Bill 64’s adoption confirms overhaul of Québec private sector privacy law

September 22, 2022

Designate a privacy officer

Description

Committee changes adopted

Operational considerations

Organizations will be authorized to delegate “the function of person in charge of the protection of personal information” to any person, whether or not that person works for the organization.

This function may be delegated to any person, without being limited to a personnel member.

According to comments made during the detailed review of the Bill, this approach would allow a group of organizations to designate a unique person for that function or to retain the services of a person specialized in protecting personal information.

Organizations will have to:

• designate a privacy officer; and
• publish the contact information of the privacy officer on their website.

Breach response and reporting

Description

Committee changes adopted

Operational considerations

Organizations will need to:

i) Notify the CAI and impacted individuals of a breach (referred to as a “confidentiality incident”³) presenting a “risk of serious injury”;

ii) take all necessary measures to prevent the breach from causing any injury; and

iii) keep a record of breaches and send a copy of it to the CAI at its request.

N/A

Organizations will have to:

• establish a policy for handling breaches; and
• keep a record of breaches.

September 22, 2023

Consent and notice

Description

Committee changes adopted

Operational considerations

Consent must now be requested for each of the purposes identified by the organization, in clear and simple language and separately from any other information provided to the individual.

When collecting personal information and subsequently on request, organizations will need to inform individuals of:

i) the purposes for which the information is collected;

ii) the means by which the information is collected;

iii) their rights of access and rectification; and

iv) their right to withdraw consent.

Organizations will also need to inform individuals of the possibility that the information could be disclosed outside Québec, if applicable.

Organizations will also need to inform individuals of the names of the third parties or categories of third parties to whom it is necessary to disclose the information in order to carry out the purposes of the collection.

Organizations should review privacy notices and consent flows for necessary updates, taking into account applicable consent exceptions.

Collection from third parties

Description

Committee changes adopted

Operational considerations

Organizations that collect personal information from a third party must, at the request of the individual, inform them of the source of the information. This may include organizations that acquire lists of data or databases.

N/A

Organizations must ensure that they have processes in place to identify and record personal information collected from third parties and its source. One means of doing so is by maintaining a robust data inventory that tracks how and why personal information is collected, used and shared, including to and from third parties.

Privacy by design

Description

Committee changes adopted

Operational considerations

Organizations collecting personal information through a technological product or service that has privacy options must ensure that by default those options are set to the highest confidentiality (i.e., most privacy protective) settings. Note cookies are explicitly excluded from this requirement.

This requirement was introduced in the committee stage.

Organizations should review their technological means of collecting personal information (such as apps) to ensure that settings by default collect the least amount of personal information.

Technologies allowing a person to be identified, located or profiled

Description

Committee changes adopted

Operational considerations

If an organization uses technology that includes functions allowing a person to be identified, located or “profiled,” it will need to inform individuals of the use of such technology when collecting information.

“Profiling” is very broadly defined and includes any use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests or behaviour.

An amendment adopted during the parliamentary committee proceedings also requires all organizations using such technology to inform individuals of the means available to activate the technology.

Organizations must review and record the ability of current technologies to profile individuals (including through the use of cookies) and ensure that they have processes in place to provide individuals the option to activate or opt-in to these functions where required.

Additionally, organizations must update their privacy notices to inform individuals of the use of technology that includes functions of identification, location or profiling, if applicable.

Consent exceptions for secondary uses

Description

Committee changes adopted

Operational considerations

The existing principle regarding the use of personal information remains the same: consent is required to use personal information for any purpose beyond the purposes for which it was originally collected. However, several exceptions have been added.

There were initially three exceptions included in the bill:

i) If the information is used for purposes consistent with the purposes for which it was collected, which means that the new purposes must have a direct and relevant connection with the purposes for which the information was collected⁴.

ii) If the information is clearly used for the benefit of the individual.

iii) If the use of the information is necessary for study or research purposes or for the production of statistics and if the information is de-identified.

The two following exceptions were added:

i) when the use of the information is necessary for the supply or delivery of a product or the provision of a service requested by the individual; and

ii) when the use of the information is necessary for the prevention and detection of fraud or the evaluation and improvement of protection and security measures.

Organizations should:

• update privacy notices and consent flows to streamline consent requirements were practicable; and
• maintain records that identify instances where a consent exception is relied upon.

Commercial transaction exemption

Description

Committee changes adopted

Operational considerations

Consent is not required for the disclosure of personal information for the purpose of concluding a commercial transaction, but only if an agreement has been entered into with the other party in advance and that the other party undertakes in writing to:

i) use the information only for the purposes of concluding the commercial transaction;

ii) not to disclose the information to a third party;

iii) protect the confidentiality of the information; and

iv) destroy the information if the commercial transaction is not concluded or if using the information is no longer necessary.

Amendments expanded the meaning of “commercial transaction” to include a range of transactions, including the sale or lease of all or part of a business or assets, a corporate change, reorganization or amalgamation, and lending and financing agreements (including obtaining a security interest).

Organizations should review M&A and related transaction procedures to ensure NDAs are signed in advance of a transaction and meet these requirements.

Organizations already compliant with PIPEDA’s parallel requirements will need to take minimal steps to ensure compliance here given the substantial alignment between the two.

Mandatory PIAs

Description

Committee changes adopted

Operational considerations

Organizations are required to conduct privacy impact assessments (PIAs) of any initiative (acquisition, development or redesign) related to an information system or electronic service delivery project that involves the processing of personal information.

Amendments added that the PIA must be proportionate to the sensitivity of information, the purpose for which it is to be used and the amount, distribution and format of the information.

Organizations should develop appropriate policies and procedures to ensure PIAs are conducted as required. Organizations may also consider developing a PIA template to ensure the appropriate factors are considered.

Transfers outside Québec

Description

Committee changes adopted

Operational considerations

Before transferring or disclosing personal information outside Québec, an organization will need to conduct a PIA in order to assess whether the information will receive an “adequate protection” in compliance with “generally accepted data protection principles”. Such an evaluation must take into account:

i) the sensitivity of the information;

ii) the purposes for which it is to be used;

iii) the protection measures (including contractual protections) that would apply to it; and

iv) the legal framework applicable in the destination State. The transfer of the information must also be the subject of a written agreement that takes into account the PIA.

The parliamentary committee moved away from the more stringent requirement of limiting transfers of personal information outside of Québec to jurisdictions with "equivalent protection" to a less onerous standard of permitting data transfers to jurisdictions where they would receive "an adequate protection in compliance with generally accepted data protection principles".

Organizations must, prior to transferring personal information outside Québec:

• document the relevant consent exemption or otherwise confirm consent is obtained;
• conduct a PIA confirming an adequate level of protection; and
• conclude a written agreement regarding the transfer of the information, taking into consideration the results of the PIA and the terms agreed upon to mitigate the risks identified in the PIA.

Retention, destruction and anonymization

Description

Committee changes adopted

Operational considerations

Organizations will need to destroy or anonymize the personal information that they hold when the purposes for which it was collected or used are achieved.

Personal information can in fact be anonymized but only for serious and legitimate purposes.

Organizations should:

• update their records retention; and
• review contracts that allow third parties to anonymize personal information to ensure they are able to meet the new anonymization requirements.

Minors

Description

Committee changes adopted

Operational considerations

For minors under 14 consent must be obtained from the person having parental authority.

Amendments clarified that consent can also be obtained from the minor’s guardian.

Organizations should review consent procedures for products and services offered to minors to ensure compliance.

Right to be forgotten

Description

Committee changes adopted

Operational considerations

An individual can request an organization to de-index or cease disseminating information about them if the dissemination of the information is illegal, or if the following conditions are met:

i) the dissemination of the information causes serious injury to the individual’s reputation or privacy;

ii) the injury is greater than the public interest in knowing the information or the associated freedom of expression (seven considerations informing this determination are enumerated in the bill); and

iii) the requested remedy does not exceed what is necessary to prevent the perpetuation of the injury.

Amendments clarified that i) one of the seven enumerated considerations under the second factor is whether the information relates to an individual who was a minor at the time, and ii) that a response must be provided to the request, including, if the request is granted, a confirmation of the requested remedy being provided.

Organizations should consider whether they disseminate personal information that is likely to make them subject to requests under this new right to be forgotten.

If so, they should develop processes and criteria to evaluate and respond to such requests.

Privacy program and policy

Description

Committee changes adopted

Operational considerations

Organizations will need to establish and implement a privacy program designed to protect personal information. The program must, in particular, include:

i) the rules applying to retention and destruction;

ii) the roles and responsibilities of personnel throughout the life cycle of the information; and

iii) the process for dealing with complaints regarding the protection of the information.

Detailed information about the program (including the information above) must be posted on the organization’s website or be made available by any other appropriate means.

The privacy policy must be published, in clear and simple terms on the organization’s website, or made available by any other appropriate means.

These requirements are mostly aligned with existing industry practices. Organizations should, however, consider reviewing the information they currently make public to ensure that it can be said to provide “detailed information” on each of the stipulated content points.

Enforcement

Description

Committee changes adopted

Operational considerations

Three different mechanisms have been set up to ensure that organizations comply with the new requirements: i) an administrative monetary penalty regime consisting of a maximum penalty of $50,000 in the case of a natural person and $10,000,000 or the amount corresponding to 2% of worldwide turnover for the preceding fiscal year in the case of an organization. The capacity of the organization to pay will be considered when determining the amount of the penalty⁵;

ii) new penal proceedings ranging, in the case of an individual, from a fine of $5,000 to $100,000 and, in the case of an organization, from a fine of $15,000 to $25,000,000, or the amount corresponding to 4% of worldwide turnover for the preceding fiscal year for a first offence, and the double of these amounts for a subsequent offence; iii) the possibility for a court to award punitive damages of not less than $1,000 when an unlawful infringement of a right conferred by the Act or by sections 35 to 40 of the Québec Civil Code causes an injury and the infringement is intentional or results from gross negligence.

The maximum fine that could be imposed in the case of an individual has been changed from $50,000 initially to $100,000.

The amendment related to punitive damages was adopted during parliamentary commission proceedings, and is intended to ensure that the remedy offered in this section falls under the general rules of civil liability. However, the Act does not specify the conditions that need to be met before pursuing such a remedy.

Update any risk frameworks to include the potential impact of these new penalties and fines.

September 22, 2024

Data portability

Description

Committee changes adopted

Operational considerations

On request, and unless doing so raises serious practical difficulties, organizations will be required to provide an individual, or any other organization the individual chooses, with the individual’s computerized personal information in a structured and commonly used technological format.

The committee provided additional clarity that this requirement applies only to computerized personal information collected from the individual, and not information created or derived from personal information about the individual.

Organizations should plan to ensure they have the technological and organizational capacities necessary to satisfy data portability requests.

Organizations should also consider labelling or otherwise distinguishing between the personal information that is and is not subject to this requirement.