Assessments must be 'adapted to the level of complexity of the project,' says Guillaume Laberge
September’s implementation of the second phase of Quebec’s new private sector privacy law will include privacy impact assessments, which were formerly only present in the province’s public sector, says Guillaume Laberge, a Montreal-based partner at Lavery.
Law 25, which amended Quebec’s Act Respecting the Protection of Personal Information in the Private Sector, is coming into force in three phases. The first batch of amendments came into force in 2022. The second phase will take place in September 2023 and the final phase in September 2024. Among the next set of changes is a requirement that companies execute privacy impact assessments in three different scenarios. When an organization communicates personal information outside of Quebec, it will need to complete a privacy impact assessment. The development or upgrade of an information system or electronic service that involves the collection, use, communication, or destruction of personal information will trigger the requirement. And a privacy impact assessment will also be necessary when a company shares personal information for research purposes.
“It's a risk management process that occurs before the decision is made,” says Laberge. “The purpose is to help businesses to ensure that they heed legislative requirements, and they identify beforehand the impacts that their activities will have on individuals’ privacy.”
Laberge is a member of Lavery’s administrative law group, practises administrative and constitutional law, and has experience in the law around access-to-information, privacy, and professional discipline.
Clients may be concerned about the time commitment involved, the process’s complexity, and the resources required to execute a privacy impact assessment. But, he says, a proper assessment is not necessarily long, complicated, or resource-intensive. It simply requires planning and an understanding of the risks and potential privacy impacts.
“A good privacy impact assessment must be adapted to the level of complexity of the project.”
As an example of the necessary planning, when a company decides to communicate personal information outside of Quebec, it must consider the legal regime applicable in the jurisdiction in which the information will be disclosed, and whether that jurisdiction provides an adequate level of protection considering “generally accepted principles of protection of personal information,” says Laberge.
Organizations engaging in any of the activities triggering a privacy impact assessment will need to keep records of it on hand in case there is an inquiry from the privacy commissioner as the result of a complaint, he says.
“It's not necessarily a complicated process, but it needs to be done carefully. It's not a superficial legal checklist. It's more than that.”
“It also needs to be kept up to date. It's not necessarily a one-time exercise. It's not a marketing tool… More importantly, it's not a tool to justify decisions already made or practices already in place. It needs to happen upstream of the decision-making process.”
Among the requirements that were introduced in September 2022 is that organizations appoint a privacy officer in charge of the handling of personal information. Companies will also need to notify the Commission d'accès à l'information du Québec of any privacy breaches or unauthorized disclosure of personal information, as well as anyone impacted, and keep a record of the event for five years.
Fines for non-compliance with Law 25 range from $15,000 to $25,000,000 or, if greater, the amount corresponding to four percent of the company's worldwide turnover for the preceding fiscal year.