrative penalty is CAD 50,000 (approx. €33,330) (for individuals) and CAD 10,000,000 (approx. €66,670) (for businesses) or, if greater, 2% of worldwide turnover for the preceding year.
Bill 64 also modifies the penal offences and penalties already prescribed in the Act and broadens their scope. Currently, the power to institute penal proceedings under the Act rests with the Attorney General. Pursuant to Bill 64, the CAI may institute penal proceedings for the following offences, among others:
- unlawful collection, use, or disclosure to third persons;
- failure to report a confidentiality incident;
- identification or attempt to identify a natural person using de-identified information without authorization;
- impeding the progress of an inquiry or inspection of the CAI or the hearing of an application by the CAI by providing it with false or inaccurate information, by omitting to provide information it requires or otherwise; and
- failure to comply with an order of the CAI.
Pursuant to Bill 64, the fine for a penal offence will range from CAD 5,000 (approx. €3,330) to CAD 50,000 (approx. €33,330) in the case of a natural person and, in all other cases, from CAD 15,000 (approx. €15,000) to CAD 25,000,000 (approx. €16,667,130), or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year. In the event of a subsequent offence, the fines will be doubled.
New private right of action
Finally, Bill 64 also provides for a new private right of action, allowing individuals to be compensated for the injury resulting from the unlawful infringement of their rights, unless the injury results from superior force. Where the infringement is intentional or results from a gross fault, the court shall also award punitive damages of at least CAD 1,000 (approx. €670).
Accountability and governance
Bill 64 explicitly introduces into the Act the principle of accountability of the organization collecting the data. Most significantly for businesses, responsibility for the protection of personal information, i.e. the role of ‘Privacy Officer’, will now rest by default with the highest-ranking officer. Similar to the role of data protection officer (‘DPO’) under the GDPR (Regulation (EU) 2016/679), this person will be responsible for the implementation of, and compliance with, the provisions of the Act. All or part of this function may be delegated in writing to a staff member. Contact details for this person, or for the person to whom the role is delegated, must be published on the organization’s website or, in the absence of a website, made available by any other appropriate means.
Policies and practices
Bill 64 proposes that all organizations establish and implement privacy governance policies and practices. Such policies and practices must provide a framework for the keeping and destruction of the information, define the roles and responsibilities of the staff members throughout the life cycle of the information, and provide a process for dealing with complaints regarding the protection of the information. These policies must be published on the enterprise’s website or, if the enterprise does not have a website, made available by any other appropriate means.
Bill 64 will require organizations to conduct a mandatory ‘assessment of privacy-related factors’, commonly known as a Privacy Impact Assessment (‘PIA’), with respect to any information system project or electronic service delivery project involving the collection, use, disclosure, keeping, or destruction of personal information. An assessment of privacy-related factors will also be required before disclosing personal information outside of Quebec or disclosing personal information without consent to a person or body wishing to use the information for study or research purposes or for the production of statistics.
Privacy by Default
Bill 64 includes a new Privacy by Default requirement. Organizations collecting personal information through technological products or services will now have to ensure that the parameters of the product or service provide the highest level of confidentiality by default.
Bill 64 provides for additional transparency obligations.
Duty to inform at the time of collection (and on request afterwards)
Bill 64 introduces a new provision outlining specific information which must be provided to the individual at the time of collection (and on request afterwards), i.e.:
- the purposes for which the information is collected;
- the means by which the information is collected;
- the rights of access and rectification provided by law;
- the person’s right to withdraw consent to the communication or use of the information collected;
- the name of the person for whom the information is being collected if it is being collected for a third person (if applicable); and
- the possibility that the information could be communicated outside Quebec (if applicable).
On request, the person concerned must also be informed of the personal information collected from them, the categories of persons who have access to the information within the enterprise, the duration of the period of time the information will be kept, and the contact information of the person in charge of the protection of personal information. The information must be provided to the person concerned in clear and simple language, regardless of the means used to collect the personal information.
Duty to inform of the use of technology allowing individuals to be identified, located, or profiled
Bill 64 requires that organizations disclose, in advance, their use of technology that can identify, locate, or profile users, and then provide users with the means to disable the identification, location, or profiling features. ‘Profiling’ is defined as the collection and use of personal information to assess certain characteristics of a natural person, such as work performance, economic situation, health, personal preferences, interests, or behavior.
Reinforcement of consent
Bill 64 reinforces the concept of consent for the collection and use of personal information, which is at the center of Quebec’s privacy regime.
Under the Act, consent must be manifest, free, enlightened, and solicited for specific purposes. Bill 64 provides that consent must be clear, free, and informed and be given for specific purposes. It adds that consent must be requested for each such purpose, in clear and simple language and separately from any other information provided to the person concerned. If the person concerned so requests, assistance must be provided to help them understand the scope of the consent requested.
For sensitive personal information (i.e. information that entails a high level of reasonable expectation of privacy), Bill 64 stipulates that consent must be express.
Bill 64 also introduces new rules regarding children’s data. Personal information concerning a child (under 14 years of age) may not be collected from him without the consent of the person having parental authority, unless collecting the information is clearly for the minor’s benefit.
Consent to the processing of a child’s personal information is given by the person having parental authority. When a minor is 14 years of age or over, consent is given by the minor or by the person having parental authority.
Bill 64 introduces new consent exceptions.
Under the proposed provisions, the secondary use of personal information will be permitted without the prior consent of the person concerned, as long as:
- the use is for purposes consistent with those for which it was collected (and not for commercial or philanthropic prospection, which are specifically excluded);
- the use is for the benefit of the person concerned; and
- the use is necessary for study or research or for the production of statistics, and the information is de-identified (i.e. no longer directly identifies the person concerned).
Furthermore, Bill 64 proposes to fill a significant gap in the current version of the Act by expressly introducing an exception to allow the disclosure of personal information without consent in the course of a commercial transaction, as permitted under other Canadian privacy legislation of general application.
Outsourcing and transfers outside of Quebec
Bill 64 proposes clarifications to the rules applicable to the disclosure of personal information to service providers. Such disclosure may be made without consent and is subject to certain conditions, namely:
- a written agreement between the organization and the service provider;
- a description of the measures taken by the service provider to ensure the confidentiality of the personal information;
- a duty for the service provider to only use the personal information for the purposes of the contract and to not keep this information after the expiry of the contract; and
- a duty for the service provider to notify the organization of any actual or attempted confidentiality incident and to allow the organization’s privacy officer to conduct any verification relating to the confidentiality requirements (this last requirement does not apply if the service provider is a public body).
Transfers outside of Quebec
Bill 64 purports to reinforce the rules governing the cross-border transfer of personal information by businesses. Thus, as it currently stands, Bill 64 provides that before disclosing personal information outside of Quebec, an organization must conduct an assessment of privacy-related factors, taking into account:
- the sensitivity of the information;
- the purposes for which it is used;
- the protection measures that would apply to it; and
- the legal framework applicable in the State in which the information would be disclosed, including the legal framework’s degree of equivalency with Quebec’s privacy laws.
The information may only be transferred outside of Quebec if the assessment establishes that it would receive an equivalent level of protection.
The disclosure of the information is subject to a written agreement that takes into account the results of the assessment and, if applicable, the terms agreed on to mitigate the risks identified in the assessment.
While consent is not required to transfer personal information outside of the province, an individual must be informed of the possibility that the information could be disclosed outside of Quebec.
Mandatory breach reporting
Along with British Columbia, Quebec is currently one of the last jurisdictions in North America without mandatory breach reporting provisions. Bill 64 purports to resolve this issue by introducing a general obligation to notify data breaches (referred to as ‘confidentiality incidents’). The term ‘confidentiality incident’ refers to:
- unauthorized access, use, or disclosure of personal information; and
- loss of personal information or any other breach in the protection of that information.
When there is reason to believe that a confidentiality incident has occurred, the organization must take reasonable steps to reduce the risk of injury and to prevent new incidents of the same nature.
In the event of an incident involving a risk of serious injury, the organization must notify the CAI, as well as any person whose personal information is concerned by the incident (unless doing so would hamper an investigation conducted by a person or body responsible by law for the prevention, detection, or repression of crime or statutory offence). The organization may also notify any person or body that could reduce the risk, by disclosing to the person or body only the personal information necessary for that purpose without the consent of the person concerned. In the latter case, the person in charge of the protection of personal information must record the disclosure of the information.
Organizations must keep a register of confidentiality incidents, which must be sent to the CAI upon request.
Rights of individuals
Bill 64 creates three new GDPR-inspired rights for individuals, which we will refer to as the right to erasure, the right to data portability, and the right not to be subject to automated decision-making.
Right to erasure
If adopted, Bill 64 will allow an individual to require an organization to:
- cease disseminating personal information about him or her;
- de-index any hyperlink that provides access to that information, if the dissemination contravenes the law or a court order; and
- re-index any hyperlink that provides access to that information.
Such a request may be made when the following conditions are met:
- the dissemination of this information causes the person serious injury in relation to the person’s right to respect of his or her reputation or privacy;
- the injury is clearly greater than the public interest in knowing the information or the right to free expression (the balance of convenience criterion); and
- the remedy requested does not exceed what is necessary to prevent the perpetuation of the injury.
Right to data portability
Bill 64 provides that an individual may request a copy of computerized personal information in the form of a written and intelligible transcript. Unless doing so raises serious practical difficulties, computerized personal information collected from the applicant must, at their request, be disclosed to them in a structured, commonly used technological format. The information must also be disclosed, at the applicant’s request, to any person or body authorized by law to collect such information.
Right not to be subject to automated decision-making
Finally, Bill 64 stipulates that an organization using personal information to render a decision based exclusively on an automated processing of such information must, at the time of or before the decision, inform the individual concerned accordingly.
Upon request, the individual must also be informed of:
- the personal information used to render the decision;
- the reasons and the principal factors and parameters that led to the decision; and
- the right of the person concerned to have the personal information used to render the decision corrected.
The individual must be given the opportunity to submit observations to a staff member who is in a position to review the decision.
Although Bill 64 was adopted in principle in October 2020, it is still going through a review process and remains subject to change in the upcoming months.
Bill 64 currently provides for a one-year transition period between its adoption and the coming into force of the new provisions, except for the right to data portability, for which Bill 64 proposes a three-year deferral of implementation.
Given the number of proposed changes and new requirements, such periods are needed to allow companies to review their current practices, identify gaps and implement the necessary changes to ensure compliance, in order to avoid being subject to the new strong enforcement tools contemplated.