Quebec introduced sweeping changes to its privacy regime, making it the most consumer-friendly privacy law in Canada by giving individuals much greater control over their privacy while compelling private and public sector organizations to implement onerous prescriptive obligations that will be challenging to fulfil within two years, according to privacy experts.
The major overhaul, heavily influenced by the European Union’s General Data Protection Regulation (GDPR) in force since 2018, introduces new privacy rights such as the right to data portability and the right to be forgotten, new accountability and governance requirements, and new rules for outsourcing and for transferring information outside Quebec. It also institutes mandatory breach notification and mandatory privacy impact assessments, clarifies the consent requirements for the collection, use or disclosure of personal information, and significantly raises the potential fines for violations.
Most provisions of Bill 64, An Act to modernize legislative provisions as regards the protection of personal information (the Act), which received Royal Assent on September 22nd, come into force in two years. But some, such as the obligation to notify Quebec’s privacy watchdog of “confidentiality incidents,” come into force a year from now, in September 2022.
“This is the direction a lot of jurisdictions are headed,” observed Corey Omer, a Montreal litigator with Davies Ward Phillips & Vineberg LLP. “Some of the changes introduced by Bill 64 are in a sense catching up to other legislation, like the requirement to designate a privacy officer or the requirement to report data security incidents and notify affected individuals. Others are more akin to GDPR, like the right to be forgotten, the right to data portability, and certain rights with respect to automated decision-making. It’s the most consumer-friendly privacy law in Canada in the sense that it is going one step further than where the other laws are right now. But it’s not necessarily the only one that’s headed in that direction.”
Constantine Karbaliotis, an expert in global privacy compliance and privacy management with nNovation LLP, believes that Bill 64 is going to have profound implications for business both in Quebec and in Canada. “What Quebec’s Bill 64 really means is that GDPR has come to Canada,” remarked Karbaliotis.
Businesses are concerned about the steep penalties, compliance costs, the amount of legwork they have to accomplish in a relatively short period of time, and the legal uncertainty that may stem from Quebec’s “unique drafting style” as well as the potential lack of harmonization between privacy legislation and obligations with the rest of Canada, noted Charles Morgan, national co-leader of the cyber-data group at McCarthy Tétrault LLP.
Canada’s privacy regime is a patchwork of federal and provincial laws, some of which are the subject of ongoing consultations. Privacy reform has lagged at the federal level, with the status of federal Bill C-11 uncertain, but several provinces are forging ahead. Ontario recently released a white paper for a provincial private sector privacy law that appears to draw elements from Bill 64, Alberta launched public consultations on privacy protections, and Nova Scotia’s premier Tim Houston announced that the province would make changes to its privacy legislation. As in Quebec, these efforts are partly driven by high-profile data breaches, the need to modernize legislation so that it takes contemporary technology into account, and a desire to maintain Canada’s “adequacy” status for transfers of European personal data under GDPR, according to privacy experts.
“Everybody’s going to be looking at Bill 64 as both at the federal and provincial level will work to maintain its adequacy status,” said Morgan. “It’s really, really important that we think about harmonization across the country. But there could also be a desire for privacy arbitrage. In other words, some provinces may make a policy decision to make their provincial privacy regime more sort of business friendly in order to attract business. So there could be a lack of harmonization because some provinces decided to have a different balance between individual rights, the practicalities of a modern economy and business needs.”
Further legal uncertainty, added Morgan, could emanate from Quebec’s unique take on privacy and the language it uses to describe privacy concepts. Under Bill 64, consent requirements have been reinforced. Consent must be specific to each use of personal information, and implied consent is accepted only if certain conditions are met. Businesses are allowed to use personal information without consent when necessary to provide a product or service, or for fraud prevention and security enhancement. But they must seek consent “expressly” for the use of “sensitive” information such as medical or biometric “or otherwise intimate information.”
“They amended the initial, original text drafted in 1993,” explained Morgan. “They didn’t rewrite the law altogether so it’s a series of amendments and obligations that have been inserted into this original text, and that text was drafted in a very different way than any of the other privacy laws in Canada. Quebec law doesn’t use the same language, so the way Quebec describes consent is unique to Quebec law.”
Accountability, often deemed to be the anchor of privacy law, has been bolstered. Unlike in the past when the Act did not explicitly give much weight to accountability, Bill 64 compels organizations to designate a privacy officer, requires every enterprise to establish and implement governance policies and practices that provide a comprehensive framework for managing and protecting personal information, and introduces “privacy by design” into Quebec law.
A concept developed by former Ontario privacy commissioner Ann Cavoukian, privacy by design entails a proactive approach to protecting personal information. Under Bill 64, companies will be obliged to ensure that the pre-established settings of their technological products and services are, by default, set to the highest level of confidentiality. A last-minute change introduced during the clause-by-clause review of the bill swapped a single word, from “deactivate” to “activate,” and will have “far-reaching” consequences, asserted Eloïse Gratton, the national co-leader of privacy and data protection at Borden Ladner Gervais LLP. Following the amendment to section 8.1 of the Act, organizations that collect information using technologies that include functions allowing the person concerned to be identified, located or profiled need to ensure that these functions are deactivated by default, so that the person must opt in rather than opt out.
“Bill 64 defines ‘profiling’ broadly so this amendment creates a great deal of uncertainty with respect to the use of online tracking tools such as cookies, beacons and pixels for marketing purposes since it is not clear if these technologies are covered by section 8.1,” explained Gratton. If that were the case, added Gratton, the shift from opt-out to an opt-in model could have “serious implications” for the entire digital advertising system by “placing unfavourable conditions” on Quebec business.
Bill 64, like the European Union’s GDPR, has stringent rules around cross-border transfers. Before communicating personal information outside Quebec, organizations must assess whether the information will receive an adequate level of protection, in light of generally accepted data protection principles.
“The nature, scope and content of this assessment lacks certainty and predictability as it would require businesses to routinely evaluate broad, open-ended concepts such as the ‘legal framework’ of a foreign jurisdiction and ‘generally accepted data protection principles,’” said Gratton.
This obligation also raises the question of whether businesses need to routinely monitor developments in a foreign jurisdiction to ensure that the information continues to receive adequate protection after the transfer.
Under the new Quebec privacy law, a privacy impact assessment must also be conducted for any acquisition, development or redesign of an information system involving personal information. This requirement, combined with the rules on cross-border transfers, will have an impact on business supply chains, predicted Karbaliotis. “I expect much more interrogation of companies in supply chains as to how data is managed because there will be a greater requirement to conduct due diligence as there are now serious consequences or fines for failing to do so,” said Karbaliotis.
The fines under Bill 64 can be steep. Quebec’s privacy regulator, the Commission d’accès à l’information (CAI), now has greater enforcement powers that allow it to impose administrative monetary penalties for a wide range of violations. For private sector offenders, these penalties can reach $10 million or, if greater, two per cent of worldwide turnover for the preceding fiscal year. The law also empowers the CAI to launch penal proceedings for breaches of the Act, with fines ranging from a minimum of $15,000 to a maximum of $25 million or four per cent of worldwide turnover, whichever is greater. Moreover, Bill 64 creates a private right of action for damages for unlawful infringement of a right conferred by the Act or the Civil Code.
Public and private sector organizations have their work cut out for them, assert privacy experts.
“The idea of treating this as a marathon rather than a sprint is very important,” said Omer. “This has to be sort of a process where you really need to think about the data you have and collect. And, it’s not an obvious question. Some organizations might not really know what data they collect, what they store, how they store it, and whether they’re in compliance.
“You really need to understand your systems. You have to understand your policies, your procedures, and what you’re doing and figure out how it fits into each of the many elements of that, and there are many elements to this legislation. That’s why there’s a two-year period.”
This story was originally published in The Lawyer’s Daily.