Technology, Intellectual Property and Communications
Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, approved unanimously by the Quebec National Assembly in its first reading on June 12, 2020 will, if enacted, enhance the protection of data that is collected by public bodies and businesses within the province of Quebec. While the legislation may still be heavily amended, the bill in its current form includes many changes to Quebec’s existing framework for using, obtaining, maintaining and destroying data.
One of the changes that may be enacted is an increase in the comprehensiveness of consent required to use data within the province.1
According to clauses 9 and 102 of the bill, amending section 53.1 of the Act respecting Access to documents held by public bodies and the Protection of personal information, CQLR c A-2.1 and section 14 of the Act respecting the protection of personal information in the private sector, CQLR c P-39.1, respectively, consent for using an individual’s data must be obtained each time for each purpose.2 In addition to having specific consent, the language used to obtain consent must be drafted in a manner that is easy to understand.3 The bill also places a positive obligation on organizations to help individuals understand the scope of the consent they are providing.4 The extent of help or assistance required under the bill is not clear at this point. It will be noteworthy to see how this provision will be applied to businesses and what level of assistance will be required, should this section be enacted in its current form.
The required level of consent rises to express consent when the data in question is labeled as sensitive personal information.5 Information is designated as sensitive “if due to its nature or the context of its use or release, it entails a high level of reasonable expectation of privacy.”6 While we do not know how the term sensitive will be interpreted by the courts, the meaning of the term may be elucidated by the interpretation of this same term in the federal privacy law, The Personal Information Protection and Electronic Documents Act (PIPEDA).
While PIPEDA does not provide an exhaustive list of what could constitute sensitive information, it does mention in Schedule 1 that income information and medical information are generally considered sensitive information.7 Additionally, the Supreme Court of Canada has affirmed that financial data is normally considered to be sensitive.8
To further illustrate what kind of information may likely be considered as sensitive by Bill 64, the Privacy Commissioner of Canada has also stated in regard to PIPEDA that information regarding sexual interests are sensitive, when, for example, taken by a dating service (ex: Ashley Madison).9 The bill states that information can be either intrinsically or situationally sensitive.10 If one reads this in conjunction with the PIPEDA, which contains similar flexibility, this provision could mean that some information that is generally not sensitive, could be viewed as such depending on the context.11 PIPEDA gives the example of how a magazine’s subscriber list can be considered as sensitive information depending on the nature of the magazine.12 A more modern example could be found in returning to the Privacy Commissioner’s decision regarding Ashley Madison.Whereas email addresses and names can in some cases be found to be unimportant personal information, they become highly sensitive if associated with an online dating platform such as Ashley Madison.13 Sensitivity may also decrease depending on the context; while financial information is usually quite sensitive, it may, depending on the context, be regarded as less sensitive.14 For instance, financial information, such as a balance of an outstanding mortgage, which has related information already available in the public domain for a legitimate purpose, may be considered less sensitive depending on the circumstances and other factors.15
In terms of distinguishing between express and implied consent, the Federal Privacy Commissioner has suggested that an opt-in system can represent express consent, whereas an opt-out system can represent implied consent.16 A similar framework could be integrated into the interpretation of Bill 64.
In addition to the new requirements for more explicit consent, the bill would institute special rules for using and collecting data from individuals under the age of 14.17 Parental consent would generally, barring some exceptions, become necessary for collecting this data.18 Furthermore, consent is only valid for the time necessary to achieve the purposes for which it was requested.19
The bill as it is currently written includes a new conditional right for individuals to demand that a person carrying on an enterprise cease disseminating information or de-index any hyperlink attached to the individual.20 This order can be compelled in circumstances where dissemination of the information is in violation of the bill or where the following three requirements are met:
“(1) the dissemination of the information causes the person concerned serious injury in relation to his right to the respect of his reputation or privacy;
(2) the injury is clearly greater than the interest of the public in knowing the information or the interest of any person in expressing himself freely; and
(3) the cessation of dissemination, re-indexation or de-indexation requested does not exceed what is necessary for preventing the perpetuation of the injury.” 21
The bill also provides additional information for assessing these criteria. It appears that this list is not exhaustive and other factors may be considered.22 It may be relevant to see whether these criteria undergo any modifications before the bill gains force of law.
Organizations should either destroy or anonymize information that they no longer have a reason to maintain.23 To anonymize data means to go through a procedure whereby the information can continue to exist, but can no longer be associated with a specific individual.24 Specifically, the bill states that “information [..] is anonymized if it irreversibly no longer allows the person to be identified directly or indirectly”.25 For information to be “irreversibly” anonymized, the process cannot be reverse engineered.26 The process should be based on “generally accepted best practices.”27 Undoubtedly, the courts will be involved in defining this standard of “generally accepted best practices” if further information is not provided by the legislature.
Furthermore, individuals can request that a business share the information they are holding on them.28 The businesses receiving such requests must confirm if they hold any information.29 Organizations must be prepared, where applicable, to provide a copy of the data they hold on an individual in a technological format.30 Moreover, it specifies that at the request of the individual, the technological format of the information should be one that is commonly used.31
Another major component of the bill is the inclusion of enhanced protection for data that is transferred outside of Quebec. According to the proposed piece of legislation, when seeking to transfer data outside of the province, a privacy assessment must be done to determine whether the data exported from the province will receive a similar level of protection outside of Quebec as it does within Quebec.32 Should the potential transfer be found not to provide an equivalent level of protection, the data would be barred from transfer.33 Where transfers are permitted following the assessment, they must be accompanied by a written agreement between the parties.34 This requirement is far more stringent than the federal legislation, which has a general requirement to use agreements or other methods to provide comparable levels of protection to data transferred to third parties, without necessarily conducting a preliminary assessment.35
The bill proposes several changes to the culture of data collection, utilization and dissemination. One way it seeks to do this is to compel organizations to complete a privacy assessment on information systems and delivery systems, projects that utilize, disseminate, hold or destroy personal information.36 Furthermore, absent delegation, there is a presumption that those exercising the highest authority within an organization are responsible for protecting the data held by the organization and ensuring their organization’s compliance with the law.37 Transferring such obligations to another person can be done in writing.38 The requirement of identifying an individual to ensure adherence to the law is also found in PIPEDA; however, there is no assumption that the individual with the highest level of authority is responsible for implementing PIPEDA.39 If this section is enacted, it will be necessary for businesses dealing with personal information to ensure they delegate this responsibility to the appropriate individual within their organization. At present, this task can only be delegated to a “personnel member”.40 Our interpretation of this provision would indicate that an organization cannot outsource this responsibility of protecting personal information to any third party.41
Penalties for Non-Compliance
Businesses that do not follow certain requirements set forth in the bill could be forced to pay large sums. For example, administrative penalties created by the proposed law can be as high as 10 million dollars or 2% of the company’s global turnover, whichever is the highest.42 Penal penalties are even higher with a maximum fine of 25 million dollars or 4% of the company’s global turnover, whichever is the highest.43
In addition to these legislative penalties, there is also an avenue for individuals whose rights have been violated and who have suffered as a result of that violation, to sue the business responsible for damages.44 In circumstances where the violation can be proven to be the result of deliberate or gross fault, punitive damages can be awarded, starting at a minimum of $1,000.45
The monetary penalty structure proposed is far harsher than PIPEDA, which has a maximum of only $100,000.46
The bill also imposes legal requirements on organizations that are the victims of security incidents relating to personal information.47 An incident, is defined as the access, use, release or loss of personal information that is not permitted under law or any other violation to the security of the data.48In these circumstances, the organization must:
- Take steps to reduce the harm caused by the incident
- Inform the person, whose information is involved in the incident if there is a chance of serious harm as a result of the incident
- Notify the Commission d’accès à l’information if there is a chance of serious harm as a result of the incident.49
This section also provides that a government regulation may determine the content and terms of the notice.50 These provisions resemble the regime in place under PIPEDA and the notion of “serious harm”. One can imagine the regulations under the bill will mirror the regulations enacted under PIPEDA, which set out the content, manner, and form of the notices to be provided to individuals.51
Bill 64, in its current form will update Quebec’s privacy regime in a dramatic and significant way. While the legislation may still be heavily altered before it comes into force, the overall trajectory of the legislation is clear: Quebec wants to provide stronger protections for personal information.
Consent and Knowledge is needed to use, collect or disseminate information.52
Free and informed and for specific reasons.53
Consent of Minors
No explicit statement, but notes that seeking consent from someone may be impossible if the individual is a minor.54
A 2017 Privacy Commissioner report states however that under the age of 13, barring extraordinary circumstances, consent should be given by the one exercising parental authority. Adolescents between the ages of 13 and 18 are able to give meaningful consent if the organization has considered their level of maturity when putting into place their consent procedures, and then making the necessary modifications.55
Parental consent required for all minors under 14 as general rule.56
The form of consent sought may be different based on the sensitivity of the information.57
Sensitivity can be established intrinsically or situationally.58
Consent needs to be explicit when the information is sensitive.
Information becomes sensitive if there is a reasonable belief that the information would be generally expected to be very private. This can be assessed by the nature of the situation or the information itself.59
Right to be De-indexed
A right to be de-indexed by search engines has not been explicitly recognized by the courts60, but the issue may be sufficiently addressed by a case currently being litigated in the federal courts.61
Depending on the circumstances, an individual does have the right to be de-indexed.62
Appointing an officer
Someone is designated, but no presumption of those who are exercising at the highest authority as being responsible.63
Designation of someone responsible for protecting personal information is required, but if no personnel is expressly delegated the role, the person exercising the highest amount of authority is presumed to be responsible. 64
Transfer of data
Exporting of data for processing outside of Canada to 3rd parties is permitted, where there is the utilisation of contracts or other tools to give the data in question a comparable level of protection. The organization remains responsible for the information that is transferred.65
Data can only be transferred outside of Quebec, where an assessment attests to the fact that the information will be given an equivalent level of protection to that of the Act.66
1 Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, 1st Sess, 42nd Leg, Quebec, 2020, cls 9, 102 (first reading 12 June 2020) [Bill 64].
5 Ibid at cls 19, 102.
6 Ibid at cls 12, 102.
7 Personal Information Protection and Electronic Documents Act, SC 2000, c 5, Schedule 1 at 4.3.4 [PIPEDA].
8 Royal Bank of Canada v Trang, 2016 SCC 50 at para 36 [RBC].
9 Canada, Joint Investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner/Acting Australian Information Commissioner, PIPEDA Report of Findings #2016-005, (Ottawa: Office of the Privacy Commissioner of Canada, 2016), at para 47 [Ashley Madison Investigation].
10 Bill 64, supra note 1 at cls 12, 102.
11 PIPEDA, supra note 7.
13 Ashley Madison Investigation, supra note 9.
14 RBC, supra note 8 at paras 36-42.
16 Canada, Facebook did not get non-member’s consent to use email addresses to suggest friends, investigation finds, PIPEDA Report of Findings #2012-002, (Ottawa: Office of the Privacy Commissioner of Canada, 2012), at para 37.
17 Bill 64 supra note 1 at cls 9, 16, 96, 102.
19 Bill 64 supra note 1 at cl 9, 102.
20 Ibid at cl 113.
23 Ibid at cls 28, 111.
28 Ibid at cls 112.
30 Ibid at cls 14 , 30, 95, 112.
31 Ibid at cls 30, 112
32 Ibid at cls 27, 103.
35 PIPEDA, supra note 7 atSchedule 1, 4.1.3; see also: Canada, Investigation into Equifax Inc. and Equifax Canada Co.’s compliance with PIPEDA in light of the 2017 breach of personal information, PIPEDA Report of Findings #2019-001, (Ottawa: Office of the Privacy Commissioner of Canada, 2019), at para 74 (though the Privacy Commissioner does state that there should be a structured program for monitoring).
36 Bill 64, supra note 1 at cls 14, 95.
37 Ibid at cls 1, 95.
39 PIPEDA, supra note 7 atSchedule 1, 4.1.
40 Bill 64, supra note 1 at cls 1, 95
42 Ibid at cl 150.
43 Ibid at cl 151.
44 Ibid at cl 152.
46 PIPEDA, supra note 7 at s28.
47 Bill 64, supra note1 at cls 14, 95.
51 Breach of Security Safeguards Regulations, SOR/2018-64, ss 2-5.
52 PIPEDA, supra note 7 Schedule 1 at 4.3.
53 Bill 64, supra note cls 9, 102.
54 PIPEDA, supra note 7 Schedule 1 at 4.3.
55 Canada, Real fears, real solutions: A plan for restoring confidence in Canada’s privacy regime, (Ottawa: Office of the Privacy Commissioner of Canada, 2017) at 21.
56 Bill 64, supra note 9, cls 9, 16, 96, 102.
57 PIPEDA, supra note 7 Schedule 1 at 4.3.4.
59 Bill 64, supra note 9, cls 12, 19, 102.
60 Andrea Slane, “Search Engines and the Right to be Forgotten: Squaring the Remedy with Canadian Values on Personal Information Flow” (2018) 55 Osgoode Hall LJ 349 at 350-351. See also: Canada, Draft OPC Position on Online Reputation (Ottawa: Office of the Privacy Commissioner of Canada, 2018). The OPC argues that PIPEDA does apply to search engines and that there are legal obligations to deal with de-indexing requests.
61 Canada, A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy, (Ottawa: Office of the Privacy Commissioner of Canada, 2019) at 20, Reference re Subsection 18.3(1) of the Federal Courts Act, Ottawa T-1779-18 (FC).
62 Bill 64, supra note 9, cls 113.
63PIPEDA, supra note 7 schedule 1 at 4.1.
64 Bill 64, supra note 9, cls 1 and 95.
65 PIPEDA, supra note 7 Schedule 1 at 4.1.3, Canada, Office of the Privacy Commissioner of Canada, Processing Personal Data Across Borders Guidelines, (Ottawa: OPC).
66 Bill 64, supra note 9, cls 27 and 103.