October 4, 2021Calculating...

Bill 64’s adoption confirms overhaul of Québec private sector privacy law

Authors

La version française de cette communication est publiée ici.

On September 21, the Québec National Assembly officially adopted Bill 64 – An Act to modernize legislative provisions as regards the protection of personal information1. The Bill ushers in a number of new privacy requirements for organizations doing business in Québec. These requirements will come into force over a period of one, two and three years starting from September 22, 2021, the date of assent. This bulletin summarizes the main requirements introduced by Bill 64 and what organizations need to consider as a result.

What you need to know

  • September 22, 2022 onwards, organizations will need to:
    • notify the Commission d’accès à l’information (CAI) and impacted individuals of any breach that presents a “risk of serious injury” and keep a register of any such incident; and
    • appoint a privacy officer.
  • September 22, 2023 onwards, organizations will need to:
    • ensure they have an implemented privacy program, including by incorporating privacy by design requirements and by publishing detailed information about their privacy program on their website;
    • undertake a privacy impact assessment for i) new information system or electronic service delivery initiatives and ii) transfers of personal information outside Québec; and
    • comply with the updated consent, automated decision making and anonymization requirements.
  • September 22, 2024 onwards, organizations will need to give effect to individuals’ data portability requests.
  • Bill 64 also introduces new administrative penalties, penal offences and related CAI powers to enforce new and existing Québec privacy law requirements. Punitive damages of not less than $1,000 have been set for individuals whose privacy rights under the Act or Civil Code sections 35-40 are infringed intentionally or as a result of gross negligence. These changes come into effect on September 22, 2023. 

Applicability

Bill 64 clarifies how the Act respecting the protection of personal information in the private sector2 applies to organizations doing business in Québec that collect personal Information, whether the organization keeps the information itself or through a third party. The definition of “personal information” has been made more precise to include “any information which relates to a natural person and allows that person to be identified either directly or indirectly”.

Overview of changes

This chart provides an overview of the changes introduced by Bill 64 that apply to organizations doing business in Québec.

September 22, 2022

Designate a privacy officer

Description

Committee changes adopted

Operational considerations

Organizations will be authorized to delegate “the function of person in charge of the protection of personal information” to any person, whether or not that person works for the organization.

This function may be delegated to any person, without being limited to a personnel member.

According to comments made during the detailed review of the Bill, this approach would allow a group of organizations to designate a unique person for that function or to retain the services of a person specialized in protecting personal information.

Organizations will have to:

  • designate a privacy officer; and
  • publish the contact information of the privacy officer on their website.

Breach response and reporting

Description

Committee changes adopted

Operational considerations

Organizations will need to:

i) Notify the CAI and impacted individuals of a breach (referred to as a “confidentiality incident”3) presenting a “risk of serious injury”;

ii) take all necessary measures to prevent the breach from causing any injury; and

iii) keep a record of breaches and send a copy of it to the CAI at its request.

N/A

Organizations will have to:

  • establish a policy for handling breaches; and
  • keep a record of breaches.

September 22, 2023

Consent and notice

Description

Committee changes adopted

Operational considerations

Consent must now be requested for each of the purposes identified by the organization, in clear and simple language and separately from any other information provided to the individual.

When collecting personal information and subsequently on request, organizations will need to inform individuals of:

i) the purposes for which the information is collected;

ii) the means by which the information is collected;

iii) their rights of access and rectification; and

iv) their right to withdraw consent.

Organizations will also need to inform individuals of the possibility that the information could be disclosed outside Québec, if applicable.

Organizations will also need to inform individuals of the names of the third parties or categories of third parties to whom it is necessary to disclose the information in order to carry out the purposes of the collection.

Organizations should review privacy notices and consent flows for necessary updates, taking into account applicable consent exceptions.

Collection from third parties

Description

Committee changes adopted

Operational considerations

Organizations that collect personal information from a third party must, at the request of the individual, inform them of the source of the information. This may include organizations that acquire lists of data or databases.

N/A

Organizations must ensure that they have processes in place to identify and record personal information collected from third parties and its source. One means of doing so is by maintaining a robust data inventory that tracks how and why personal information is collected, used and shared, including to and from third parties.

Privacy by design

Description

Committee changes adopted

Operational considerations

Organizations collecting personal information through a technological product or service that has privacy options must ensure that by default those options are set to the highest confidentiality (i.e., most privacy protective) settings. Note cookies are explicitly excluded from this requirement.

This requirement was introduced in the committee stage.

Organizations should review their technological means of collecting personal information (such as apps) to ensure that settings by default collect the least amount of personal information.

Technologies allowing a person to be identified, located or profiled

Description

Committee changes adopted

Operational considerations

If an organization uses technology that includes functions allowing a person to be identified, located or “profiled,” it will need to inform individuals of the use of such technology when collecting information.

“Profiling” is very broadly defined and includes any use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests or behaviour.

An amendment adopted during the parliamentary committee proceedings also requires all organizations using such technology to inform individuals of the means available to activate the technology.

Organizations must review and record the ability of current technologies to profile individuals (including through the use of cookies) and ensure that they have processes in place to provide individuals the option to activate or opt-in to these functions where required.

Additionally, organizations must update their privacy notices to inform individuals of the use of technology that includes functions of identification, location or profiling, if applicable.

Consent exceptions for secondary uses

Description

Committee changes adopted

Operational considerations

The existing principle regarding the use of personal information remains the same: consent is required to use personal information for any purpose beyond the purposes for which it was originally collected. However, several exceptions have been added.

There were initially three exceptions included in the bill:

i) If the information is used for purposes consistent with the purposes for which it was collected, which means that the new purposes must have a direct and relevant connection with the purposes for which the information was collected4.

ii) If the information is clearly used for the benefit of the individual.

iii) If the use of the information is necessary for study or research purposes or for the production of statistics and if the information is de-identified.

The two following exceptions were added:

i) when the use of the information is necessary for the supply or delivery of a product or the provision of a service requested by the individual; and

ii) when the use of the information is necessary for the prevention and detection of fraud or the evaluation and improvement of protection and security measures.

Organizations should:

  • update privacy notices and consent flows to streamline consent requirements were practicable; and
  • maintain records that identify instances where a consent exception is relied upon.

Commercial transaction exemption

Description

Committee changes adopted

Operational considerations

Consent is not required for the disclosure of personal information for the purpose of concluding a commercial transaction, but only if an agreement has been entered into with the other party in advance and that the other party undertakes in writing to:

i) use the information only for the purposes of concluding the commercial transaction;

ii) not to disclose the information to a third party;

iii) protect the confidentiality of the information; and

iv) destroy the information if the commercial transaction is not concluded or if using the information is no longer necessary.

Amendments expanded the meaning of “commercial transaction” to include a range of transactions, including the sale or lease of all or part of a business or assets, a corporate change, reorganization or amalgamation, and lending and financing agreements (including obtaining a security interest).

Organizations should review M&A and related transaction procedures to ensure NDAs are signed in advance of a transaction and meet these requirements.

Organizations already compliant with PIPEDA’s parallel requirements will need to take minimal steps to ensure compliance here given the substantial alignment between the two.

Mandatory PIAs

Description

Committee changes adopted

Operational considerations

Organizations are required to conduct privacy impact assessments (PIAs) of any initiative (acquisition, development or redesign) related to an information system or electronic service delivery project that involves the processing of personal information.

Amendments added that the PIA must be proportionate to the sensitivity of information, the purpose for which it is to be used and the amount, distribution and format of the information.

Organizations should develop appropriate policies and procedures to ensure PIAs are conducted as required. Organizations may also consider developing a PIA template to ensure the appropriate factors are considered.

Transfers outside Québec

Description

Committee changes adopted

Operational considerations

Before transferring or disclosing personal information outside Québec, an organization will need to conduct a PIA in order to assess whether the information will receive an “adequate protection” in compliance with “generally accepted data protection principles”. Such an evaluation must take into account:

i) the sensitivity of the information;

ii) the purposes for which it is to be used;

iii) the protection measures (including contractual protections) that would apply to it; and

iv) the legal framework applicable in the destination State. The transfer of the information must also be the subject of a written agreement that takes into account the PIA.

The parliamentary committee moved away from the more stringent requirement of limiting transfers of personal information outside of Québec to jurisdictions with "equivalent protection" to a less onerous standard of permitting data transfers to jurisdictions where they would receive "an adequate protection in compliance with generally accepted data protection principles".

Organizations must, prior to transferring personal information outside Québec:

  • document the relevant consent exemption or otherwise confirm consent is obtained;
  • conduct a PIA confirming an adequate level of protection; and
  • conclude a written agreement regarding the transfer of the information, taking into consideration the results of the PIA and the terms agreed upon to mitigate the risks identified in the PIA.

Retention, destruction and anonymization

Description

Committee changes adopted

Operational considerations

Organizations will need to destroy or anonymize the personal information that they hold when the purposes for which it was collected or used are achieved.

Personal information can in fact be anonymized but only for serious and legitimate purposes.

Organizations should:

  • update their records retention; and
  • review contracts that allow third parties to anonymize personal information to ensure they are able to meet the new anonymization requirements.

Minors

Description

Committee changes adopted

Operational considerations

For minors under 14 consent must be obtained from the person having parental authority.

Amendments clarified that consent can also be obtained from the minor’s guardian.

Organizations should review consent procedures for products and services offered to minors to ensure compliance.

Right to be forgotten

Description

Committee changes adopted

Operational considerations

An individual can request an organization to de-index or cease disseminating information about them if the dissemination of the information is illegal, or if the following conditions are met:

i) the dissemination of the information causes serious injury to the individual’s reputation or privacy;

ii) the injury is greater than the public interest in knowing the information or the associated freedom of expression (seven considerations informing this determination are enumerated in the bill); and

iii) the requested remedy does not exceed what is necessary to prevent the perpetuation of the injury.

Amendments clarified that i) one of the seven enumerated considerations under the second factor is whether the information relates to an individual who was a minor at the time, and ii) that a response must be provided to the request, including, if the request is granted, a confirmation of the requested remedy being provided.

Organizations should consider whether they disseminate personal information that is likely to make them subject to requests under this new right to be forgotten.

If so, they should develop processes and criteria to evaluate and respond to such requests.

Privacy program and policy

Description

Committee changes adopted

Operational considerations

Organizations will need to establish and implement a privacy program designed to protect personal information. The program must, in particular, include:

i) the rules applying to retention and destruction;

ii) the roles and responsibilities of personnel throughout the life cycle of the information; and

iii) the process for dealing with complaints regarding the protection of the information.

Detailed information about the program (including the information above) must be posted on the organization’s website or be made available by any other appropriate means.

The privacy policy must be published, in clear and simple terms on the organization’s website, or made available by any other appropriate means.

These requirements are mostly aligned with existing industry practices. Organizations should, however, consider reviewing the information they currently make public to ensure that it can be said to provide “detailed information” on each of the stipulated content points.

Enforcement

Description

Committee changes adopted

Operational considerations

Three different mechanisms have been set up to ensure that organizations comply with the new requirements: i) an administrative monetary penalty regime consisting of a maximum penalty of $50,000 in the case of a natural person and $10,000,000 or the amount corresponding to 2% of worldwide turnover for the preceding fiscal year in the case of an organization. The capacity of the organization to pay will be considered when determining the amount of the penalty5;

ii) new penal proceedings ranging, in the case of an individual, from a fine of $5,000 to $100,000 and, in the case of an organization, from a fine of $15,000 to $25,000,000, or the amount corresponding to 4% of worldwide turnover for the preceding fiscal year for a first offence, and the double of these amounts for a subsequent offence; iii) the possibility for a court to award punitive damages of not less than $1,000 when an unlawful infringement of a right conferred by the Act or by sections 35 to 40 of the Québec Civil Code causes an injury and the infringement is intentional or results from gross negligence.

The maximum fine that could be imposed in the case of an individual has been changed from $50,000 initially to $100,000.

The amendment related to punitive damages was adopted during parliamentary commission proceedings, and is intended to ensure that the remedy offered in this section falls under the general rules of civil liability. However, the Act does not specify the conditions that need to be met before pursuing such a remedy.

Update any risk frameworks to include the potential impact of these new penalties and fines.

September 22, 2024

Data portability

Description

Committee changes adopted

Operational considerations

On request, and unless doing so raises serious practical difficulties, organizations will be required to provide an individual, or any other organization the individual chooses, with the individual’s computerized personal information in a structured and commonly used technological format.

The committee provided additional clarity that this requirement applies only to computerized personal information collected from the individual, and not information created or derived from personal information about the individual.

Organizations should plan to ensure they have the technological and organizational capacities necessary to satisfy data portability requests.

Organizations should also consider labelling or otherwise distinguishing between the personal information that is and is not subject to this requirement.


  1. CQLR c P-39.1.
  2. CQLR c P-39.1.
  3. A “confidentiality incident” is defined as “any access to, use or communication of personal information not authorized by law, the loss of personal information or any other breach in the protection of such information”.
  4. This might include a situation where a financial institution uses existing personal information of a customer to facilitate the opening of additional accounts or in the acquisition of financial products with the same company.
  5. Furthermore, the CAI is expected to develop and make public a general framework for the application of monetary administrative penalties that will specify the purpose of the penalties, the criteria that must guide designated persons in the decision to impose a penalty and the circumstances in which priority will be given to penal proceedings.

 To discuss these issues, please contact the author(s).

This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.

For permission to republish this or any other publication, contact Janelle Weed.

© 2024 by Torys LLP.

All rights reserved.

Subscribe and stay informed

Stay in the know. Get the latest commentary, updates and insights for business from Torys.

Subscribe Now