In our blog published October 12, 2021, we reported that Québec's Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, had received assent. As we wrote at the time, a majority of the changes made by Bill 64 will come into force on September 22, 2023. However, certain provisions will come into effect on September 22, 2022.
Some of these changes are less critical, including adjustments to the operations and powers of the Commission d'accès à l'information (the "Commission"), which is the regulatory body responsible for enforcing the various provisions of Québec's privacy legislation.
This newsletter outlines four important changes taking effect September 22, 2022 that will have an impact on businesses operating in Québec (also referred to as "persons carrying on an enterprise").
1. Privacy officer
The person exercising the highest authority in the organization is now responsible for ensuring implementation of and compliance with the Act respecting the protection of personal information in the private sector.
This individual will exercise the function of the person in charge of the protection of personal information (privacy officer) unless he or she delegates this function in writing, in whole or in part, to another person. The delegate need not be a member of the organization's personnel.
The privacy officer's title and contact information must be published on the organization's website, or made available by any other appropriate means if there is no website.
2. Privacy breaches
The new provisions regarding privacy breaches, called "confidentiality incidents" in the legislation, also take effect on September 22, 2022. Similar provisions are already contained in the federal privacy legislation (PIPEDA) and Alberta's Personal Information Protection Act. The new provisions in Québec are similar but not identical to the federal provisions (the federal privacy legislation uses the expression "breaches of security safeguards").
A confidentiality incident is a case of unauthorized access, use or communication of personal information. A confidentiality incident may also be the loss of personal information or any other breach of the protection of such information.
Any organization that has cause to believe that a confidentiality incident involving personal information the organization holds has occurred must take "reasonable" measures to reduce the risk of injury and to prevent new incidents of the same nature.
Further, if the incident presents a "risk of serious injury," the organization that sustained the breach:
- must "promptly" notify the Commission;
- must notify any person whose personal information is concerned by the incident, but no time limit is specified (and the person need not be notified if doing so could hamper an investigation); and
- may notify any other person or organization that could reduce the risk, but this is not an obligation, and any such communication must be kept in the organization's records.
Where the federal privacy legislation refers to a "real risk of significant harm," the new Québec provisions use the concept of a "risk of injury." In assessing the risk of injury, the organization must consider the sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that the information will be used for injurious purposes.
Even if a privacy breach does not present a risk of serious injury, the organization is still required to record it in a register of confidentiality incidents, which the Commission may consult.
On June 29, 2022, the Government of Québec released a draft Regulation respecting confidentiality incidents. As of the date of this newsletter, the final version has yet to be published.
The draft Regulation sets out the content that must be included in the following documents in case of a confidentiality incident:
- notices to the Commission;
- notices to the persons concerned; and
- the organization's register of confidentiality incidents (this register must be retained for at least five (5) years after the organization becomes aware of the incident, compared to a minimum retention period of two (2) years in the federal privacy legislation).
The details of the draft regulation are quite similar to those of the federal privacy legislation, but there are certain differences. Consequently, if a privacy breach occurs, it will be necessary to distinguish the organization's obligations under Québec and federal law.
Also note that when the Commission is made aware of a privacy breach, it may – after giving the organization the opportunity to present its own observations – order the organization to take any measures the Commission deems necessary to protect the rights of those whose personal information may be compromised.
3. Sharing personal information in commercial transactions
The federal privacy legislation already allows the disclosure of personal information in connection with "business transactions," but there was previously no similar provision in Québec legislation. As part of the Bill 64 amendments, the communication of personal information necessary for concluding a "commercial transaction" is now permitted without the consent of the persons involved, effective September 22, 2022.
The rules are similar to those in the federal privacy legislation, with a few nuances. In both jurisdictions, the law requires a prior agreement between the parties, stipulating several obligations on the part of the organization receiving the information.
Under both the federal privacy legislation and the new Québec provisions, if the transaction is finalized, the people whose information is being shared must be notified, within a reasonable time, that the new party now holds their personal information.
A "commercial transaction" means the alienation or leasing of all or part of an enterprise or of its assets, a modification of its legal structure by merger or otherwise, the obtaining of a loan or any other form of financing by the enterprise or of a security taken to guarantee any of its obligations.
4. Biometric characteristics and measurements
Some provisions regarding biometric characteristics and measurements are already included in the existing Act to establish a legal framework for information technology.
Effective September 22, 2022, the creation of a database of biometric characteristics and measurements must be disclosed to the Commission promptly, and in all cases at least sixty (60) days before the database is brought into service.
In addition, it is now mandatory to notify the Commission before beginning to verify or confirm a person's identity by using a process that can record biometric characteristics and measurements.
According to the Commission, there are three (3) main categories of biometrics: (1) morphological biometrics (e.g. fingerprints, facial recognition or the shape of the hands, retina or iris); (2) behavioural biometrics (e.g. signature, voice print, gait and keyboard strokes); and (3) biological biometrics (e.g. DNA, blood, saliva, urine and odours).
As noted above, a much larger set of changes affecting businesses will come into force on September 22, 2023. Organizations that do business in Québec will need to make plans for meeting their new obligations between now and the implementation date. The Commission has begun to produce documents about the new legislation (mostly in French only). These have been somewhat limited so far, but we can expect more information to be published over the next few months to help businesses with their compliance processes.
It is also important to keep in mind that beginning on September 22, 2023, steep fines and administrative monetary penalties will be in place for failure to comply with the Québec law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.