This article is part of our Bill 64 Blog Series, which will provide readers with a 360° view on Bill 64 and its sweeping amendments to Quebec's Act Respecting the Protection of Personal Information in the Private Sector (the "Private Sector Act"). To view other blog posts in the series, please visit this page.
In the context of the adoption of the Act to Modernize Legislative Provisions respecting the Protection of Personal Information ("Bill 64") on September 22, 2021, the Commission d'accès à l'information du Québec ("CAI") has announced the creation of a workspace dedicated to Bill 64 compliance, in which it will publish various support and awareness tools. Presently, the two tools offered on the workspace are (i) an entry into force guide and (ii) a thematic overview of Bill 64's amendments to the Private Sector Act and other statutes.
As this workspace is only available in French, this blog offers a summary in English of the key information contained in the workspace.1 The themes below mirror those found on the workspace.
The Private Sector Act will require businesses to destroy personal information once the purpose for which it was collected or used has been achieved, subject to statutory retention periods. Alternatively, businesses will also be able to anonymize personal information for use, but only for serious and legitimate purposes.2
The Act to Establish a Legal Framework for Information Technology ("AELFIT") will provide a new 60-day deadline for disclosing to the CAI the creation of a biometric feature or measure bank before it is put into use. It will also be mandatory after that date to notify the CAI before using any biometric technique to verify or confirm a person's identity. Such technology may not be used without the express consent of the individual.3
Biometric information is considered to be sensitive personal information under the Private Sector Act, as amended.4
New rules will govern the consent of individuals to the collection, use and disclosure of their personal information. For example:
- it will now be formally stated in the Act respecting Access to documents held by public bodies and the Protection of personal information5 ("Public Sector Act") that public bodies must ensure the consent they obtain is manifest, free and informed and given for specific purposes.6 These criteria already apply to businesses;
- consent must be requested for each purpose in simple, clear language, and where consent is requested in writing, it must be presented separately from any other information provided to the individual;7 and
- subject to exceptions, personal information shall not be used by an organization for any other purpose without the consent of the individual. However, sensitive personal information always requires express consent.8
The CAI will have new powers and responsibilities, including the creation of guidelines, new enforcement mechanisms, and assessing confidentiality incidents reported to the CAI by law.9
New rules will allow businesses, under certain conditions, to disclose personal information without consent, including (i) when necessary to complete a commercial transaction10 and (ii) for study, research or statistical purposes.11
Privacy impact assessments ("PIA") are required before disclosing personal information outside of Quebec. Such disclosures will be permitted if the assessment demonstrates that the information would be adequately protected and will be subject to a written agreement that meets certain terms and conditions.12
Public bodies will be required to establish a committee on access to information and the protection of personal information. The committee will be responsible for supporting the body in the exercise of its responsibilities and the performance of its obligations under the Public Sector Act.13
An organization will be entitled to disclose personal information about a deceased individual to a spouse or close relative of the deceased if the information would assist the spouse or close relative in the grieving process, unless the deceased has recorded in writing their refusal to grant access.14
Individuals will be able to ask companies to stop disclosing their personal information or to de-index any hyperlink to their name that provides access to information if the disclosure is harmful to them or contravenes the law or a court order.15
If requested by the individual, organizations will be required to disclose computerized personal information collected from the individual in a structured, commonly used technological format. This disclosure may also be made to a person or body authorized to collect the information, at the request of the individual.16
Organizations will be required to conduct a PIA before disclosing personal information without consent for study, research or statistical purposes.17
Organizations will also be required to conduct a PIA for any project to acquire, develop, or overhaul an information system or electronic service delivery system involving the handling of personal information.18 and before disclosing personal information outside Quebec.19
In all cases, the PIA must be proportionate to the sensitivity of the information concerned, the purpose for which it is to be used, its quantity, its distribution and its medium.20
Organizations will be required to notify the CAI and affected individuals of any confidentiality incident involving personal information in their possession that poses a risk of serious harm. Organizations will also be required to maintain a register of confidentiality incidents that must be made available to the CAI upon request.21
The Commission will have the authority to develop certain guidelines to assist in the administration of the Private Sector Act.22
Organizations will be required to ensure that, by default, the privacy settings of any publicly available technology product or service provide the highest level of privacy without any user intervention. This provision will not apply to the privacy settings of a cookie.25
The Private Sector Act will also apply in part to personal information held by a political party, independent member or independent candidate to the extent provided by the Election Act.26
This section does not address the exceptions to the Private Sector Act set out in the Election Act. The CAI will produce a specific tool for this clientele in the coming months.
Businesses will be required to:27
- Establish and implement policies and practices to guide their governance of personal information. These policies and practices must include:
- rules for the retention and destruction of personal information;
- roles and responsibilities of staff members throughout the life cycle of personal information; and
- a process for handling privacy complaints.
- Publish detailed information about their policies and practices on their website. If they do not have a website, they shall make this information available through other appropriate means.
While the obligations described above apply exclusively to businesses, similar obligations will apply to public bodies.28
The Private Sector Act will define profiling as the collection and use of personal information to assess certain characteristics of an individual, including for the purpose of analyzing the individual's job performance, economic status, health, personal preferences, interests or behaviour.30
See "Identification, tracking or profiling technology" below.
The Private Sector Act will specify that personal information is considered sensitive when, due to its intimate nature (i.e. medical or biometric) or the context of its use or disclosure, the personal information gives rise to a high reasonable expectation of privacy.31
See "Biometrics" and "Consent" above.
Every person carrying on a business will be responsible for the protection of personal information held by that person. This will be done via the PCPI, who will be accountable for compliance and implementation of the Private Sector Act.
The Private Sector Act provides that the PCPI will be the person with the highest authority by default, but that the role may be delegated writing, in whole or in part, to any person. The title and contact information of the PCPI must be published on the company's website or, if the company does not have a website, made available by any other appropriate means.32
The CAI will have the power to impose administrative monetary penalties. For example, administrative penalties could be as high as 2% of annual worldwide turnover or $10 million, whichever is greater.
Following a violation of the Private Sector Act that is subject to such a penalty, a person will be able to give an undertaking to the CAI to take the necessary steps to remedy or mitigate the consequences of the violation. The CAI may impose conditions or require the payment of a sum of money. If the CAI approves the undertaking and it is complied with, the person will not be subject to an administrative monetary penalty for the acts or omissions set out in the undertaking.
The CAI will develop and make public a general framework for the application of administrative monetary penalties.33
Note that although not discussed on the workspace, there are penal provisions that introduce fines, of up to 8% of annual worldwide turnover or $50 million (whichever is greater) for a repeat offender.
Organizations collecting personal information from the individual using technology that includes features that identify, locate, or profile the individual must first inform the individual (i) of the use of such technology and (ii) the means available to activate the identification, location or profiling functions. In other words, these technologies cannot be activated by default; it will be up to the person concerned to activate them if they so wish.34
Organizations will be required to, among other things, inform the individual when a decision is made based solely on automated processing of their personal information, no later than the time the organization informs the individual of that decision.
Organizations shall also give the individual the opportunity to make representations to a member of their staff who is in a position to review the decision.35
The Private Sector Act will set out new transparency obligations for organizations. When collecting personal information, they will have to provide individuals with information such as:
- the purpose of the collection;
- the means of collection;
- rights of access and rectification; and
- the right of individuals to withdraw their consent.
As applicable, they will also be required to inform the person of:
- the name of the third party for whom the collection is made;
- the names or categories of the third parties to whom the information is to be disclosed;36
- the possibility that the information may be communicated outside Quebec.
Upon request, organizations will also have to inform the individual of:
- the personal information collected from the individual;
- the categories of persons who have access to this information within the organization;
- how long the information will be retained; and
- the contact information for the Privacy Officer.
Finally, organizations shall convey this information to the individual in plain language, regardless of the means by which the information is collected.37
26. Web (Internet)
Companies will be required to post the title and contact information of the PCPI on their website. If they do not have a website, they will have to make this information available by any other appropriate means.38
Bill 64 imposes new obligations on businesses regarding the protection of personal information. Private sector businesses should anticipate the entry into force of these obligations over the next three years by taking concrete steps to ensure that processes are compliant, and seek expert advice when necessary.
To learn more about how the Cyber/Data Group can assist you in navigating Bill 64's requirements and effectively prepare you for compliance with new cross-border data transfer obligations, please contact national co-leaders Charles Morgan and Daniel Glover for more information.
1 Please note that the CAI workspace does not contain legislative references. We have added these to provide further background.
2Act respecting the protection of personal information in the private sector, CQLR c P-39.1, as amended by Bill 64, section 23 [the "Amended Private Sector Act"] (September 22, 2023).
3Act to establish a legal framework for information technology, CQLR, c C-1.1, as amended by Bill 64, section 45 [the "Amended AELFIT"] (September 22, 2022).
4 Amended Private Sector Act, section 12 (September 22, 2022).
5Act respecting access to documents held by public bodies and the protection of personal information, CQLR c A-2.1 [the "Amended Public Sector Act"].
6 Amended Public Sector Act , section 65.1 (September 22, 2023).
7 Amended Private Sector Act, section 14 (September 22, 2023) ; Amended Public Sector Act, section 53.1 (September 22, 2023).
8 Amended Private Sector Act, section 12 (September 22, 2023).
9 Amended Private Sector Act, section 90.1 and seq. (September 22, 2023) ; Amended Public Sector Act, section 123 (September 22, 2022).
10 Amended Private Sector Act, section 18.4 (September 22, 2022).
11 Amended Private Sector Act, section 21, 21.0.1 et 21.0.2 (September 22, 2022).
12 Amended Private Sector Act, section 17 (September 22, 2023).
13 Amended Public Sector Act, section 8.1 (September 22, 2023).
14 Amended Private Sector Act, section 40.1 (September 22, 2023).
15 Amended Private Sector Act, section 28.1 (September 22, 2023).
16 Amended Private Sector Act, section 27 (September 22, 2024).
17 Amended Private Sector Act, section 21 (September 22, 2022).
18 Amended Private Sector Act, section 3.3 (September 22, 2023).
19 Amended Private Sector Act, section 17 (September 22, 2023).
20 Amended Private Sector Act, section 3.3 (September 22, 2023).
21 Amended Private Sector Act, section 3.5 to 3.8 (September 22, 2022).
22 Amended AELFIT, section 123 (September 22, 2022).
23 A "tutor" is a person responsible for the care of a minor, as described in the Civil Code of Quebec, sections 177 et seq.
24 Amended Private Sector Act, section 4.1 (September 22, 2023).
25 Amended Private Sector Act, section 9.1 (September 22, 2023).
26 Amended Private Sector Act, section 1 (September 22, 2023).
27 Amended Private Sector Act, section 3.2 (September 22, 2023).
28 Amended Public Sector Act, section 63.3 (September 22, 2023).
29 Amended Private Sector Act, section 8.2 (September 22, 2023).
30 Amended Private Sector Act, section 8 (September 22, 2023).
31 Amended Private Sector Act, section 12 (September 22, 2023).
32 Amended Private Sector Act, section 3.1 (September 22, 2022).
33 Amended Private Sector Act, section 90.1 et seq.(September 22, 2023)
34 Amended Private Sector Act, section 8.1 (September 22, 2023).
35 Amended Private Sector Act, section 12.1 (September 22, 2023).
36 Note that the CAI made an error in the workspace by adding "categories" to the disclosure of in whose name the organization is collecting personal information (as applicable) rather than to the names of third parties who will necessarily be communicated the information.
37 Amended Private Sector Act, section 8 (September 22, 2023).
38 Amended Private Sector Act, section 3.1 (September 22, 2022).
To view the original article click here
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.