When the General Data Protection Regulation (GDPR) came into force, the protection of personal information became a concern for organizational leaders, who worried about the heavy fines it provides for non-compliance. Many companies in Quebec have wondered whether or not they were subject to this regulation and its many requirements.
Indeed, even though Quebec was a pioneer in this area, its legal framework had for some time not kept pace with the current situation or with the challenges posed by technologies that are ever more present and ever more intrusive for individuals.
Despite repeated calls from the Commission de l’Accès à l’Information (CAI) and industry professionals, legislators were reluctant to address this often-complex area with potentially significant repercussions for industry players.
It certainly took a few scandals and numerous personal information leaks making news headlines to finally convince the government that it was time to act.
It is in this context that, on June 12, Ms. LeBel, then Minister of Justice, introduced Bill 64, which strengthens the protection of personal information.
This bill proposes substantial changes to several laws and will ultimately impact both the public and private sectors.
We will limit ourselves here to what you need to remember about the Act respecting the protection of personal information in the private sector.
Corporate accountability and sanctions
As its flagship measure, Bill 64 introduces heavy financial penalties for breaches of privacy obligations. The Commission d’Accès à l’Information would be given the power to impose administrative monetary penalties of up to $10 million or 2% of worldwide turnover, whichever is greater. The CAI could also initiate penal proceedings, in which case fines could reach $25 million or 4% of worldwide turnover, whichever is greater.
Individuals could bring a claim for damages and obtain a minimum of $1,000 in the event of an intentional infringement or gross negligence.
Beyond the sanctions, Bill 64 borrows from the GDPR by establishing the role of person in charge of the protection of personal information, the equivalent of the GDPR’s data protection officer.
Businesses will need to develop “protection of personal information policies and practices” and publish them on their website.
The protection of personal information will henceforth be part of “any project of information system or electronic service”, in particular through mandatory privacy impact assessments, in other words an analysis of the specific risks as soon as personal information is collected, used, communicated, retained or destroyed.
The person in charge of the protection of personal information will play an active advisory role in these projects.
The bill formally introduces into Quebec law the concept of privacy by design, developed in Ontario in the 1990s, as well as that of privacy by default.
We will return to these two concepts in a future article in order to present them to you in more detail.
Finally, these measures for the sound management of personal information will be accompanied by an obligation for companies to notify the CAI and the persons concerned of confidentiality incidents whenever they present a serious risk of injury. Note that this obligation already exists at the federal level and in the other provinces, with the exception of British Columbia.
The bill would even go beyond what is done elsewhere by also requiring the reporting of incidents involving the unauthorized use of personal information.
Consent and transparency
Bill 64 clarifies the information that must be brought to the attention of individuals when their personal information is collected: the purposes for which the information is collected, the means of collection, the rights of access and rectification, and the person’s right to withdraw their consent.
Where applicable, the person must also be informed of the name of the third party on whose behalf the collection is made and of the possibility that the information will be communicated outside Quebec.
The person will be able to obtain, on request, “personal information collected from him, categories of people who have access to this information within the company, the period of storage of this data, as well as the contact details of the person in charge of the protection of personal information”.
The bill adds that this information must be communicated to the person concerned in simple and clear terms, regardless of the means used to collect the information.
The bill also covers the use of technology that includes functions to identify, locate or profile individuals. Here again, there will be an obligation to inform the person beforehand of the use of such technology and of the means available, if any, to deactivate those functions.
In the same spirit, the bill introduces the concept of express consent for the collection, use and communication of sensitive personal information. Personal information is considered sensitive when, because of its nature or the context of its use or communication, it entails a high level of reasonable expectation of privacy.
On the other hand, the bill would allow secondary use of personal information without consent, that is, use for purposes consistent with those for which it was collected, or use that is clearly for the benefit of the person concerned.
Similarly, the use of personal information in certain contexts would be possible without the person’s consent, subject to transparency requirements. An exception is also provided for commercial transactions. In addition, business contact information would be excluded from the Act entirely.
Three new rights inspired by the GDPR are introduced by Bill 64:
- The right to data portability – that is, the right of individuals to obtain a written and intelligible transcript of the personal information concerning them, in a structured and commonly used technological format.
- The right to be forgotten – that is, the right of individuals to ask companies to stop disseminating their personal information and to remove any hyperlink attached to their name, where the dissemination violates the law or a court order. The same would apply where the dissemination seriously harms their reputation or their privacy.
- The right to object to automated processing – that is, the right to be informed that a decision was based exclusively on automated processing, of the personal information used, and of the main factors and parameters that led to the decision. The individual could have that information corrected and be given an opportunity to present their observations.
Communication to third parties and outside Quebec
With regard to communications outside Quebec, Bill 64 states that the company must first conduct a privacy impact assessment to determine whether the personal information will receive “protection equivalent to that provided for in this Act”. Companies will have to consider the sensitivity of the information, the purposes for which it is used, the protective measures in place and the applicable legal regime.
Note that it is expected that the government will publish a list of states whose legal regime for the protection of personal information is equivalent to that of Quebec.
This bill is certainly a big step toward strengthening the protection of personal information in Quebec. Even though there is still a long way to go before these requirements come into force, and there will certainly be clarifications and adjustments along the way, the movement is underway and we must prepare.
As many of the planned provisions are inspired by established best practices and GDPR provisions, In Fidem is already able to support you in integrating privacy management into your strategy, your projects and your operations.
So do not hesitate to contact us for more information, and retain the full confidence of your customers and of your current and future partners.