Law in Quebec

News about Quebec legal developments

Privacy

  • Confidentiality breaches will no longer be published by Quebec privacy watchdog

    Québec’s privacy commissioner, the Commission d’accès à l’information (CAI), has had a change of heart, and announced it will no longer publish the list of organizations that have reported confidentiality incidents.

    Since 2022, all organizations operating in Québec had to report to the privacy watchdog any confidentiality breaches involving a risk of serious harm to the individuals concerned. The incidents were then published on CAI’s website as a list detailing the names of entities that had notified the CAI of a confidentiality incident involving personal information. The list also contained the nature of these entities as well as the date of receipt of the incident report.

    According to the Quebec privacy watchdog, the new policy is aimed at “enhancing the protection of personal information of citizens affected by confidentiality incidents.” The CAI maintains this new change will minimize the risk of harm to citizens, sidestep the possibility of inadvertently revealing the existence of technological vulnerabilities or cybersecurity concerns, and help management to deal with data breaches. The change is also intended to preserve CAI’s oversight functions and powers, particularly for ongoing or future investigations.

    But the CAI will however continue to publish statistical data on the incident reports it receives.

    Quebec privacy experts welcome the new policy. Some felt that the former practice of publishing a list of confidentiality incidents dissuaded organizations from reporting data breaches as they wanted to avoid at all costs being named by the CAI. “In our view, it will certainly increase the number of reports that organizations make” to the CAI, said Nareg Froundjian, a technology lawyer with Fasken’s privacy and cybersecurity group.

    Antoine Guilmain, co-leader, national cybersecurity & data protection group at Gowling WLG, too believes that Quebec is doing the right thing by following in the footsteps of Alberta, which put a halt to the practice in 2024. Any premature publication of information about a confidentiality incident, however limited, can hinder an organization’s crisis management process, encourage the malicious actor to exert pressure, or even further expose those affected, said Guilmain.

    He also points out that there is no specific legal regime that dictates that the CAI must “proactively publish” reports it receives, including those dealing with confidentiality incidents.

    Categories: , ,
    Tags: ,

  • High bar for use of biometric systems maintained by Quebec privacy regulator

    Canada’s largest printer was ordered to cease using facial recognition technology to monitor access to its facilities and to destroy all biometric information it previously collected by Quebec’s privacy watchdog in a decision that serves as a stark reminder that there is a high legal threshold for using biometric systems in the province, according to data and privacy experts.

    The use of biometrics in both the private and public sectors is on the upswing in Quebec, with the latest figures from Quebec’s privacy commissioner, the Commission d’accès à l’information (CAI), revealing that 124 entities declared they used biometrics in fiscal 2023-2024, nearly a 60 per cent jump over the previous year. Biometrics, the automated recognition of an individual’s unique body and behavioural characteristics such as fingerprints, facial and voice recognition, and retina scans, is a billion-dollar business, with the global biometrics market estimated at US$50.08 billion in 2024 and expected to surge to more than US $60 billion in 2025, according to Precedence Research. Employers are using it for access control, security, time-keeping, monitoring employee performance or safety, note pundits.

    (more…)

    Categories: , , ,
    Tags: , ,

  • Meta settles Quebec class action over unauthorized sharing of user data

    Meta, the American multinational social media giant that caused consternation around the world after it recently decided to overhaul its content moderation and fact-checking policies, has discreetly agreed to pay $9 million to settle a Quebec class action that alleged Facebook violated the privacy rights of users by providing access to their personal and private information to third parties without their consent.

    (more…)

    Categories: , ,
    Tags: , , , ,

  • Right to data portability in effect in Quebec

    Organizations doing business in Quebec face new compliance obligations as the right to data portability came into force at the tail end of September, spelling the end of a one-year leniency period following the entry into force of Quebec’s sweeping overhaul of its privacy regime.

    This right, part of an international trend to give individuals more control over their own data, compels business and public bodies to provide individuals computerized personal data they hold on the person in a structured and commonly used technological format. Individuals may also request that their computerized personal information be disclosed to any person or body authorized by law to collect such information.

    (more…)

    Categories: , , , ,

  • Quebec introduces most consumer-friendly privacy law in Canada

    Quebec introduced sweeping changes to its privacy regime, making it the most consumer-friendly privacy law in Canada by giving individuals much greater control over their privacy while compelling private and public sector organizations to implement onerous prescriptive obligations that will be challenging to fulfil within two years, according to privacy experts.

    The major overhaul, heavily influenced by the 2018 European Union’s General Data Protection Regulation (GDPR), introduces new privacy rights such as data portability rights and the right to be forgotten, new accountability and governance requisites, and new rules for the outsourcing and transfer of information outside Quebec. It also institutes new mandatory breach notification requirements, mandatory privacy impact assessments, clarifies consent requirements for collection, use or release of personal information, and significantly raises potential fines for violations.

    (more…)

    Categories: , ,
    Tags: , ,

  • Quebec plans ambitious overhaul of its privacy law

    An ambitious proposed overhaul of Quebec’s privacy law would make the provincial privacy watchdog the first Canadian privacy regulator with powers to directly impose administrative monetary penalties organizations for non-compliance.

    (more…)

    Categories: ,
    Tags:

  • Privacy commissioner launches consultation on artificial intelligence

    The chief executive of Alphabet and Google made it plain. Artificial intelligence needs to be regulated. It is too important not to, wrote Sundar Pichai in a Financial Times opinion piece.

    “The only question is how to approach it,” said Pichai succinctly.

    That’s what the Office of the Privacy Commissioner of Canada (OPC) is grappling with as well.

    (more…)

    Categories: , ,
    Tags: ,

  • Most U.S. & EU companies still not prepared for new privacy law

    The majority of European and American firms are not yet ready to comply with the European Union’s General Data Protection Regulation (GDPR), reveals a recent report.

    Many organizations fail to give the GDPR the attention it deserves, according to Seizing the GDPR Advantage: From Mandate to High-Value Opportunity,” a report by France-based legal tech consultant Capgemini that surveyed 1,000 executives and 6,000 consumers.

    The report notes that nearly one in five organizations fail to make the GDPR a top priority, 31 per cent feel that the sole purpose of their program is to comply with the mandate by the deadline, and only 28 per cent see the GDPR as an opportunity to gain consumer trust and competitive advantage, in addition to being a compliance mandate. Moreover, it reveals that 51 per cent of organizations are either lagging or feel they will be only partially compliant by the deadline.

    The report underscores that there is a “significant perception gap” between organizations and consumers around consumer data privacy and security performance. A staggering 80 per cent of executives believe that consumers trust their organization with the privacy and security of personal data. Consumers have a different take: only 52% of consumers agree with executives.

    “This overconfidence can blind organizations to the improvements they need to make in data practices and prevent sufficient investment,” said the report. “Such organizations will eventually lose out as consumers increasingly demand a best in-class data protection experience.”

    The global tech consultant leader strongly argues that GDPR is in fact a new opportunity waiting to be tapped but only for “organizations that get it right.” Besides enhancing employee loyalty, it maintains that consumers are “more willing to engage with organizations that protect data.”

    When consumers are convinced that an organization is protecting their personal data in line with the GDPR mandate, nearly half would share their positive experiences with friends and family. Just as importantly, more than one in three consumers (39 per cent) will spend more with an organization when convinced that the organization protects their personal data.

    More ominously, over 70 per cent of consumers said they are prepared to decrease spend and stop doing business with organizations in breach of GDPR compliance. In addition, 64 per cent of consumers said they are likely to request non-EU companies to delete their data if they find organizations non-compliant once the GDPR comes into effect.

    Categories: ,
    Tags:

  • Monetizing data, without consent

    You can still download the application if you want. But if you believe what Kyle Zak has to say about it, it’s not something you would do. Not unless you don’t mind the trade-off between ease-of-use and the reams of information you will allegedly provide to the popular audio maker Bose Corp.

    (more…)

    Categories: , , ,
    Tags: ,

  • Ashley Madison agrees to US$1.7 million settlement

    A month after the parent company of the controversial adult dating website Ashley Madison settled a complaint with the U.S. Federal Trade Commission and state charges over the 2015 data breach that exposed the personal data of more than 36 million users and highlighted the site’s unfair and deceptive practices, the firm is now trying to thwart 20 class actions against it by invoking online arbitration agreements the plaintiffs signed when they subscribed to its matchmaking services.

    (more…)

    Categories: , ,
    Tags: ,

  • Quebec chips away at government transparency

    Quebec, once a pioneer that lead the movement towards greater government transparency, is now among the least transparent provinces in Canada after successive provincial governments introduced more than 150 legislative exemptions that undermined the province’s access to information legislation, according to a recently published comprehensive report by Quebec’s Commission d’accès à l’information.

    With Quebec ranking 10th out of 14 jurisdictions in Canada, and 57th in the world, behind Honduras and Romania, the Quebec government should overhaul the provincial access to information legislation to compel all public bodies, even those partially financed by the provincial government, to be subjected to the access to information law, noted the 214-page, five-year report that issued 67 recommendations. The Commission, which also oversees provincial privacy legislation, also called on the Quebec government to beef up privacy protection measures.

    “The access to information law has not been the subject of a thorough reform in 35 years, and the privacy legislation in 22 years,” remarked Diane Poitras, the Commission’s vice-president. “It’s time to re-establish the balance between the rights of citizens — who are calling for greater transparency and stronger privacy protection measures — and the needs of business and government organizations to collect and use” — and in some cases safeguard — information.

    (more…)

    Categories: , ,
    Tags: ,

  • Federal privacy watchdog examines consent model

    Federal privacy watchdog examines consent model

    The consent model, the cornerstone behind the federal legislation that governs how private sector organizations may collect, use or disclose personal information in the course of commercial activities, is under the microscope after the Office of the Privacy Commissioner of Canada (OPC) published a consultation paper that examines its viability in today’s digital information ecosystem.

    (more…)

    Categories: ,
    Tags: ,

  • Health & life insurance industry intend to ignore privacy commissioner’s recommendations over genetic testing

    A call by Canada’s privacy watchdog to the life and health insurance industry to voluntarily refrain from requesting clients for access to existing genetic test results is going to be ignored, setting the stage for a divisive debate over access and the use of such personal information.

    (more…)

    Categories: , , ,
    Tags: , , , ,

  • Workplace privacy: “People don’t understand it”

    Workplace privacy, an issue few seriously thought about even a decade ago, has become a conundrum for employers. The ubiquitous presence of mobile technology, the explosive evolution of social media coupled with shifting and seemingly contradictory attitudes towards privacy as well as an evolving legal landscape have left in-house counsel in a quandary. Even outside of work, questions linger around the scope of employee privacy and the extent to which employers can keep tabs on employees.

    No wonder then when Borden Ladner Gervais LLP recently ran a seminar on workplace privacy in Toronto in the wake of a much publicized Supreme Court of Canada ruling that has divided privacy lawyers over its significance, the turnout out was nearly twice as much as expected.

    “Privacy is on people’s minds,” says Robert Weir, an employment lawyer who led the seminar.  “People don’t understand it, don’t get it.”

    (more…)

    Categories: , , , , , ,
    Tags: , ,

  • Canada’s privacy commissioner calls into question ombudsman model

    On the eve of a statutory five-year review of the legislation governing federally-regulated private-sector organizations, the Privacy Commissioner of Canada is openly calling into question the effectiveness of the ombudsman model to regulate private-sector practices for the protection of personal information in light of the recent spate of high-profile data breaches that have compromised the personal information of Canadians.

    (more…)

    Categories: , , ,
    Tags: , ,
Law in Quebec
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognizing you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.