03 Nov 2020

Chronique du CTI – Bill 64 : Quebec Seeks to Dramatically Reform the Province’s Privacy Policy

Par Itai Azerrad, articling student

Erin Schachter, Lawyer



Itai Azerrad, articling student

Bill 64, An Act to modernize legislative
provisions as regards the protection of personal information
, approved unanimously by the Quebec
National Assembly in its first reading
on June 12, 2020 will, if enacted, enhance the
protection of data that is collected by public bodies and businesses within the
province of Quebec. While the legislation may still be heavily amended, the
bill in its current form includes many changes to Quebec’s existing framework
for using, obtaining, maintaining and destroying data.  


Using Data:

One of the changes that may be enacted is an
increase in the comprehensiveness of consent required to use data within the

According to clauses 9 and 102 of the bill,
amending section 53.1 of the Act respecting Access to documents held by
public bodies and the Protection of personal information
, CQLR c A-2.1 and section 14 of the
Act respecting the protection of
personal information in the private sector
, CQLR c P-39.1, respectively, consent for using
an individual’s data must be obtained each time for each  purpose.[2]
In addition to having specific consent, the language used to obtain consent must
be drafted in a manner that is easy to understand.[3]
The bill also places a positive obligation on organizations to help individuals
understand the scope of the consent they are providing.[4]
The extent of help or assistance required under the bill is not clear at this
point. It will be noteworthy to see how this provision will be applied to
businesses and what level of assistance will be required, should this section
be enacted in its current form.

The required level of consent rises to express
when the data in question is labeled as sensitive personal
information.[5] Information
is designated as sensitive “if due to its nature or the context of its use or
release, it entails a high level of reasonable expectation of privacy.”[6]
While we do not know how the term sensitive will be interpreted by the courts,
the meaning of the term may be elucidated by the interpretation of this same
term in the federal privacy law, The Personal Information Protection
and Electronic Documents Act

While PIPEDA does not provide an exhaustive
list of what could constitute sensitive information, it does mention in Schedule
1 that income information and medical information are generally considered sensitive
information.[7]  Additionally, the Supreme Court of Canada has
affirmed that financial data is normally considered to be sensitive.[8]

To further illustrate what kind of information may
likely be considered as sensitive by Bill 64, the Privacy Commissioner of
Canada has also stated in regard to PIPEDA that information
regarding sexual interests are sensitive
, when, for example, taken by a dating service
(ex: Ashley Madison).[9]
The bill states that information can be either intrinsically or situationally sensitive.[10]
If one reads this in conjunction with the PIPEDA, which contains similar
flexibility, this provision could mean that some information that is generally
not sensitive, could be viewed as such depending on the context.[11]
PIPEDA gives the example of how a magazine’s subscriber list can be considered
as sensitive information depending on the nature of the magazine.[12]
A more modern example could be found in returning to the Privacy Commissioner’s
decision regarding Ashley Madison. Whereas email addresses and names can
in some cases be found to be unimportant personal information, they become
highly sensitive if associated with an online dating platform such as Ashley
Sensitivity may also decrease depending on the context; while financial
information is usually quite sensitive, it may, depending on the context, be
regarded as less sensitive.[14]
For instance, financial information, such as a balance of an outstanding
mortgage, which has related information already available in the public domain
for a legitimate purpose, may be considered less sensitive depending on the
circumstances and other factors.[15]

In terms of distinguishing between express and
implied consent, the Federal Privacy Commissioner has suggested that an opt-in
system can represent express consent, whereas an opt-out system can represent
implied consent.[16] A
similar framework could be integrated into the interpretation of Bill 64.

In addition to the new requirements for more
explicit consent, the bill would institute special rules for using and
collecting data from individuals under the age of 14.[17]
Parental consent would generally, barring some exceptions, become necessary for
collecting this data.[18]
Furthermore, consent is only valid for the time necessary to achieve the
purposes for which it was requested.[19]

Holding Data:

The bill as it is currently written includes a
new conditional right for individuals to demand that a person carrying on an
enterprise cease disseminating information or de-index any hyperlink attached
to the individual.[20]
This order can be compelled in circumstances where dissemination of the
information is in violation of the bill or where the following three
requirements are met:

“(1) the dissemination of the information causes the person concerned
serious injury in relation to his right to the respect of his reputation or

(2) the injury is clearly greater than the interest of the public in
knowing the information or the interest of any person in expressing himself
freely; and

(3) the cessation of dissemination, re-indexation or de-indexation
requested does not exceed what is necessary for preventing the perpetuation of
the injury.” [21]

The bill also provides additional information
for assessing these criteria. It appears that this list is not exhaustive and
other factors may be considered.[22]
It may be relevant to see whether these criteria undergo any modifications
before the bill gains force of law.

Organizations should either destroy or
anonymize information that they no longer have a reason to maintain.[23]
To anonymize data means to go through a procedure whereby the information can
continue to exist, but can no longer be associated with a specific individual.[24]
Specifically, the bill states that “information [..] is anonymized if it
irreversibly no longer allows the person to be identified directly or
indirectly”.[25] For
information to be “irreversibly” anonymized, the process cannot be reverse
engineered.[26] The
process should be based on “generally accepted best practices.” [27]
Undoubtedly, the courts will be involved in defining this standard of “generally
accepted best practices” if further information is not provided by the

Furthermore, individuals can request that a
business share the information they are holding on them.[28]
The businesses receiving such requests must confirm if they hold any
Organizations must be prepared, where applicable, to provide a copy of the data
they hold on an individual in a technological format.[30]
Moreover, it specifies that at the request of the individual, the technological
format of the information should be one that is commonly used. [31]

Transferring Data

Another major component of the bill is the
inclusion of enhanced protection for data that is
transferred outside of Quebec
. According to the proposed piece of
legislation, when seeking to transfer data outside of the province, a privacy
assessment must be done to determine whether the data exported from the
province will receive a similar level of protection outside of Quebec as it
does within Quebec.[32]
Should the potential transfer be found not to provide an equivalent level of
protection, the data would be barred from transfer.[33]
Where transfers are permitted following the assessment, they must be
accompanied by a written agreement between the parties.[34]
This requirement is far more stringent than the federal legislation, which has
a general requirement to use agreements or other methods to provide comparable
levels of protection to data transferred to third parties, without necessarily conducting
a preliminary assessment.[35]

Administrative Requirements

The bill proposes several changes to the
culture of data collection, utilization and dissemination. One way it seeks to
do this is to compel organizations to complete a privacy assessment on
information systems and delivery systems, projects that utilize, disseminate,
hold or destroy personal information.[36]
Furthermore, absent delegation, there is a presumption that those exercising
the highest authority within an organization are responsible for protecting the
data held by the organization and ensuring their organization’s compliance with
the law.[37]  Transferring such obligations to another
person can be done in writing.[38]
The requirement of identifying an individual to ensure adherence to the law is
also found in PIPEDA; however, there is no assumption that the individual with
the highest level of authority is responsible for implementing PIPEDA.[39]
If this section is enacted, it will be necessary for businesses dealing with
personal information to ensure they delegate this responsibility to the
appropriate individual within their organization. At present, this task can
only be delegated to a “personnel member”.[40]
Our interpretation of this provision would indicate that an organization cannot
outsource this responsibility of protecting personal information to any third

Penalties for Non-Compliance

Businesses that do not follow certain requirements
set forth in the bill could be forced to pay large sums. For example,
administrative penalties created by the proposed law can be as high as 10
million dollars or 2% of the company’s global turnover, whichever is the highest.[42]
Penal penalties are even higher with a maximum fine of 25 million dollars or 4%
of the company’s global turnover, whichever is the highest.[43]

In addition to these legislative penalties, there
is also an avenue for individuals whose rights have been violated and who have
suffered as a result of that violation, to sue the business responsible for
In circumstances where the violation can be proven to be the result of
deliberate or gross fault, punitive damages can be awarded, starting at a minimum
of $1,000.[45]

The monetary penalty structure proposed is far
harsher than PIPEDA, which has a maximum of only $100,000.[46]


The bill also imposes legal requirements on
organizations that are the victims of security incidents relating to personal
information.[47] An
incident, is defined as the access, use, release or loss of personal
information that is not permitted under law or any other violation to the
security of the data.[48]
In these circumstances, the organization must:

a.      Take steps to reduce the harm caused
by the incident

b.      Inform the person, whose information
is involved in the incident if there is a chance of serious harm as a result of
the incident

c.      Notify the Commission d’accès à
if there is a chance of serious harm as a result of the

This section also provides that a government
regulation may determine the content and terms of the notice.[50]
These provisions resemble the regime in place under PIPEDA and the notion of
“serious harm”. One can imagine the regulations under the bill will mirror the
regulations enacted under PIPEDA, which set out the content, manner, and form
of the notices to be provided to individuals.[51]


Bill 64, in its current form will update
Quebec’s privacy regime in a dramatic and significant way. While the
legislation may still be heavily altered before it comes into force, the
overall trajectory of the legislation is clear: Quebec wants to provide
stronger protections for personal information.




Bill 64


Consent and Knowledge is needed to use, collect or disseminate

Free and informed and for specific reasons.[53]

Consent of Minors

No explicit
statement, but notes that seeking consent from someone may be impossible if
the individual is a minor.



A 2017 Privacy
Commissioner report states however that under the age of 13, barring
extraordinary circumstances, consent should be given by the one exercising parental
authority. Adolescents between the ages of 13 and 18 are able to give
meaningful consent if the organization has considered their level of maturity
when putting into place their consent procedures, and then making the
necessary modifications.[55]

Parental consent
required for all minors under 14 as general rule.[56]

Sensitive Information

The form of consent sought may be different based on
the sensitivity of the information. [57]


Sensitivity can be established intrinsically or

Consent needs to be explicit when the information is


Information becomes sensitive if there is a
reasonable belief that the information would be generally expected to be very
private. This can be assessed by the nature of   the
situation or the information itself. [59]


Right to be De-indexed

A right to be de-indexed by search engines has not been
explicitly recognized by the courts[60],
but the issue may be sufficiently addressed by a case currently  being litigated  in the federal courts.[61]

Depending  on
the circumstances, an individual does have the right to be de-indexed.[62]

Appointing an officer

Someone is designated, but no presumption of those
who are exercising at the highest authority as being responsible.[63]

Designation  of someone responsible for protecting
personal information  is required, but
if no personnel is expressly delegated the role, the person exercising the
highest amount of authority is presumed to be responsible. [64]

Transfer of data

Exporting of data for processing outside of Canada
to 3rd parties is permitted, where there is the utilisation of
contracts or other tools to give the data in question a comparable level
of protection. The organization remains responsible for the information that
is transferred.[65]

Data can only be transferred outside of Quebec,
where an assessment attests to the fact that the information will be given an
equivalent level of protection to that of the Act..[66]


[1] Bill 64, An Act to modernize legislative
provisions as regards the protection of personal information
, 1st Sess, 42nd Leg, Quebec, 2020,
cls 9, 102 (first reading 12 June 2020) [Bill 64].

[2] Ibid.

[3] Ibid.

[4] Ibid.

[5] Ibid at cls 19, 102.

[6] Ibid at cls 12, 102.

[7] Personal Information
Protection and Electronic Documents Act
, SC 2000, c
5, Schedule 1 at 4.3.4 [PIPEDA].

[8] Royal Bank of Canada v
, 2016
SCC 50
at para 36 [RBC].

[9] Canada, Joint
Investigation of Ashley Madison by the Privacy Commissioner of Canada and the
Australian Privacy Commissioner/Acting Australian Information Commissioner
PIPEDA Report of Findings #2016-005, (Ottawa: Office of the Privacy
Commissioner of Canada, 2016), at para 47 [Ashley Madison Investigation].

[10] Bill 64, supra note 1
at cls 12, 102.

[11] PIPEDA, supra note 7.

[12] Ibid.

[13] Ashley Madison
, supra note 9.

[14] RBC, supra note 8 at paras 36-42.

[15] Ibid.

[16] Canada, Facebook did not
get non-member’s consent to use email addresses to suggest friends, investigation
, PIPEDA Report of Findings #2012-002, (Ottawa: Office of the Privacy
Commissioner of Canada, 2012), at para 37.

[17] Bill 64 supra note 1 at
cls 9, 16, 96, 102.

[18] Ibid.

[19] Bill 64 supra note 1 at
cl 9, 102.

[20] Ibid at cl 113.

[21] Ibid.

[22] Ibid.

[23] Ibid at cls 28, 111.

[24] Ibid.

[25] Ibid.

[26] Ibid.

[27] Ibid.

[28] Ibid at cls 112.

[29] Ibid.

[30] Ibid at cls 14 , 30, 95, 112.

[31] Ibid at cls 30, 112

[32] Ibid at cls 27, 103.

[33] Ibid.

[34] Ibid.

[35] PIPEDA, supra note 7 at Schedule 1, 4.1.3; see also: Canada,
Investigation into Equifax Inc. and Equifax Canada Co.’s compliance with
PIPEDA in light of the 2017 breach of personal information
, PIPEDA Report of Findings #2019-001, (Ottawa: Office of the Privacy
Commissioner of Canada, 2019), at para 74 (though the Privacy Commissioner does
state that there should be a structured program for monitoring).

[36] Bill 64, supra note 1
at cls 14, 95.

[37] Ibid at cls 1, 95.

[38] Ibid.

[39] PIPEDA, supra note 7 at Schedule 1, 4.1.

[40] Bill 64, supra note 1
at cls 1, 95

[41] Ibid.

[42] Ibid at cl 150.

[43] Ibid at cl 151.

[44] Ibid at cl 152.

[45] Ibid.

[46] PIPEDA, supra note 7 at s28.

[47] Bill 64, supra note
1 at cls 14, 95.

[48] Ibid.

[49] Ibid.

[50] Ibid.

[51] Breach of Security Safeguards
SOR/2018-64, ss 2-5.

[52] PIPEDA, supra note 7 Schedule 1 at 4.3.

[53] Bill 64, supra note
cls 9, 102.

[54] PIPEDA, supra note 7 Schedule 1 at 4.3.

[55] Canada,
Real fears,
real solutions: A plan for restoring confidence in Canada’s privacy regime
, (Ottawa: Office of
the Privacy Commissioner of Canada, 2017) at 21.

[56] Bill 64, supra note 9, cls 9,
16, 96, 102.

[57] PIPEDA, supra note 7 Schedule 1 at 4.3.4.

[58] Ibid.

[59] Bill 64, supra note 9, cls 12, 19, 102.

[60] Andrea Slane, “Search Engines and the Right to
be Forgotten: Squaring the Remedy with Canadian Values on Personal Information
Flow” (2018) 55 Osgoode Hall LJ 349 at 350-351. See also: Canada, Draft OPC Position on
Online Reputation
(Ottawa: Office of the Privacy Commissioner of Canada,
2018). The OPC argues that PIPEDA does apply to search engines and that
there are legal obligations to deal with de-indexing requests.

[61] Canada, A Pathway to Respecting
Rights and Restoring Trust in Government and the Digital Economy
, (Ottawa:
Office of the Privacy Commissioner of Canada, 2019) at 20, Reference re
Subsection 18.3(1) of the Federal Courts Act,
Ottawa T-1779-18 (FC).

[62] Bill 64, supra note 9,
cls 113.

[63]PIPEDA, supra note 7 schedule 1 at 4.1.

[64] Bill 64, supra note 9,
cls 1 and 95.

[65] PIPEDA, supra note 7 Schedule 1 at 4.1.3, Canada, Office
of the Privacy Commissioner of Canada, Processing Personal Data Across
Borders Guidelines
, (Ottawa: OPC).

[66] Bill 64, supra note 9,
cls 27 and 103.

Commentaires (0)

L’équipe du Blogue vous encourage à partager avec nous et nos lecteurs vos commentaires et impressions afin d’alimenter les discussions sur le Blogue. Par ailleurs, prenez note du fait qu’aucun commentaire ne sera publié avant d’avoir été approuvé par un modérateur et que l’équipe du Blogue se réserve l’entière discrétion de ne pas publier tout commentaire jugé inapproprié.

Laisser un commentaire