Bill 64 – How will Modernizing the Legislative Provisions on the Protection of Personal Information Affect your Company?

2020-06-23

Vanessa Deschênes and Jean-François Normand [1]
ROBIC, LLP
Lawyers, Patent and Trademark Agents

On Friday, June 12, the National Assembly of Québec tabled Bill 64, An Act to modernize legislative provisions as regards the protection of personal information (the "Bill"). This reform, which targets in particular the Act respecting the protection of personal information in the private sector ("APRPPS"), is intended to establish a stricter regime, particularly in response to the highly publicized events of recent years (breaches of confidentiality), and to set higher standards by following in the footsteps of Europe, which established the General Data Protection Regulation ("GDPR").

It is worth recalling that Québec was one of the first jurisdictions in North America to introduce legislation for the protection of personal information ("PPI") in the private sector. That legislation dates back to 1994; with the explosive growth of new technologies and the craze surrounding data, a major overhaul was not only expected, but inevitable.

To clarify the practical measures that will have to be put in place within your company should the Bill be adopted as is, this short article highlights the key proposed amendments and their implications for the commercial activities of businesses.

Preliminary Notes:

We note that many of the newly proposed provisions reflect concepts introduced in the GDPR, or guidelines, recommendations and policy proposals that had already been issued by privacy commissioners, particularly at the federal level. Companies that have already implemented these elements as part of their internal practices and procedures will therefore have a head start, especially if they have already started documenting those practices. Indeed, we note a desire on the part of our Government to ensure that companies take issues related to PPI seriously by requiring them to document their practices so that they can demonstrate compliance.

1. Obligation to Appoint a Privacy Officer

The Bill provides that companies will have to appoint an officer who will be responsible for ensuring the implementation of practices that comply with the APRPPS and for maintaining a relationship with the individuals from whom the information was collected. Although this may appear to be a major change, a similar provision is already included in the federal legislation, namely the Personal Information Protection and Electronic Documents Act ("PIPEDA"), as well as in the GDPR.

What does this mean for your company? Each company must appoint a PPI officer and provide that officer's contact information to the individuals from whom personal information is collected. Generally, this information is made available in the company's privacy policy.

If your business is already subject to PIPEDA and/or the GDPR, this obligation should already be in place within your organization and therefore should not require additional measures.

2. Increased Powers of the Commission on Access to Information (CAI) and Sanctions

The Bill introduces new powers for the CAI, which have been requested for many years in order to allow the legislation to have a real impact. Accordingly, the CAI will now be able to issue non-compliance notices and impose monetary administrative penalties in the event of: (i) failure to inform the persons concerned of the purpose of the file, the use that will be made of the personal information, the categories of persons who will have access to the information, the location and duration of retention of the personal information, and the rights to access and rectify the information; (ii) collection or use of personal information in contravention of the provisions of the APRPPS; (iii) failure to report a confidentiality incident to the CAI or to the person concerned; or (iv) failure to inform a person concerned by a decision based exclusively on automated processing, or failure to give that person an opportunity to submit observations.

Administrative penalties can amount to a maximum of $50,000 for a natural person and $10,000,000 for an organization or, if greater, the amount corresponding to 2% of worldwide turnover for the preceding fiscal year. As for penal sanctions, they can amount to a maximum of $50,000 for a natural person and $25,000,000 for an organization or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year. With the introduction of these increased powers and the staggering increase in penalties, the proposed amendments are in no way consistent with the provisions of the GDPR.

What does this mean for your company? The legal risk of non-compliance with the rules surrounding PPI should, if it is not already, become a priority for the organization, as the monetary consequences can be considerable. Moreover, given that the CAI now has the power to force companies to change their practices, companies may be subject to delays imposed by the CAI. This is where the adage "better safe than sorry" takes on its full meaning!

3. Obligation to put in place policies governing PPI

The Bill requires all companies to have internal governance policies in place for the management of personal information. This obligation, similar to the one set out in the GDPR, ensures, in a sense, compliance with the APRPPS. It should be noted that the CAI may require, at any time, evidence of compliance with the APRPPS and its regulations.

What does this mean for your company? Each company must publish its policies on its website, approved beforehand by the officer responsible. These policies should include guidelines for the retention and destruction of personal information, the roles and responsibilities of staff members, and an explanation of the complaint mechanism. This information may also be included in the PPI policy.

With respect to the "evidence of compliance" component, this means that companies will need to keep records of their processes and procedures and implement what the industry often refers to as a Compliance Management Program or Privacy Management Program. For instance, as early as 2012, the Alberta, British Columbia and federal privacy commissioners issued a guide [2] to this effect. This guide is therefore a good starting point for businesses.

4. Obligation to conduct privacy impact assessments

Businesses will be required to undertake an assessment of privacy-related factors prior to any information system project or electronic service delivery project that involves the collection, use, release, retention or destruction of personal information. While this is a significant change, this obligation is similar to the one found in the GDPR and was already part of the recommendations made by the Privacy Commissioner of Canada ("OPC").

What does this mean for your company? Any new system requiring the use of personal information must be subject to this preliminary step. In addition, this requirement provides that personal information must be made available "in a structured, commonly used technological format."

In practical terms, this means that processes and procedures will have to be put in place within the organization to ensure, and to be able to demonstrate, that such an assessment was carried out and that the person appointed within the organization to oversee PPI is consulted from the very start of the project, so that this person can intervene at any time to suggest PPI measures. This obligation introduces the concepts of privacy by design and privacy by default found in the GDPR.

5. Alterations to cross-border transfer of personal information

Adapting the European approach, as well as the OPC guidelines, the legislator now provides that companies will have to conduct an assessment before each disclosure of personal information outside Québec in order to determine whether the receiving province offers equivalent protections.

Interestingly, the Government will produce a list of provinces whose legal regimes governing personal information are deemed to be equivalent to the PPI principles applicable in Québec.

What does this mean for your company? The company will have to put in place an evaluation framework and carry out such an assessment before the transfer. The assessment will have to take into consideration the sensitivity of the personal information, the purpose of its use, the safeguards in place and, in particular, the legal framework applicable in the receiving jurisdiction. In this assessment, the company will have to establish and demonstrate legal equivalence so as to allow the transfer of personal information. These findings must be reflected in a written contract.

It should be noted that companies that currently comply with the GDPR, or that have already implemented the OPC's cross-border transfer guidelines, should consider themselves compliant with these new requirements. Although the requirement for a written contract is not stipulated in the APRPPS, the CAI found it to be necessary in a decision rendered in 2000 [3].

6. Enhanced individual rights and additional rights

The Bill enhances existing rights and introduces new rights for individuals. For instance, it is now clearly stated that an individual has the right to be informed in clear and simple language, regardless of the means used. In addition, when an individual makes a request to that effect, a company must now inform the individual of the original source of the personal information if it was collected by another company. Inspired by a similar European obligation, the Québec legislator wishes to give the persons concerned an additional means of understanding who actually collected the information.

Other changes, which we would describe as major and heavily influenced by the GDPR, include data portability in a structured and commonly used technological format, the right to be forgotten, and the right (and therefore the company's obligation), before the collection of personal information, to inform individuals of the use of technologies enabling identification, location or profiling and of the fact that it is possible to disable these options. The same is true of the right to be informed, at the time of a decision or before the decision is made, that one is the subject of an automated decision.

What does this mean for your company? In practical terms, companies should implement measures such as personal information inventories, data flow mapping, or the creation of "tags" or metadata in order to meet these additional requirements. Without such tools, it may be difficult for businesses to meet these new obligations. In addition, companies will need to enhance the mechanisms by which they inform individuals of their PPI practices. In our opinion, a simple mention embedded within the privacy policy will not be sufficient. We believe that the Bill is intended to promote company transparency and to force companies to become proactive in the way they inform individuals.

7. Consent of a child under the age of 14

Much like the GDPR, the Bill adds a restriction on obtaining consent from children under the age of 14. For such consent to be considered valid, it must be obtained from the holder of parental authority.

What does this mean for your company? It should be noted that children over the age of 14 can give consent. However, companies must adopt stricter security guidelines and provide a mechanism for obtaining the consent of the holder of parental authority, when required.

8. Destruction or anonymization of personal information

In a significant change from the current regime, the Bill now formally requires businesses to destroy or anonymize the personal information collected once the purposes for which it was collected have been fulfilled. While this requirement was already good practice, this addition to the legislation clearly demonstrates the legislator's intention to put an end to certain companies' practice of archiving data "for life". With this legislative change, there is no doubt left as to which practices ought to be implemented.

What does this mean for your company? Companies should put in place archiving schedules and data management measures. In doing so, companies will be alerted that personal information is due for disposal once the purpose for which it was collected has been fulfilled, and will thus meet their obligations.

9. Managing Privacy Incidents

As is already the case in Alberta, and as provided by PIPEDA and the GDPR, the Bill introduces a new notification regime in the event of a leak or other security breach.

What does this mean for your company? In practical terms, a company subject to PIPEDA should already have mechanisms in place to meet this new requirement. Indeed, the proposed additions, namely the requirement to notify and to maintain a registry, as well as the involvement of the PPI officer, are similar to what was originally introduced in 2018 through federal jurisprudence.

In simple terms, should the company not already be in compliance with PIPEDA, it must create a registry in which to record each incident. It must also prepare internal procedures, not only to deal with an incident, but also to set out the criteria that determine when a notification is required.

In February 2020, Minister Lebel announced her intention to give Quebec citizens back control over their data. In achieving this goal, the Government would draw inspiration from the world's "best standards" in data protection.

She stated: "We are moving towards European models, and this is what is recognized to be the most advanced." It must be noted that the Bill is strongly inspired by the GDPR and will now allow citizens to be better informed of company practices. It also allows for a better understanding of the extent to which their data is used and how. In Minister Lebel's opinion, this was the root of the problem.

Would you like to assess the realistic impact of these changes on your organization should the Bill be adopted as is? Our Data Protection, Privacy and Cybersecurity department is here for you.

OUR DATA PROTECTION, PRIVACY AND CYBER SECURITY PROFESSIONALS

Vincent Bergeron, Lawyer and Trademark Agent, Partner, vbergeron@robic.com

Vanessa Deschênes, Lawyer, deschenes@robic.com

Jules Gaudin, Lawyer, gaudin@robic.com

Marcel Naud, Lawyer and Trademark Agent, naud@robic.com

Jean-François Normand, Lawyer, normand@robic.com

© CIPS, 2020.

[1] Vanessa Deschênes and Jean-François Normand are lawyers with ROBIC, LLP, a firm of Lawyers, Patent and Trademark Agents.

[2] Office of the Privacy Commissioner of Canada (2012). Getting Accountability Right with a Privacy Management Program. Office of the Privacy Commissioner of Canada. Retrieved June 15, 2020 from https://www.priv.gc.ca/fr/sujets-lies-a-la-protection-de-la-vie-privee/lois-sur-la-protection-des-renseignements-personnels-au-canada/la-loi-sur-la-protection-des-renseignements-personnels-et-les-documents-electroniques-lprpde/aide-sur-la-facon-de-se-conformer-a-la-lprpde/conformite-a-la-lprpde-et-outils-de-formation/gl_acc_201204/

[3] Deschesnes c. Groupe Jean Coutu, [2000] CAI 216.