Bill 64 and the Fables of Jean de la Fontaine: Why You Should Consider Adopting the Tortoise Strategy
Bill 64 and the Fables of Jean de la Fontaine: Why You Should Consider Adopting the Tortoise Strategy
Vanessa Deschênes and Jules Gaudin 
Lawyers, Patent and Trademark Agents
“There’s no point in running, you have to start at the right time.” This was the lesson to be learned from Jean de La Fontaine’s famous fable, The Tortoise and the Hare. How this fable from 1668 is relevant to Bill No. 64 (“Bill 64“), introduced June 12, will you ask? That is precisely what this short article will try to answer!
The tortoise’s strategy: It’s better to start at the right time, anticipate and plan ahead!
As you could noticed in our previous articles on Bill 64, the bill constitutes a major reform of Quebec’s privacy laws. While some businesses that already comply with the General Data Protection Regulation (“GDPR“) will see no major distinctions between Quebec law and European law, and therefore will not have to plan major upgrade projects, businesses that have not already followed suit in implementing certain practices may find the pace a bit high.
Although we have no certainty as to the exact timing of the adoption of Bill, we would find it surprising if the bill changes substantively, given that Canada (and therefore, Quebec) stands to gain from maintaining its adequacy status under the GDPR.
Pursuant to our analysis of Bill 64, and given our experience in upgrading practices to comply with the GDPR, we believe that the tortoise’s strategy could be advised, namely to start your internal reflection rather sooner than later to anticipate the scope of the work that could be required to comply with the proposed amendments to the Act respecting the protection of personal information in the private sector (the “Privacy Act“).
By adopting the tortoise’s strategy and getting a comfortable head start, you’ll be even more prepared when the time comes!
Bill 64: A Quebec GDPR?
As mentioned in our previous articles, Bill 64 is strongly inspired by the GDPR, which came into force on May 25, 2018. With this in mind, we would like to inform you of the lessons to be learned from our European friends and save you some unnecessary headaches!
A. Compliance will take longer than you think.
One should not underestimate the volume of changes in mindsets, processes and technologies that may be involved in upgrading to the new provisions of the Privacy Act put forward by Bill 64. With the digitalization of business models and the increasing volume of data held by organizations, there is sometimes a lack of understanding by businesses of how much personal information (“PI“) they hold, why they hold it and how it is used.
Based on the statistics available under the GDPR, despite a two-year transition period, 40-50% of businesses were still non-compliant at the time this legislation came into force. Why?
The most obvious explanation is that several new provisions inserted in European legislation implied a complete overhaul of the way companies managed their data. In addition, for many small and medium-sized organizations that did not have well-established privacy protection programs, full compliance with the GDPR easily required 6 to 12 months of preparation. For larger organizations, or those handling large and complex volumes of data, the process took even longer – sometimes more than two years!
Thus, despite a transition period currently set in Bill 64 at one year – and three years on the issue of data portability – being compliant will probably take longer than you might think.
B. Knowing where your data is is not as easy as it seems, especially with legacy systems.
Many organizations are beginning to realize that PI is ubiquitous in their systems. To comply with the new provisions, they will need to be able to label and search everything in their IT environment, from existing applications to e-mail systems. To be able to manage or delete PI, they must first know where they are located.
Thus, tackling already existing systems that do not have automatic deletion capabilities can be a daunting task. In addition, many existing database systems containing PI about your customers may not be able to automatically delete data based on expiration dates or requests from individuals (such as exercising the right to erasure). Without automation, your company may find this type of management excessively burdensome and costly. At the very least, companies should create interim solutions to help automate these deletion practices so that things don’t fall through the cracks.
Imagine an erasure request: if you have multiple legacy systems and customer PI are stored in multiple databases within your organization, will you be able to find out where all the data is stored? In Europe, we have seen that many organizations are struggling to support the “right to be forgotten” because of the complexity and wide distribution of data in different databases, backups, etc.
C. Privacy by Design and Privacy Impact Assessment
Successful implementation of “privacy by design” and “privacy by default” programs requires that employees – particularly those involved in the development of new products and services – have a sufficient basic knowledge of privacy. In practical terms, this also means that PI and individual privacy issues are no longer exclusively within the legal sector of your company and must be integrated into all departments, including marketing, business intelligence, human resources and any other departments that use data.
Clear policies, guidelines and procedures on the protection of PI must be developed, and the development method used within your company (agile, waterfall, etc.) must be taken into account in order to apply the concepts throughout the development process. This will enable your development teams to take appropriate action in the relevant phases.
In addition, companies often mistakenly believe that security equals privacy, thinking that they are compliant because information security is already a well-established element in their business processes. However, information security is only one of the principles to be respected in privacy and data protection legislation. Integrating the principles of “privacy by design and by default” into all business processes can be a work in progress!
Also, keep in mind that under the new version of the Privacy Act, organizations will not only be responsible for compliance with privacy principles, but will also have to be able to demonstrate that they are adhering to them, as discussed in our second article. A good tool for doing so is the completion of a Privacy Impact Assessment, which is required under Bill 64. This assessment will help you identify privacy risks in your new design and allow you to adjust accordingly. Remember to keep the results of this assessment, as this will allow you to demonstrate the reasons for certain decisions, if needed.
D. Right to PI Portability
The reason why the right to data portability may have a significant impact on your business is because it changes the relationship you have with individuals and your customers. Indeed, individuals can manage their data on different platforms, for example via a direct download tool or application. The platform that the user prefers will ultimately receive all PI. If you are not the preferred platform – read here the individual’s preferred platform – you may be forced to transfer your data to a competitor and possibly be asked to delete the (so valuable) data you have collected over the years. This leads to greater competition between companies and should therefore be taken into account when determining your business strategy.
From a technical point of view, companies will need to ensure that their systems, connected products, applications and devices that collect and store PI also have the functionality to transmit data to individuals (and not just give them access). In some cases, this will require you to readjust or reconfigure certain systems, products, applications and devices. In addition, the new right to data portability means that you will need to be able to export data in a structured, commonly used, machine-readable format so that data can be reused. Be aware, however, that this right has certain limitations and its exercise by an individual should not create an additional burden or obstacle for you.
In practice, this means that you must not only have the possibility to provide your client with a copy of all the PI you hold about him or her, but also the possibility to transfer the PI to another company or service provider. The data you hold about a client is interpreted as all data that the individual actively and knowingly provided. This includes information that the individual has provided to you using the service or device (for example, location data or heartbeats from a fitness monitoring device). It may therefore involve extensive data collection. In addition, the data should be provided in a manner that facilitates its reuse. For example, e-mail should be provided in a format that preserves all metadata to allow efficient reuse. The provision of e-mails in PDF format would not be sufficient, as this format is not sufficiently structured to allow reuse. Responding to a demand for data portability could be time-consuming and costly for many organizations that have not yet adopted a “privacy by design” approach to the design and construction of their systems and digital products and proposals. It is not by chance that Bill 64 currently provides for an additional 2 years (3 years in total) to comply with this new provision.
E. Starting Early Saves Money for Later
In addition to avoiding costly fines and lawsuits related to potential violations of data protection legislation, businesses that develop an early and intentional compliance strategy in preparation for the new the Privacy Act will likely be able to reduce their overall transition costs. For example, organizations that have given their teams sufficient time to plan and implement appropriate compliance measures are more likely to avoid unnecessary and ineffective efforts resulting from a rushed transition. In addition, strategic planning of future advertising campaigns, applications and products to meet the new provisions of the Privacy Act can help avoid the need for costly changes to these future investments.
As you can see, companies that put the necessary effort into the protecting of PI upstream will be best positioned to prepare for the reform of the Privacy Act. By developing documentation processes, building cross-departmental alliances and viewing compliance as a marathon, not as a sprint, these “turtle companies” will avoid many headaches and other concerns when the time comes.
Want to adopt the tortoise strategy, but don’t know where to start? Our Data Protection, Privacy and Cybersecurity sector is here for you!
OUR DATA PROTECTION, PRIVACY AND CYBER SECURITY PROFESSIONALS
© CIPS, 2020.
 Vanessa Deschênes and Jules Gaudin are Lawyers for ROBIC, LLP, a firm of Lawyers, Patent and Trademark Agents.
 An Act to modernize legislative provisions as regards to the protection of personal information. For more information, please see our publication: Bill 64 – How will Modernizing the Legislative Provisions on the Protection of Personal Information Affect your Company?
 In December 2001, the European Commission issued a Decision that stated that Canada was considered as providing an adequate level of protection of personal data transferred from the European Union to recipients subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). The adequacy decision was reaffirmed in 2006 and has yet to be reviewed in regard of the GDPR.
 Ch. P-39.1.
 Digital Guardian, 2018, online: https://digitalguardian.com/blog/52-percent-organizations-ready-gdpr#:~:text=According%20to%20a%20recent%20survey,goes%20into%20effect%20next%20month.&text=The%20research%20and%20advisory%20firm,t%20be%20in%20full%20compliance.
 Being compliant is good, but being able to demonstrate it is even better! : A look at Bill 64 and the concept of privacy management program.
 This includes, for example, fines of up to 4% of the company’s annual worldwide sales or $25,000,000, whichever is greater.