Seismic Shift in Privacy Risks and Obligations
As the world continues to focus on the ongoing effects of COVID-19 and plans for a recovery, many have noticed a seismic shift in Canada’s privacy laws. In addition to the Competition Bureau of Canada stepping in to impose a $9.5 million penalty based on alleged false and misleading privacy statements, discussed in our previous blog post, Québec has stepped up to the plate with draft legislation that, if ratified, will impose significant additional obligations and penalties on businesses.
On June 12, Bill 64 (the “Bill”), an Act to modernize legislative provisions as regards the protection of personal information, was introduced into the Québec legislature. If ratified, this Bill has the potential to overhaul Québec’s privacy legislation for both the public and private sectors. Many of the changes to Québec’s Protection of personal information and the Act respecting the protection of personal information in the private sector contemplated by the Bill would move Québec’s private sector privacy laws closer to the GDPR, which is considered one of the strictest data protection laws in the world.
While any legislative changes will apply to those persons processing personal information on individuals in Québec, one can reasonably expect the Office of the Privacy Commissioner of Canada and its provincial counterparts in British Columbia, Alberta and other provinces to consider making similar amendments to the privacy laws in their respective jurisdictions. All Canadians should keep a close eye on the progress of the Bill. The following highlights some key changes to Québec’s privacy laws proposed by the Bill:
Administrative Monetary Penalties, Fines & Private Right of Action
Businesses would be subject to significant monetary penalties and fines for contraventions, including administrative monetary penalties (“AMP”) to a maximum of $10 million or the amount corresponding to 2% of worldwide turnover for the preceding fiscal year, if greater. The Commission d'accès à l'information (“CAI”) would be empowered to institute penal proceedings. Potential fines would be substantially increased to $25 million or the amount corresponding to 4% of worldwide turnover for the preceding fiscal year, if greater. For subsequent offences, fines for these businesses would be doubled.
Businesses would also be subject to a private right of action against them, allowing individuals to be compensated for the unlawful infringement of a right conferred by the statute or the privacy articles of the Civil Code, unless the damage results from “superior force.”
New Individual Rights
In a clear move to align with the standards under the GDPR, individuals are granted significantly greater rights. Individuals will gain the right to be “forgotten,” the right to data portability and the right to object to the automated processing of their personal information.
Tracking and Profiling Technology Subject to Additional Obligations
Businesses that use technology to identify, locate or profile individuals must inform the individual of the use of such technology and the means available, if any exist, to deactivate these functions.
Cross-Border Transfers
Businesses would be subject to increased obligations in relation to cross-border transfers. Prior to communicating personal information outside of Québec, businesses must perform a privacy impact assessment that takes into account the sensitivity of the personal information, the purposes for which it will be used, the security measures that will protect it, and the legal framework, including governing laws and contract terms, in order to assess whether the information will receive a level of protection equivalent to that granted under the Act.
Mandatory Privacy Officer
Similar to the GDPR and PIPEDA, businesses would be obligated to employ an individual accountable for privacy compliance. Although the responsibilities can be delegated, pursuant to the Bill, this role would sit with the CEO by default.
Policies and Practices
Businesses would be required to establish and implement governance policies and practices regarding the protection of personal information. These policies must include details on the life cycle of the personal information in use, including the storage and destruction of the personal information, and the roles and responsibilities of the individuals in the organization who are responsible for the personal information throughout its life cycle. The business must have a mechanism for dealing with complaints and must publish these internal policies and practices on its website.
Mandatory Privacy Impact Assessments
Organizations operating in Québec will have to undertake privacy impact assessments for initiatives that involve the processing of personal information.
Privacy by Design
Businesses that collect personal information using technology must ensure that such technology provides confidentiality by default, without the intervention of the person concerned.
Mandatory Incident Reporting
Businesses would have to notify the CAI and the impacted individuals upon “confidentiality incidents” that present a “risk of serious injury” to the individual. This threshold for notification of “risk of serious injury” is similar to PIPEDA’s breach notification threshold of “real risk of significant harm.”
Information Required on Collection of Personal Information
Before businesses may collect personal information, they would need to provide the individual with additional information in clear and simple language, regardless of the means used to collect the personal information. The type of information that must be provided to the individual prior to collection includes, but is not limited to, the purposes of the collection, the means of collection, the rights of access and rectification, and the individual’s right to withdraw consent to the communication or use of the information collected. If applicable, the individual must be informed of the name of the third party for whom the information is being collected and of the possibility that the information could be communicated outside of Québec.
Exceptions for Business Contact Information and Commercial Transactions
Businesses would enjoy long overdue and helpful exemptions from consent requirements relating to business contact information and personal information involved in commercial transactions.
All businesses that collect, use, disclose or otherwise process personal information on Canadians should anticipate changes to their obligations and risks, even if they do not operate in Québec. If the Bill is ratified, every business that processes personal information on individuals in Québec, either directly or as a third-party service provider, will be impacted. Businesses operating in Canada that process personal information on individuals outside of Québec should also anticipate that Canadian privacy regulators at the federal and provincial levels will be looking closely at Québec’s decisions with regard to enhancing privacy law obligations and penalties, and considering whether to implement similar changes in their jurisdictions.
When dealing with personal information, it is best to contact legal counsel to manage the specific requirements of your organization. Aird & Berlis LLP is continually monitoring the changes to provincial privacy and data security laws and we would be pleased to assist you. Please do not hesitate to contact the author Paige Backman at email@example.com or 416.865.7700, or any member of our privacy and data security group with questions about how privacy and data security laws may impact your business.