2021 will be remembered as an important year in terms of data protection and privacy in Québec.
After a lengthy legislative process, the National Assembly of Québec adopted a new privacy law, formally titled An Act to modernize legislative provisions as regards the protection of personal information. Known as Bill 64, the legislation updates and modernizes the Act respecting the protection of personal information in the private sector (the Private Sector Act) as well as the Act respecting Access to documents held by public bodies and the Protection of personal information.
On December 3, the Québec legislature also introduced a new bill aimed at modernizing the legal framework applicable to health and social services data, An Act respecting health and social services information and amending various legislative provisions. On the same day, the bill creating the Québec Ministry of Cybersecurity and Digital was adopted, establishing the first ministry of its kind in North America, which is now charged with a portfolio of digital technology, electronic services and security.
Québec courts have also been busier than ever dealing with litigation matters resulting from security breaches in various contexts including cyberattacks, loss of devices or other types of theft of personal information and have issued some significant decisions in privacy class actions.
This article provides an overview of the recent privacy case law developments and practical tips for organizations to adequately protect personal data and respond to security incidents in light of the new requirements set out in the new version of the Private Sector Act.
Case study: Facebook and third-party access
In the recent case Thiel v. Facebook, the Superior Court certified a class action against the tech giant, which allegedly allowed third parties to access the personal data of its users without first obtaining informed consent, in contravention of the Charter of Human Rights and Freedoms, the Civil Code of Québec and the provisions of the Consumer Protection Act. It was alleged that Facebook had reached data-sharing partnerships with at least 60 device makers, including Apple, Amazon, BlackBerry, Microsoft and Samsung.
The plaintiffs argued not only that the class members had not consented to the impugned third-party data-sharing practices, but that they could not have done so, because Facebook never informed its users of those practices. As such, they had no knowledge of these practices, which were not authorized by law.
Given the challenges of establishing a claim of compensatory damages, the plaintiffs’ claim was limited to punitive damages for an amount to be determined by the Court based on the evidence to be presented at trial.
In this case, the Court found that, while it was objectively impossible for the plaintiffs to determine which users' data had been inappropriately shared, the factual allegations were sufficient to demonstrate a potentially significant breach of privacy rights and, thus, that punitive damages may be in order.
While standalone punitive damages claims have long been recognized by Québec courts, Bill 64 now provides for the possible award of punitive damages of at least $1,000 in the case of an intentional or grossly negligent infringement of a right protected under the Private Sector Act and under articles 35 to 40 of the Civil Code of Québec. In order to comply with their obligations, organizations collecting personal information will be required to inform the individual concerned of the “name of the third persons” to whom the information may be communicated at the time of the collection.
Case study: Nissan and data ransom
In the same vein, the Québec Court of Appeal allowed an appeal in part and reinstated the plaintiffs’ class action claim for punitive damages resulting from a “bitcoin ransom” privacy breach, in which three officers of Nissan Canada received a threatening email suggesting that the personal information of its customers would be used for malicious purposes if the company refused to pay a bitcoin ransom.
Although the first instance judge had not allowed this claim at the certification stage, the Court of Appeal considered that the one-month delay between the time the threat was received and the time Nissan’s customers were notified could potentially be sufficient to justify a claim for punitive damages. The fact that Nissan undertook an internal investigation of the incident before it notified its customers was raised in argument, and it remains to be determined whether this will be enough to justify the notification delay.
While the former Private Sector Act set no legal obligation to report personal information breaches, the new version of the Private Sector Act introduces reporting requirements with respect to confidentiality incidents that will come into force in September 2022. No specific deadline has been imposed for the new requirement. An organization will be required to promptly notify the Commission d’accès à l’information du Québec, as well as any person whose personal information is affected by the incident, if the incident presents a risk of serious injury.
Case study: IIROC and crisis response
2021 saw the first Canadian data incident case to be tried on the merits, and it was argued in Québec. The IIROC matter gave rise to a class action following the loss of a laptop computer on a train by an inspector working for the Investment Industry Regulatory Organization of Canada (IIROC). The device contained personal information relating to individuals that had been collected from securities brokers who were under inspection; despite IIROC’s efforts, the computer was never recovered.
In line with leading case law, the Superior Court confirmed that it is not necessary for class members to have been victims of any unlawful use of their personal data to support their claims, so long as compensable damages are proven. However, on this point, the Court noted that the mere fears, annoyances, stress and worries experienced by the affected individuals in relation to the loss of their personal information were normal inconveniences that anyone living in society encounters and is obliged to accept.
As for punitive damages, the Court concluded that the defendant’s unintentional fault did not justify an award of punitive damages, as it had reacted diligently, in a timely fashion and according to the standards expected in similar circumstances following the incident. The evidence revealed that the defendant had conducted investigations and carried out internal checks, promptly informed the authorities, retained a consultancy firm to perform computer forensic and investigative analysis, developed a privacy risk management strategy, and notified federal and provincial privacy commissioners as well as brokerage firms and class members. The organization also offered investors all necessary monitoring and protective measures through credit monitoring agencies.
Bill 64 requires that any person with cause to believe that a confidentiality incident has occurred must take reasonable measures to reduce the risk of injury and prevent new incidents. While it does not yet specify the nature of these “reasonable measures”, the IIROC case certainly provides helpful guidance for organizations to adequately respond to such an incident.
What lies ahead for organizations
Although the new requirements will be rolled out in phases over the next three years, one can certainly expect the provisions introduced by Bill 64 to have far-reaching consequences for how Canadian organizations will handle personal information and on the development and interpretation of privacy laws in Canada in the coming year, including in the context of privacy class actions.
Organizations that inappropriately share users’ data with third parties will now face, under the new Private Sector Act, punitive damages of at least $1,000 in the case of an intentional infringement or one resulting from gross negligence. When collecting personal information, organizations should inform the individual concerned of the “name of the third persons” to whom the information may be communicated at the time of the collection.
New reporting requirements under the new Private Sector Act for personal information breaches are on the horizon. Organizations should ensure internal processes are appropriately updated to reflect these new requirements which come into force in September 2022.
Organizations facing a data breach will be required under the new Private Sector Act to take reasonable measures to reduce the risk of injury and prevent new incidents. While these measures have yet to be defined, examples of reasonable action may include conducting internal checks and forensic investigations, promptly informing the authorities, developing an appropriate privacy risk management strategy, and notifying the concerned parties, among others.
Beyond regulatory and legislative compliance, businesses will want to watch for evolving jurisprudence related to the new Private Sector Act and remain vigilant in maintaining a robust data and privacy governance framework that makes use of the most current best practices in privacy and data management.