Act is 'first domino in a series of changes that will be reshaping the Canadian privacy landscape'
On September 22, the Act to modernize legislative provisions relating to the protection of personal information (“Bill 64”) received royal assent, after its adoption by the National Assembly of Quebec a day earlier.
The Act represents a major reform of the current privacy regime in Quebec, with changes aimed at improving transparency, enhancing consent requirements, and increasing data confidentiality. Its enforcement will be spread out over three years, and it will affect both private- and public-sector businesses operating in Quebec.
“The passing of Bill 64 cannot be overstated,” said Imran Ahmad, Head of Technology and Co-Chair of Data Protection, Privacy & Cybersecurity at Norton Rose Fulbright Canada.
“It’s the first domino in a series of changes that will be reshaping the Canadian privacy landscape,” Ahmad said in an email. “Increased enforcement powers coupled with a GDPR-type approach -- our clients are looking at it as a major compliance initiative for 2022 and beyond.”
The Act introduces amendments “that will cause structural changes” in the way organizations do business, says Chantal Bernier, head of the Privacy and Cybersecurity practice group for Dentons Canada LLP in Ottawa.
First, she says, mandatory privacy impact assessments (PIAs) will now be required for i) any project to acquire, develop or redesign an information system or electronic service delivery project involving personal information; ii) the transfer of personal information outside of Québec; and iii) the communication of personal information without consent for study, research or statistical purposes.
This means that “organizations must create processes internally to determine when their activities meet the requirement to have a PIA,” Bernier adds, as well as how to go about them: “who does the PIAs, what is the method they want to implement … ?”
Second, since the Act strengthens the requirements for accountability -- meaning the internal processes by which an organization complies with privacy law -- it requires organizations “to step back, look at their compliance structures and processes, and ask themselves if they still meet the test.”
Third, the Act regulates the use of de-identified and anonymized information. The Bill defines de-identified information as information that “no longer allows the person concerned to be directly identified.” Anonymized information is that which is “at all times reasonable to expect in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly.”
Information that was anonymized and no longer personal used to be outside the scope of privacy law, she says, but now its use is much more restricted.
“Organizations will need to look at their practices, to make sure they still meet that test.”
And fourth, organizations using automated decision-making will need to update their privacy policies and create new mechanisms to address new individual privacy rights, such as the right to be forgotten and the right to access information on how automated decision-making affected a decision concerning them. Individuals will now have the right to obtain the information that went into automated decision-making, and to challenge decisions made through those processes.
The adoption of this law brings to a close a long legislative process that began on June 12, 2020 with the presentation in the National Assembly of Bill 64.
The new Act will come into effect in three stages over three years, says Éloïse Gratton, National Co-leader, Privacy and Data Protection at Borden Ladner Gervais LLP in Montreal.
Coming into effect in September 2022 is a new requirement for organizations to have someone in charge of personal information, i.e., a privacy officer. “By default, this person is the CEO of the company; and they will have to have a process in place” to manage the provisions of the Act.
New breach reporting requirements will also come into effect at that time.
The majority of provisions will come into effect in September 2023; these include new requirements for policies and practices, privacy impact assessments, automated processing, cross-border transfers, outsourcing, transparency, consent, privacy by default, retention and destruction of information, and de-indexation rights (i.e., “the right to be forgotten” on the internet).
In September 2024, a new data portability right will come into effect. This right allows an individual to request that their personal information “collected from them be communicated to them (or to another organization designated by the individual) in a structured, commonly used technological format,” meaning it can be shared with another provider; “so, consumers can easily grab their data and do business with someone else,” says Gratton.
Penalties for infractions are steep, and among the most stringent in the world. Administrative penalties for breaches would be $50,000 per individual, says Bernier, and for corporations up to $10 million, or 2 per cent of global revenues, whichever is higher. Criminal penalties are even greater: 4 per cent of an organization’s gross global revenue in the financial year before the one in which the organization is sentenced, or $25 million, whichever figure is higher, and $100,000 per individual.
The penalties were “inspired by the GDPR,” or the EU’s General Data Protection Regulation, says Bernier.
But some of the requirements are more stringent than those required under the GDPR, says Gratton. For example, for cross-border transfers of information: under the new Act “there is an obligation to systematically conduct an assessment of the privacy-related factors whenever personal information is communicated outside Quebec.” However, “the nature, scope and content of this assessment lacks certainty and predictability, as it would require businesses to routinely evaluate broad, open-ended concepts such as the ‘legal framework’ of a foreign jurisdiction and ‘generally accepted data protection principles.’” These can have a wide meaning that can shift over time, she says.
“This also raises concerns about whether there is a need to routinely monitor developments in a foreign jurisdiction to ensure that [personal] information continues to receive an adequate protection.” It would have been preferable to have a regime limiting the cross-border transfer requirements to high-risk transfers, she says, involving especially sensitive information.
Another concern is the privacy by default and design requirements, Gratton says, or sections 8.1 and 9.1 of the Act. There is “a lot of uncertainty with regard to these provisions,” including what s. 9.1 means by “the highest level of confidentiality,” leaving industry stakeholders guessing as to its meaning and precise application in any given context.
The new Act sets “a precedent of privacy law in Canada,” says Bernier. “Reading Ontario’s white paper on its modernization of privacy law, you already see the influence of Bill 64.”
Second, “the Commission d'accès à l'information du Québec (CAI) is known to exercise its jurisdiction over organizations that consider themselves covered by PIPEDA,” she says. “The view is when this information is collected in Quebec, Quebec legislation applies,” and so would be relevant outside its borders.