On June 12, 2020, Quebec tabled its proposed update to its public and private sector privacy laws, and it lives up to the promise of the “GDPR-style legislation” first announced this spring. There are a number of elements that echo other federal and provincial privacy laws in Canada, but there is a very strong European flavor. (Please note that Quebec follows a civil code legal system as opposed to its common law counterparts in the rest of Canada, and forthcoming guidance from Quebec lawyers will certainly be more definitive than this analysis. I am not a Quebec lawyer; this is intended only to provide a comparative view.)
Quebec was one of the first jurisdictions in North America to introduce a private sector privacy law (1993), but it has grown long in the tooth, with periodic challenges from Europe as to its adequacy. This legislation represents a significant update and may initiate a national conversation on privacy, as the federal government has promised changes to the federal regime as well. Given the competitive federal-provincial relationship, this may be optimistic, but one hopes for collaboration to ensure that one of the principal purposes of the EU General Data Protection Regulation (the free flow of data within the EU) is mirrored within Canada's own common market.
The tabled legislation updates a number of provincial laws, including those affecting the public sector; however, the focus here will be on the update to the “Act Respecting the Protection of Personal Information in the Private Sector.” The sections referred to below are to the proposed amendments.
The following sections reflect the amendment’s GDPR-like components:
- Governance: There is a requirement to designate a person in charge of the protection of personal information (Section 3.1), equivalent to a data protection officer (referred to below as the PICOPI), and to adopt privacy policies and a framework for the protection of PI (Section 3.2). Section 81.2 provides for on-demand demonstration of compliance.
- Enforcement: Quebec's Commission may order an organization to “take any measure to protect the rights of the persons concerned,” including ordering the return or destruction of any PI. Sanctions can be levied for failing to provide notice, for collecting or using PI in contravention of the act, and for failing to report a confidentiality incident (Section 90.1). The Commission can issue notices of noncompliance (Section 90.3) or impose a monetary penalty not exceeding $50,000 for an individual; in all other cases, penalties may reach $25 million or, if greater, an amount corresponding to 4% of worldwide turnover for the previous year (Section 90.12), with administrative sanctions capped at $10 million and 2% respectively.
- Legal grounds for processing: Section 4 requires that the purposes for collecting PI be determined, and Section 5 permits collection of only the information necessary for those purposes. Processing of PI without consent is permissible for the purposes of carrying out a contract (Section 18.3). PI concerning a minor under 14 may not be collected without the consent of the person having parental authority, unless collection is clearly for the minor's benefit.
- Processors: An equivalent to Article 28 of the GDPR is found in Section 18.3(2), which provides for contractual requirements to ensure the confidentiality of PI, as well as limitations on use and retention.
- Privacy impact assessment: Numerous PIA requirements are contemplated within the amendments. For instance, a PIA is required for any project to acquire, develop or redesign an information system or electronic service delivery involving PI (Section 3.3). Privacy by default is mandated (Section 9.1), ensuring the highest level of confidentiality by default without any intervention by the person concerned, and the PICOPI must be consulted before a project commences and may suggest privacy-enhancing measures. For transborder flows and confidentiality incidents, formal risk assessments are also mandated (see below).
- Transborder data flows: A PIA is mandated before PI is communicated outside Quebec, or before its collection or use outside Quebec is entrusted to a party acting on the organization's behalf; it must address the sensitivity of the PI, the purposes for which it will be used, the protections that will apply and, quite importantly, the legal framework of the jurisdiction to which it is being communicated (Section 17). The assessment must establish that the PI will receive equivalent protection before the transfer is permitted, and the transfer may be made subject to a written agreement that addresses the results of the assessment. Interestingly, there will be a published list of jurisdictions deemed equivalent (Section 17.1).
- Individual rights: A number of rights are set out, including the right, upon collection or on request, to be told in clear and simple language the purposes and means of collection (Section 8) and of the rights of access, rectification and withdrawal of consent. Section 8 also provides for notice if the information could be communicated outside Quebec. Anyone collecting PI from another enterprise must, at the request of the person concerned, inform that person of the source of the information (Section 7). Other rights include data portability (Section 27) and, in the case of marketing (“prospection”), the obligation to tell the person the identity of the party using the PI and of the right to withdraw consent. Section 27 also obligates organizations to confirm the existence of PI, communicate it and provide a copy. Section 32 provides that a request by an individual must be addressed within 30 days.
- Right to be forgotten: Section 28.1 provides for a right to be forgotten through the deindexing of any hyperlink attached to an individual's name where dissemination causes serious injury to reputation or privacy, and that injury outweighs the public's interest in freedom of expression or public knowledge. Several detailed criteria are set out for this assessment.
- Profiling: This concept is introduced by the amendments and defined in Section 8.1 as the collection and use of PI to assess characteristics of a person, in particular work performance, economic situation, health, personal preferences, interests or behaviour. Organizations must give advance notice of the use of technology that creates a profile, together with the means to deactivate that function, if available.
- Automated processing: This is also addressed (Section 12.1). Individuals must be informed when a decision about them is based exclusively on automated processing and, on request, of the PI used to render the decision, the reasons and principal factors behind it, and their right to have the PI used to render it corrected.
The following elements of the amendments echo Canadian legal developments:
- Notable is the breach section, which uses “serious injury” as the threshold; looking at the factors identified to determine it, the test appears quite similar to the “real risk of significant harm” test in Canada's federal law (and Alberta's), as does the requirement to notify the Commission, the individual(s) and any third party that can reduce the risk. Section 3.6 defines a “confidentiality incident” as unauthorized access, use, loss or communication of PI. Section 3.7 sets out the factors for assessing serious injury, including the sensitivity of the PI, the anticipated consequences of its use and the likelihood that it will be used for injurious purposes; the PICOPI must be consulted in that assessment. Section 3.8 also requires a register of confidentiality incidents, which echoes the federal requirement for a record of breaches of security safeguards.
- Notice and consent provisions continue and amplify Quebec's existing requirements. Quebec notably did not join the federal and provincial commissioners' joint statement on informed and meaningful consent because those requirements already existed within Quebec's law. Consent requests must be made separately from any other information requested, consent “must be clear, free and informed,” and it must be express in the case of sensitive PI (Section 14).
- As with Alberta’s Personal Information Protection Act, there is an express obligation to destroy information no longer required for the purposes for which it was collected; this can be satisfied through anonymization (Section 23).
What I think is interesting or unique in Quebec’s law:
- A “lessons learned” or remediation exercise following a confidentiality incident (Section 3.5), with the PICOPI's input, is mandated to prevent new incidents of the same nature.
- There is an explicit law enforcement exemption from notification (Section 3.5), to avoid hampering investigations; this is found in some U.S. legislation but not in Canadian law. What is not addressed is how long the exemption should last or how it should be balanced against the need for notification.
- Section 12 requires, much as the GDPR does where legitimate interests are relied upon, an articulation of the benefit to the individual when PI is put to a secondary use.
- Quebec's law has always regulated a category of “personal information agents,” essentially data brokers. Going beyond the data broker laws in the U.S., the amendments extend the data subject access rights to this category and impose further obligations on such agents (Section 74 and following). There is a clear retention period of seven years for any data held by PI agents.
- As noted, transborder flows require a PIA under Section 17. What is interesting is that the “white list” of jurisdictions considered equivalent under Section 17.1 removes or reduces the work of establishing equivalence but leaves the PIA obligation in place.
- Express protection is set out in Section 81.1, which prohibits reprisals against anyone who brings a complaint or cooperates in an investigation. This echoes the California Consumer Privacy Act's prohibition on discrimination, and presumably also encompasses whistleblower protection for employees.
The legislation is of course not final, and timing is not certain given the ongoing pandemic, but given the great attention on the use of PI at this time, it seems that privacy reform is top-of-mind for the public, and therefore for legislators.