This article is part of our Bill 64 Blog Series, which will provide readers with a 360° view on Bill 64 and its sweeping amendments to Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (the “Private Sector Act”). To view other blog posts in the series, please visit this page.

This article follows a previous publication in which we discussed how the Act to Modernize Legislative Provisions respecting the Protection of Personal Information (“Bill 64” or the “Bill”), which received royal assent on September 22, 2021, will bring important changes to the requirements businesses must comply with when transferring personal information outside of Quebec under the Act Respecting the Protection of Personal Information in the Private Sector (the “Private Sector Act”).[1] Our previous discussion focused on the new privacy impact assessments (“PIA”) businesses will need to conduct to assess whether the data transferred outside Quebec will receive an adequate level of protection. Here, we analyze the added requirement to enter into written agreements that take into account the results of the PIAs.

Changes to the Previous Regime

Prior to Bill 64’s introduction, the Private Sector Act already required that transfers of personal information outside of Quebec be subject to a written agreement. Section 17 required that “all reasonable steps” be taken to ensure that information transferred for use, collection, or holding by a person outside Quebec would not be used for a purpose other than the one originally consented to.[2] In the context of a business transferring personal information to a third party for processing purposes, the Commission d’accès à l’information (“CAI”) set out strict requirements, calling for a written agreement that codifies: 1) the scope of the mandate; 2) the purposes for which the agent would use the information; 3) the categories of persons who would have access to the information; and 4) an obligation to maintain confidentiality.[3]

Bill 64 updates the Private Sector Act and introduces more stringent contractual requirements. First, there are new rules that apply to the communication of personal information to any third party, not only outside Quebec. Businesses that communicate personal information to a third party for the purposes of performing a contract of services must now:[4]

  • commit the contract to writing;
  • include the measures the recipient must take to protect the confidentiality of the information, to use it only for the specific purpose, and to promptly delete it once the contract has been performed;
  • require the third party recipient to inform the person in charge of personal information at the business of any violation or attempted violation; and
  • permit the person in charge of personal information at the business to conduct any verification relating to confidentiality requirements.

In addition, specific requirements are added for transfers outside of Quebec. During the committee stage, the legislature added to Bill 64 that privacy impact assessments should take into account the contractual protection measures that personal information may benefit from as part of the “adequate protection in compliance with generally accepted data protection principles” standard.[5]

Comparisons with Existing Privacy Regimes

PIPEDA and the GDPR employ similar provisions that require contractual clauses in the context of the transfer of personal information. All three regimes acknowledge that transfers of personal information may face unique and varied privacy challenges depending on the sensitivity of the information and the context of the transfer.

PIPEDA establishes that organizations are responsible for any personal information in their possession that has been transferred to a third party for processing. As part of the principle of accountability, businesses must take contractual or other means to provide a “comparable level of protection”.[6] Though specific measures leading to compliance are not specified in PIPEDA, the Office of the Privacy Commissioner (“OPC”) has published a guidance document that includes appropriate measures to take into consideration for compliance. In a recent report of findings, the OPC identified that appropriate contractual measures to protect personal information include: employee background checks and monitoring, effective information security training, access and other cybersecurity controls, and active monitoring of contractual obligations.[7]

The GDPR takes a more formal approach on the types of contractual protections considered appropriate for compliance when transferring data across borders. The GDPR specifies that a data transfer to a third country may be undertaken if the controller or processor provides “appropriate safeguards”, which can consist of using standard data protection clauses adopted by the European Commission or a supervisory authority in pre-drafted form.[8] These standard contractual clauses are pre-approved and available on the EU Commission’s website, which provides more clarity as to what constitutes appropriate contractual protections.

Originally, Bill 64 aligned more closely with the GDPR by tasking a Minister to provide a list of jurisdictions with legislative privacy protections equivalent to those applicable in Quebec. Industry submissions raised concerns that, by setting Quebec’s privacy regime as the benchmark, the applicable privacy regime would stray from a pan-Canadian method of privacy regulation. Relatedly, industry leaders noted the lack of consideration of the contractual measures commonly used to establish personal information protections between businesses. Debates in the Assemblée nationale highlighted the same gap, since such contractual measures serve to alleviate security concerns in jurisdictions without stringent legislative privacy protection regimes.

As a result of amendments at the committee stage, Bill 64’s changes align more closely with PIPEDA’s approach to contractual protections for data transfers. The legislator removed the mention of a list of equivalent jurisdictions and added that “contractual” protection measures for third party transfers are to be taken into account in a PIA for personal information transmitted to a third party. The amendments to Bill 64 provide more flexibility for businesses by specifying contractual measures as a means to mitigate risk, but by setting the standard at “generally accepted data protection principles”, uncertainty remains as to which contractual clauses would be appropriate.

Outstanding Questions

One area that would benefit from greater certainty is what specific contractual provisions are necessary to provide adequate protections. Businesses should keep an eye out for any decisions or guidance from the CAI relating to specific contractual clauses deemed acceptable for the purposes of risk mitigation.

A further, largely unresolved point is the question of what businesses should do in the event that local laws are at odds with generally recognized privacy principles. In a practical sense, contractual clauses attempt to impose protection measures abroad, but there are limits to what a private contractual agreement can do when confronted with, for example, mandatory governmental disclosure requirements. PIPEDA’s guidance documents briefly reference this potential conflict, and the OPC takes the approach that businesses must take into account all elements surrounding the transaction, including the possibility that local laws conflict with Canadian privacy laws.[9] As discussed in a previous TechLex post, this concern had a major impact on GDPR compliance, including through the Schrems II decision, which invalidated the EU Commission’s EU-US Privacy Shield Framework on the basis of US national security regulations. In the context of Bill 64, the legislature did briefly discuss the impact of national security legislation that could breach privacy in particular contexts, but made no affirmative statements. This remains another point to watch for in the future.

Concrete Steps for Businesses to Take

  1. Identify Potential Risks Where Data is Frequently Transferred

As noted in our previous publication, businesses should have a clear picture of what personal information they transfer, as well as where and for what purposes. Particularly in the case of processing by third parties, the jurisdiction where processing occurs may create unique challenges that require redress by contractual means. These challenges will vary by jurisdiction, but businesses should attempt to identify what requirements over and above the baseline provisions would be necessary in relation to the business activity being performed.

  2. Establish Processes to Translate PIA Conclusions Into Contractual Form

Businesses should have a concrete idea of what type of contractual clauses would remedy the types of risk the business frequently faces when transferring data to third parties. By implementing a process that identifies the type and severity of the risk and pairs it with a pre-existing clause, businesses can reduce the operational burden of drafting individual contractual protection measures for foreseeable risks.

  3. Monitor CAI and Jurisprudential Developments

The requirements for contractual protection clauses are set to be phased in progressively between September 22, 2022 and September 22, 2023. Businesses should be aware of any regulatory or jurisprudential developments released by the CAI that relate to acceptable contractual protections. The CAI may publish interpretive guidance documents that clarify the types of contractual clauses that remedy common privacy risks. As Bill 64’s changes leave room for interpretation for the types of contractual clauses that may be deemed appropriate, businesses and counsel should actively monitor any developments for efficient compliance.

Conclusion

Bill 64 creates new considerations for businesses on the contractual front, and may require that standard operations be modified to comply with the new obligations. As the provisions requiring agreements to conclude commercial transactions come into force on September 22, 2022, and the requirements for agreements with third party processors come into force on September 22, 2023, businesses should begin assessing whether their existing business processes meet Bill 64’s requirements.