The Québec National Assembly has passed, and the Lieutenant Governor has assented to, Bill 64, An Act to modernize legislative provisions as regards the protection of personal information (Act). The Act, which became law on September 22, 2021, contains a broad range of important amendments to Québec’s private sector privacy law, the Act respecting the protection of personal information in the private sector (Private Sector Act), in addition to amending Québec’s public sector privacy law. With the passage of this Act, Québec has ushered in the most consumer-friendly privacy law in Canada, allowing individuals to assert much greater control over their personal information and imposing a number of prescriptive obligations on organizations (including foreign organizations) “carrying on an enterprise” in Québec and processing the personal information of Québec residents. The Act, which was heavily influenced by the European Union’s General Data Protection Regulation (GDPR), introduces a private right of action together with significant administrative monetary penalties and penal fines of up to $25 million or, if greater, 4% of worldwide turnover for the preceding fiscal year. Fines are doubled for subsequent penal offences.
The Act’s provisions will be phased in over a three-year period. A few provisions take effect one year from the date of assent, on September 22, 2022; most take effect a year later, on September 22, 2023; and the data portability right takes effect on September 22, 2024. As organizations doing business in Québec determine and implement the organizational and technical changes required by the new law, they may wish to consider the experience of organizations in Canada and the United States that faced similar challenges in meeting the onerous obligations of the GDPR in 2018. The key lesson from that experience was that organizations that treated GDPR compliance as a marathon rather than a sprint were substantially more successful in meeting their compliance obligations on time.
To help enterprises subject to Québec’s Private Sector Act embark on that road, and ensure timely compliance with the Act, we set out below some of its key requirements.
Reporting and Notification of Confidentiality Incidents
Québec’s privacy law has to date imposed limited obligations on an organization facing a data breach; in particular, it contained no mandatory breach-reporting requirement. The Act ushers in several key changes, which will take effect on September 22, 2022. Enterprises will be required to keep a register of all “confidentiality incidents,” a term that covers unauthorized access to, use of or communication of personal information, as well as the loss of personal information or any other breach of its protection. Where such an incident presents a “risk of serious injury,” it must also be reported to Québec’s privacy regulator, the Commission d’accès à l’information (CAI), and notice must be provided to every person whose personal information is affected. In assessing whether the risk of injury is serious, the enterprise must consider the sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that it will be used for injurious purposes; in practice this means the incident register should record that assessment and its reasoning, not merely the fact of the incident.
Where an enterprise has cause to believe that a confidentiality incident has occurred, it must take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature. To that end, it may notify any person or body that could reduce the risk of injury, communicating only the personal information necessary for that purpose and without the consent of the person concerned.
Communication of Personal Information Outside Québec
Before communicating personal information outside Québec, enterprises must conduct a privacy impact assessment confirming that the information will receive adequate protection, in light of generally recognized principles regarding the protection of personal information. Relevant factors include the sensitivity of the information, the purposes for which it will be used, the applicable protective measures (including contractual protections), and the legal framework and data protection principles applicable in the receiving jurisdiction. This assessment applies whether the information is transferred to a foreign data controller or to a data processor entrusted with the collection, use, communication or storage of the information on the enterprise’s behalf; routing data to a cloud provider hosted outside Québec therefore triggers it. Communication of personal information outside Québec must also be the subject of a written agreement that takes into account the results of the assessment and, if applicable, the terms agreed on to mitigate any risks it identifies. These requirements take effect on September 22, 2023.
Governance and Accountability
The Act imposes on enterprises a suite of responsibilities and obligations relating to the preservation, protection and destruction of personal information. As of September 22, 2022, the person exercising the highest authority within the enterprise (typically the CEO) will be directly responsible for the implementation of and compliance with the Private Sector Act, though that person may delegate all or part of this function in writing to another person, in effect a privacy officer, whether internal or external to the enterprise.
Every enterprise will also be required to establish and implement governance policies and practices that provide a comprehensive framework for managing and protecting personal information in accordance with the amended Private Sector Act. These must address, among other things, the roles and responsibilities of personnel throughout the life cycle of the information, the retention and destruction of personal information, and the process for handling complaints. The policies and practices must be proportionate to the nature and scope of the enterprise’s activities.
The Act also introduces “privacy by design” into Québec law by requiring that the privacy settings of any technological product or service offered to the public provide the highest level of confidentiality by default, without any intervention by the person concerned (this default-setting rule does not apply to privacy settings for cookies). Moreover, enterprises must conduct a privacy impact assessment, proportionate to the sensitivity and volume of the information involved, with respect to any acquisition, development or redesign of an information system or electronic service delivery project involving the collection, use, communication, keeping or destruction of personal information.
Transparency
The Act requires an enterprise that collects personal information to inform the affected individual (the data subject), at or before the time of collection, of the purposes and means of collection and of the individual’s rights of access, rectification and withdrawal of consent. If applicable, the enterprise must also disclose the names of any third parties on behalf of whom the information is being collected or to whom it is necessary to communicate the information, and the possibility that the information could be communicated outside Québec. Additional disclosure requirements apply when a data subject makes a request and when the information is collected using technology that includes functions allowing the data subject to be identified, located or profiled; in the latter case the enterprise must first inform the person of the use of such technology and of the means available to activate those functions.
The enterprise must publish on its website, in clear and simple terms, detailed information about its policies and practices regarding personal information; if the enterprise does not have a website, it must make this information available by any other appropriate means. Enterprises that collect personal information through technological means must likewise publish a confidentiality policy, drafted in clear and simple language, on their website.
Consent
Subject to certain exceptions, enterprises must obtain consent before communicating personal information to a third party or using such information for any purpose other than the purpose for which it was collected. If the information is of a sensitive nature, consent must be given expressly. To be valid, consent must be clear, free and informed, given for specific purposes, and requested for each such purpose in clear and simple language; where consent is requested in writing, the request must be presented separately from any other information. Consent remains valid only for the time necessary to achieve the purposes for which it was requested.
Notable exceptions to the need to obtain consent for a new purpose include where the personal information is used clearly for the benefit of the person concerned, used for a purpose consistent with that for which it was collected, necessary for the prevention and detection of fraud or for the assessment and improvement of protection and security measures, necessary for the supply or delivery of a product or service requested by the person concerned, or used for study, research or the production of statistics (in which case it must be de-identified). Although an exception was considered for the use of employee information in connection with employment-related decisions, this exception was ultimately not adopted.
The Private Sector Act also allows personal information to be communicated to certain third parties without the consent of the person concerned. For example, as long as certain contractual protections are in place, an enterprise may communicate personal information without the consent of the person concerned where necessary to carry out a mandate or perform a contract. Authorized employees or agents may also have access to personal information without consent if the information is needed for the performance of their duties.
Moreover, as a boon to parties acquiring or selling businesses or business assets, and again subject to certain protections, the Act provides that personal information may be communicated without consent by an enterprise to its intended counterparty to a commercial transaction, if such communication is necessary to conclude the transaction. Commercial transactions are defined under the Act to include those involving the disposition or lease of all or part of a business or its assets, a change in the business’s legal structure by amalgamation or otherwise, the obtaining of a loan or other form of financing, or the grant of a security interest. This amendment, which will take effect on September 22, 2022, generally aligns Québec’s Private Sector Act with the “business transaction” exemption under Canadian federal privacy legislation and substantially similar provincial privacy legislation, and is intended to avoid certain practical challenges currently experienced when sharing personal information in the course of commercial transactions under the Private Sector Act.
Individual Rights
The Act clarifies and expands upon the individual rights of access and rectification previously provided by Québec’s Private Sector Act by introducing a right to data portability and a “right to be forgotten.” Persons whose information has been collected have the right under the Act to obtain, upon request, a written transcript of computerized information held about them by an enterprise. Three years after the date of assent (that is, on September 22, 2024), persons will also have the right to request that computerized personal information collected from them be provided in a structured, commonly used technological format, such as a computer file. The amended Private Sector Act also grants individuals a “right to be forgotten,” that is, the right to have personal information de-indexed and to demand that it cease to be disseminated, in two circumstances: (i) the dissemination of the information contravenes the law or a court order; or (ii) the dissemination causes serious injury to the individual’s reputation or privacy, and that injury is clearly greater than the interest of the public in knowing the information or the interest of any person in expressing himself or herself freely.
Fines and Penalties
The CAI has expanded enforcement powers under the Act that allow it to impose administrative monetary penalties for a wide range of violations of the Private Sector Act. For enterprises (natural persons face lower maximums), these penalties can be as high as $10 million or, if greater, 2% of worldwide turnover for the preceding fiscal year. The Act requires the CAI to develop a general framework for the application of administrative monetary penalties, but guarantees enterprises certain safeguards, such as notification before the imposition of a penalty, an internal review process and a right to contest a review decision before the Court of Québec.
The Act also gives the CAI the power to institute penal proceedings before the courts for violations of the statute. For enterprises (again, natural persons face lower amounts), fines upon conviction range from $15,000 to $25 million or, if greater, 4% of worldwide turnover for the preceding fiscal year, and are doubled for a subsequent offence.
Private Right of Action
The Act creates a private right of action for individuals who suffer injury as a result of an unlawful infringement of their rights under the Private Sector Act or under the articles of the Civil Code of Québec relating to reputation and privacy. If the injury results from an intentional infringement or gross fault, the Act further provides that punitive damages of at least $1,000 shall be awarded.
Coming into Force
As noted above, the provisions of the Act will be phased in at yearly intervals over a three-year period. While most of the provisions take effect two years after the date of assent, on September 22, 2023, a few take effect after one year, on September 22, 2022. These include the designation of the person in charge of the protection of personal information (by default, the person exercising the highest authority within the enterprise, who may delegate the role in writing), the obligations relating to privacy breaches and other “confidentiality incidents,” and the provision allowing the communication of personal information without the consent of the person concerned where necessary to conclude a commercial transaction. The provision granting individuals the right to obtain the information collected from them in a structured, commonly used technological format takes effect three years from the date of assent, on September 22, 2024.
The Act largely overhauls the Québec privacy law landscape and imposes meaningful obligations on individuals and entities carrying on an enterprise in Québec, under threat of stiff penalties and potential civil litigation. Many Québec enterprises, particularly those that do business in Europe, may already be several steps ahead in formulating and implementing a personal information governance strategy. Others will now need to embark on that journey. The experience of organizations that had to comply with the GDPR when it came into force in 2018 shows that starting early is key: according to estimates compiled by the International Association of Privacy Professionals, only 53% of surveyed entities felt confident that they were fully compliant when the GDPR came into force. Enterprises subject to the Private Sector Act would be well advised to begin formulating a plan now to comply with the new administrative, organizational and technical requirements. The new era of privacy law in Québec is fast approaching.