CTI Column – Bill 64: Quebec Seeks to Dramatically Reform the Province’s Privacy Policy
By Erin Schachter, Lawyer, and Itai Azerrad, articling student
Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, passed first reading unanimously in the Quebec National Assembly on June 12, 2020. If enacted, it will strengthen the protection of personal information collected by public bodies and by businesses within the province of Quebec. While the legislation may still be heavily amended, the bill in its current form makes many changes to Quebec’s existing framework for collecting, using, retaining and destroying personal information.
Using Data:
One of the proposed changes is a more demanding standard for the consent required to use personal information within the province.[1]
According to clauses 9 and 102 of the bill, which amend section 53.1 of the Act respecting Access to documents held by public bodies and the Protection of personal information, CQLR c A-2.1, and section 14 of the Act respecting the protection of personal information in the private sector, CQLR c P-39.1, respectively, consent to use an individual’s personal information must be requested separately for each purpose.[2]
Beyond being specific, consent must be requested in language that is easy to understand.[3]
The bill also places a positive obligation on organizations to help individuals understand the scope of the consent they are giving.[4]
The extent of the assistance required under the bill is not clear at this point. It will be worth watching how this provision is applied to businesses, and what level of assistance is required, should this section be enacted in its current form.
The required standard rises to express consent when the information in question is sensitive personal information.[5] Information is sensitive “if due to its nature or the context of its use or release, it entails a high level of reasonable expectation of privacy.”[6]
While we do not yet know how the courts will interpret the term “sensitive”, its meaning may be informed by the interpretation of the same term under the federal privacy statute, the Personal Information Protection and Electronic Documents Act (PIPEDA).
While PIPEDA does not provide an exhaustive list of what constitutes sensitive information, Schedule 1 does state that medical records and income records are almost always considered sensitive.[7] The Supreme Court of Canada has likewise affirmed that financial information is generally considered sensitive.[8]
As a further illustration of what Bill 64 may treat as sensitive, the Privacy Commissioner of Canada has stated, in the PIPEDA context, that information about sexual interests is sensitive when collected by a dating service (for example, Ashley Madison).[9]
The bill provides that information can be sensitive either intrinsically or because of its context.[10]
Read together with PIPEDA, which contains similar flexibility, this provision could mean that information that is generally not sensitive may be treated as sensitive in a particular context.[11]
PIPEDA gives the example of a magazine’s subscriber list, which may be sensitive depending on the nature of the magazine.[12]
A more modern example is the Privacy Commissioner’s decision regarding Ashley Madison. Whereas email addresses and names can in some cases be relatively innocuous personal information, they become highly sensitive when associated with an online dating platform such as Ashley Madison.[13]
Sensitivity may also decrease with context: while financial information is usually quite sensitive, it may in some circumstances be regarded as less so.[14]
For instance, financial information such as the balance of an outstanding mortgage, where related information is already legitimately available in the public domain, may be considered less sensitive depending on the circumstances and other factors.[15]
As for distinguishing express from implied consent, the federal Privacy Commissioner has suggested that an opt-in mechanism can constitute express consent, whereas an opt-out mechanism can constitute implied consent.[16] A similar framework could be adopted in interpreting Bill 64.
In addition to the new, more explicit consent requirements, the bill would introduce special rules for collecting and using personal information from individuals under the age of 14.[17]
Parental consent would generally, subject to some exceptions, become necessary to collect this information.[18]
Furthermore, consent is valid only for the time necessary to achieve the purposes for which it was requested.[19]
Holding Data:
The bill as currently drafted includes a new, conditional right for individuals to require that a person carrying on an enterprise cease disseminating personal information about them or de-index any hyperlink attached to their name.[20]
This can be required where the dissemination violates the bill or where the following three requirements are met:
“(1) the dissemination of the information causes the person concerned
serious injury in relation to his right to the respect of his reputation or
privacy;
(2) the injury is clearly greater than the interest of the public in
knowing the information or the interest of any person in expressing himself
freely; and
(3) the cessation of dissemination, re-indexation or de-indexation
requested does not exceed what is necessary for preventing the perpetuation of
the injury.”[21]
The bill also lists factors to consider in assessing these criteria. The list appears to be non-exhaustive, so other factors may be considered.[22]
It will be relevant to see whether these criteria are modified before the bill gains force of law.
Organizations must destroy or anonymize personal information they no longer have a reason to keep.[23]
To anonymize information means to process it so that it continues to exist but can no longer be associated with a specific individual.[24]
Specifically, the bill states that “information [..] is anonymized if it irreversibly no longer allows the person to be identified directly or indirectly”.[25] For information to be “irreversibly” anonymized, the process must not be reversible.[26] The process must follow “generally accepted best practices”.[27]
Unless the legislature provides further guidance, the courts will undoubtedly be called on to define the standard of “generally accepted best practices”.
Furthermore, individuals can request that a business provide them with the personal information it holds about them.[28]
A business receiving such a request must confirm whether it holds any such information.[29]
Organizations must be prepared, where applicable, to provide a copy of the information they hold about an individual in a technological format.[30]
At the individual’s request, that technological format must be one that is commonly used.[31]
Transferring Data
Another major component of the bill is enhanced protection for personal information communicated outside Quebec. Before communicating personal information outside the province, an organization must conduct a privacy impact assessment to determine whether the information will receive protection equivalent to that afforded under Quebec law.[32]
If the assessment concludes that equivalent protection would not be provided, the information may not be communicated.[33]
Where the assessment permits the transfer, it must be the subject of a written agreement between the parties.[34]
This requirement is far more stringent than the federal legislation, which only generally requires contractual or other means to provide a comparable level of protection for information transferred to third parties, without necessarily requiring a prior assessment.[35]
Administrative Requirements
The bill proposes several changes to the culture of collecting, using and communicating personal information. One way it does so is by requiring organizations to conduct a privacy impact assessment for any information system or electronic service delivery project involving the collection, use, communication, retention or destruction of personal information.[36]
Furthermore, absent delegation, the person exercising the highest authority within an organization is presumed to be responsible for protecting the personal information the organization holds and for ensuring its compliance with the law.[37] These responsibilities may be delegated, in writing, to another person.[38]
PIPEDA also requires that an individual be designated as accountable for compliance; however, it contains no presumption that the individual with the highest level of authority holds that responsibility.[39]
If this section is enacted, businesses dealing with personal information will need to ensure they delegate this responsibility to the appropriate individual within their organization. As drafted, the responsibility can only be delegated to a “personnel member”.[40]
Our reading of this provision is that an organization cannot outsource responsibility for protecting personal information to a third party.[41]
Penalties for Non-Compliance
Businesses that do not comply with certain requirements of the bill could face large financial penalties. The administrative monetary penalties created by the proposed law can reach $10 million or 2% of the company’s worldwide turnover, whichever is greater.[42]
Penal fines are higher still, with a maximum of $25 million or 4% of worldwide turnover, whichever is greater.[43]
In addition to these statutory penalties, individuals whose rights have been violated and who have suffered injury as a result may sue the responsible business for damages.[44]
Where the violation is shown to be intentional or to result from gross fault, punitive damages of at least $1,000 may be awarded.[45]
This monetary penalty structure is far harsher than PIPEDA’s, under which the maximum fine is $100,000.[46]
Incidents
The bill also imposes obligations on organizations that experience security incidents involving personal information.[47] A confidentiality incident is defined as access to, use or release of personal information that is not authorized by law, the loss of personal information, or any other breach of the protection of that information.[48]
In these circumstances, the organization must:
a. take steps to reduce the harm caused by the incident;
b. notify any person whose personal information is involved in the incident, if the incident presents a risk of serious harm; and
c. notify the Commission d’accès à l’information if the incident presents a risk of serious harm.[49]
This section also provides that a government regulation may determine the content and terms of the notice.[50]
These provisions resemble the breach-reporting regime under PIPEDA, which turns on a similar threshold of harm. One can expect the regulations under the bill to mirror those enacted under PIPEDA, which set out the content, manner and form of the notices to be provided to individuals.[51]
Conclusion:
Bill 64, in its current form, would update Quebec’s privacy regime dramatically. While the legislation may still be heavily altered before it comes into force, its overall trajectory is clear: Quebec wants to provide stronger protection for personal information.
Topic | PIPEDA | Bill 64
Consent | Consent and Knowledge is needed to use, collect or disseminate[52] | Free and informed and for specific reasons.[53]
Parental consent | No explicit .[54] A 2017 Privacy[55] |
Sensitive Information | The form of consent sought may be different based on[57] | Consent needs to be explicit when the information is
 | Sensitivity can be established intrinsically or[58] | Information becomes sensitive if there is a[59]
Right to be De-indexed | A right to be de-indexed by search engines has not been[60][61] | Depending on[62]
Appointing an officer | Someone is designated, but no presumption of those[63] | Designation of someone responsible for protecting[64]
Transfer of data | Exporting of data for processing outside of Canada[65] | Data can only be transferred outside of Quebec,[66]
[1] Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, 1st Sess, 42nd Leg, Quebec, 2020, cls 9, 102 (first reading 12 June 2020) [Bill 64].
[2] Ibid.
[3] Ibid.
[4] Ibid.
[5] Ibid at cls 19, 102.
[6] Ibid at cls 12, 102.
[7] Personal Information Protection and Electronic Documents Act, SC 2000, c 5, Schedule 1 at 4.3.4 [PIPEDA].
[8] Royal Bank of Canada v Trang, 2016 SCC 50 at para 36 [RBC].
[9] Canada, Joint Investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner/Acting Australian Information Commissioner, PIPEDA Report of Findings #2016-005 (Ottawa: Office of the Privacy Commissioner of Canada, 2016) at para 47 [Ashley Madison Investigation].
[10] Bill 64, supra note 1 at cls 12, 102.
[11] PIPEDA, supra note 7.
[12] Ibid.
[13] Ashley Madison Investigation, supra note 9.
[14] RBC, supra note 8 at paras 36-42.
[15] Ibid.
[16] Canada, Facebook did not get non-member’s consent to use email addresses to suggest friends, investigation finds, PIPEDA Report of Findings #2012-002 (Ottawa: Office of the Privacy Commissioner of Canada, 2012) at para 37.
[17] Bill 64, supra note 1 at cls 9, 16, 96, 102.
[18] Ibid.
[19] Bill 64, supra note 1 at cls 9, 102.
[20] Ibid at cl 113.
[21] Ibid.
[22] Ibid.
[23] Ibid at cls 28, 111.
[24] Ibid.
[25] Ibid.
[26] Ibid.
[27] Ibid.
[28] Ibid at cl 112.
[29] Ibid.
[30] Ibid at cls 14, 30, 95, 112.
[31] Ibid at cls 30, 112.
[32] Ibid at cls 27, 103.
[33] Ibid.
[34] Ibid.
[35] PIPEDA, supra note 7 at Schedule 1, 4.1.3; see also Canada, Investigation into Equifax Inc. and Equifax Canada Co.’s compliance with PIPEDA in light of the 2017 breach of personal information, PIPEDA Report of Findings #2019-001 (Ottawa: Office of the Privacy Commissioner of Canada, 2019) at para 74 (though the Privacy Commissioner does state that there should be a structured program for monitoring).
[36] Bill 64, supra note 1 at cls 14, 95.
[37] Ibid at cls 1, 95.
[38] Ibid.
[39] PIPEDA, supra note 7 at Schedule 1, 4.1.
[40] Bill 64, supra note 1 at cls 1, 95.
[41] Ibid.
[42] Ibid at cl 150.
[43] Ibid at cl 151.
[44] Ibid at cl 152.
[45] Ibid.
[46] PIPEDA, supra note 7 at s 28.
[47] Bill 64, supra note 1 at cls 14, 95.
[48] Ibid.
[49] Ibid.
[50] Ibid.
[51] Breach of Security Safeguards Regulations, SOR/2018-64, ss 2-5.
[52] PIPEDA, supra note 7 at Schedule 1, 4.3.
[53] Bill 64, supra note 1 at cls 9, 102.
[54] PIPEDA, supra note 7 at Schedule 1, 4.3.
[55] Canada, Real fears, real solutions: A plan for restoring confidence in Canada’s privacy regime (Ottawa: Office of the Privacy Commissioner of Canada, 2017) at 21.
[56] Bill 64, supra note 1 at cls 9, 16, 96, 102.
[57] PIPEDA, supra note 7 at Schedule 1, 4.3.4.
[58] Ibid.
[59] Bill 64, supra note 1 at cls 12, 19, 102.
[60] Andrea Slane, “Search Engines and the Right to be Forgotten: Squaring the Remedy with Canadian Values on Personal Information Flow” (2018) 55 Osgoode Hall LJ 349 at 350-351. See also Canada, Draft OPC Position on Online Reputation (Ottawa: Office of the Privacy Commissioner of Canada, 2018). The OPC argues that PIPEDA does apply to search engines and that there are legal obligations to deal with de-indexing requests.
[61] Canada, A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy (Ottawa: Office of the Privacy Commissioner of Canada, 2019) at 20; Reference re Subsection 18.3(1) of the Federal Courts Act, Ottawa T-1779-18 (FC).
[62] Bill 64, supra note 1 at cl 113.
[63] PIPEDA, supra note 7 at Schedule 1, 4.1.
[64] Bill 64, supra note 1 at cls 1, 95.
[65] PIPEDA, supra note 7 at Schedule 1, 4.1.3; Canada, Office of the Privacy Commissioner of Canada, Processing Personal Data Across Borders Guidelines (Ottawa: OPC).
[66] Bill 64, supra note 1 at cls 27, 103.