An ambitious proposed overhaul of Quebec’s privacy law would make the provincial privacy watchdog the first Canadian privacy regulator with the power to directly impose administrative monetary penalties on organizations for non-compliance.
The tabled legislation, influenced by the European Union’s 2018 General Data Protection Regulation (GDPR) as well as by federal and provincial laws in Canada, also introduces new privacy rights, new accountability and governance requirements, new obligations when data breaches occur, and new rules for the outsourcing and transfer of personal information outside Quebec – all of which may set the stage for a much-needed “conversation” on privacy, according to privacy experts.
“I have to hand it to Quebec – they have seized the day,” remarked Constantine Karbaliotis, a Toronto lawyer and expert in global privacy compliance and privacy management with virtual law firm nNovation LLP. “It may compel the conversation that needs to be had about privacy. We clearly need to update our laws, and Quebec may be setting the tone for the country.”
Quebec has always been a privacy-friendly jurisdiction, pointed out Eloïse Gratton Ad.E., an internationally recognized expert who co-leads the national privacy and data protection practice at Borden Ladner Gervais LLP. The Quebec Charter of human rights and freedoms, adopted in 1975, includes a right to privacy. Nearly two decades later, in 1993, the province became one of the first jurisdictions in North America to introduce a private sector privacy law, An Act Respecting the Protection of Personal Information in the Private Sector (Act), which was widely viewed as an avant-garde and progressive statute. Its regard for privacy was bolstered further still a year later, when the Civil Code of Québec introduced a general principle under which every person has a right to the respect of his reputation and privacy, together with an invasion of privacy provision.
“While the Act was slightly updated over the years, we now have come to a point where there is a consensus that this law is clearly outdated and clearly needs modernization as it creates a lot of challenges for businesses and perhaps not enough protection against new types of technologies or new issues,” said Gratton.
Bill 64, an Act to modernize legislative provisions as regards the protection of personal information, introduces three new provisions dealing with enforcement, all of them with bite. The privacy regulator, the Commission d’accès à l’information (CAI), can impose administrative monetary penalties on private sector offenders of up to $10 million or two per cent of a company’s worldwide turnover for the preceding fiscal year. The bill also empowers the CAI to launch penal proceedings for breaches of the Act, with a minimum fine of $15,000 and a maximum of $25 million or four per cent of worldwide business revenue, whichever is greater. Moreover, Bill 64 creates a private right of action for damages for unlawful infringement of the Act or the Civil Code. “This new right may translate into Quebec becoming an even friendlier jurisdiction for privacy class actions,” noted Gratton.
Accountability, often described as the anchor of privacy law, has also been bolstered. In the past, the Act did not explicitly give much weight to accountability. That is about to change. Under Bill 64, both private and public organizations must designate a data protection officer who is responsible for overseeing the protection of personal information. By default, the person exercising the “highest authority” in the organization is in charge of the protection of personal information, but that person may delegate the function to someone else, whose title and contact information must be published on the organization’s website. “It will be challenging for many organizations to find qualified people to manage the privacy program within companies,” said Karbaliotis. “This is what Europe faced when GDPR came into effect.”
Bill 64 also compels organizations to conduct privacy impact assessments, a process that is often mandatory in the public sector and deemed a best practice under Canadian private-sector privacy laws, said Gratton. The introduction of technology for any information system or electronic service delivery will now require a privacy impact assessment. On top of that, privacy by design is now required in order to ensure the highest level of confidentiality by default, “without any intervention by the person concerned,” as Bill 64 puts it.
In a similar vein to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and Alberta’s private sector privacy law, the Personal Information Protection Act (PIPA), Bill 64 introduces mandatory breach notification requirements, a development widely expected by privacy experts. An organization that has suffered a breach, or what the bill describes as a “confidentiality incident,” that presents a risk of “serious injury” must “promptly” notify the Quebec privacy watchdog. The threshold for serious injury is similar to the notion of “real risk of significant harm” under PIPEDA, which turns on the sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that the information will be used for injurious purposes, explained Gratton. But Quebec has taken a different tack from other jurisdictions, be it at the federal or provincial level or under the GDPR or U.S. state breach notification laws.
“Bill 64’s breach notification requirements cover incidents involving the unauthorized use of personal information whereas the common approach for breach notification requirements in Canada and globally is to focus on unauthorized access to, disclosure or loss of personal information,” observed Gratton. “It will be important to follow the developments of Bill 64 because as currently drafted, organizations operating in Quebec may have to comply with enhanced notification requirements.”
Clarifications as well as new requirements on consent have been added under Bill 64. Consent must be given expressly for certain uses or disclosures of sensitive personal information, and requests for consent to the collection of personal information must be made separately from all other information provided to an individual. “Unfortunately Bill 64 does not include an employee consent exception,” said Gratton. “This is highly problematic since the consent model appears ill-suited to the employer-employee relationship. Indeed it is difficult to think of an employee’s consent in dealing with their employer as being ‘free’ since an employee could well believe, rightly or wrongly, that their employment would be jeopardized by a refusal to consent.”
New individual rights are set out under the proposed legislation. The right to be forgotten, analogous to that in the GDPR, allows individuals to request that organizations cease disseminating their personal information if, for example, the content is defamatory. The bill also proposes a new framework for automated decision-making. When an organization relies on automated processing of personal information to make a decision, the individual has the right to be informed of that fact. Moreover, individuals have the right to be informed of the personal information used to reach the decision and the reasons for the decision, and the right to have that information corrected.
New rules around outsourcing and the cross-border transfer of personal information outside Quebec are laid out by the bill, including an equivalency system akin to that of the GDPR. Organizations will be required to conduct a privacy impact assessment to evaluate whether the information will receive a level of protection equivalent to that provided by Quebec law. That may prove to be a challenge for organizations, according to Gratton. “The government may have underestimated the efforts that would be required for them to publish a comprehensive list of adequate jurisdictions,” said Gratton. “This may put private organizations in a situation where they need to play the role of a privacy regulator and retain foreign legal experts to assess the equivalency of non-Quebec laws.”
Karbaliotis would have liked to have seen the Quebec government adopt a more nuanced approach that would have taken into account the size of organizations, something that the GDPR does.
“You may not want to have the same expectations of a two-person travel agency that you have of an organization that has hundreds of thousands of clients,” said Karbaliotis.
But in the end, added Karbaliotis, Bill 64 does not introduce ground-breaking and novel elements. Rather it is incorporating “a lot of thinking and principles that are already being implemented elsewhere in various ways.”
This story was originally published in The Lawyer’s Daily.