In response to our numerous publications, our podcast, and the training we provided via the Fasken Institute on December 8 of last year, "Changements à la Loi sur la protection des renseignements personnels : Comment se préparer à 2022, 2023 et 2024?", many of you have had questions for us. We have assembled the questions and prepared our answers in the form of three weekly bulletins:

  1. The first bulletin covered questions related to the definition and retention of personal information and the penalties imposed by Act 25 for breach of the obligations.
  2. The second bulletin covers the more specific obligations governing transparency, consent and communication.
  3. The third and last bulletin will relate to governance within organizations in relation to personal information protection.

Our Resource Centre is still active and contains a series of bulletins and documents devoted to Act 25. So that you don't miss our upcoming bulletins or any other information on this subject, add your name to our distribution list to receive all communications in connection with the new law.

BULLETIN 2 (Transparency, Consent, Communication)

1. Transparency and Consent

Does the consent of minors 14 years of age or over have to be verified with the parent or legal tutor?

For minors 14 years of age or over, the consent of the parents or legal tutor is not required (Private Sector Act, s. 14; Act respecting documents held by public bodies and the Protection of personal information ("Access Act"), s. 53.1).

To learn more:

Bill 64 – C as in Consent - An oversimplification?

May consent be obtained orally or must it be collected in writing?

Consent may be obtained orally or in writing (Private Sector Act, s. 14). The advantage of written consent is that proof of consent may be kept.

Is it possible to obtain implicit consent for personal information that is not sensitive information?

Implicit consent will be expressly recognized under sections 12 and 13 of the Private Sector Act starting on September 22, 2023.

To learn more:

Bill 64 – C as in Consent - An oversimplification?

The transparency that Act 25 aims for is meant to give the persons concerned better control over their personal information. Is that purpose not defeated by the large volume of information provided to the persons concerned, which could result in their not reading the terms governing the collection of their information?

Act 25 provides that consent must be requested in clear and simple language (new s. 14). It will now be necessary to summarize the information to be given, to allow for better understanding.

To learn more:

The Beginning of a New Era for the Private Sector: Bill 64 on the Protection of Personal Information Has Been Adopted

 

2. Online Publication

What information must be published on the website of an enterprise or public body?

Contrary to what the initial version of the bill provided, enterprises are no longer required to publish their governance policies regarding personal information in their entirety. They may simply publish detailed information about their policies in clear and simple language.

To learn more:

The Beginning of a New Era for the Private Sector: Bill 64 on the Protection of Personal Information Has Been Adopted

Are these obligations more onerous than the obligations imposed by the General Data Protection Regulation ("GDPR")?

These obligations seem to go further than the obligations imposed by the GDPR, which includes an obligation for individuals to be informed at the time personal information is collected. The GDPR does not expressly provide a list of policies to be implemented.

To learn more:

Bill 64: Mirroring the GDPR?

The Beginning of a New Era for the Private Sector: Bill 64 on the Protection of Personal Information Has Been Adopted

 

3. Release of Personal Information Outside Quebec

Does hosting personal information on servers located outside Quebec, for example by using cloud services, constitute release outside Quebec and require an assessment of privacy-related factors ("PIA")?

Yes, it does; a PIA is required by new section 17 of the Act respecting the protection of personal information in the private sector ("Private Sector Act") when personal information is hosted outside Quebec. The PIA must take into account the sensitivity of the information, the purposes for which it is to be used, the protection measures that would apply to it, and the legal framework applicable in the destination country.

A majority of large data hosting enterprises must also apply the GDPR, which also provides for an impact assessment to be conducted before any transfer of personal information to non-adequate countries.

To learn more:

Bill 64 and The Exportation of Personal Data From Quebec: Complications In Sight

The Beginning of a New Era for the Private Sector: Bill 64 on the Protection of Personal Information Has Been Adopted

For the purposes of releasing personal information outside Quebec, how is it determined, in practice, whether the legal framework applicable in a State to which the information will be released offers adequate protection? Can the adequacy decisions of the European Union be relied on?

The PIA takes into account the sensitivity of the information, the purposes for which it is to be used, the protection measures that would apply to it, and the legal framework applicable in the destination State. Yes, if the European Union has made an adequacy decision regarding the destination country, that will be relevant information regarding the legal framework of the destination country.

To learn more:

Bill 64 and The Exportation of Personal Data From Quebec: Complications In Sight

The Beginning of a New Era for the Private Sector: Bill 64 on the Protection of Personal Information Has Been Adopted

 

4. Release of Personal Information to a Third Party

When personal information is released to a third party, does Act 25 allow contractual measures, such as confidentiality or non-disclosure agreements, to be taken into account?

Yes, section 17 of the Private Sector Act refers to "the protection measures, including those that are contractual, that would apply to it." The same is true for release to a third party service provider, even where it is located in Quebec.

Confidentiality agreements are only one of several indicators, and should be supplemented by an agreement setting out the parties' obligations from the standpoint, in particular, of individuals' rights, the rules that apply in the event of security incidents, and so on (see the Private Sector Act, s. 18.3). Data processing agreements under the GDPR could provide a working base.

When personal information is released between two enterprises, is an undertaking by the enterprise that holds the personal information that it has obtained the requisite consents sufficient for the information to be released?

In the case of release between two enterprises, the enterprise that releases the information must satisfy itself that the personal information is adequately protected. A statement that the requisite consents have been obtained is necessary, where that is the case, but is not the only factor to be considered.

To learn more:

Bill 64 and The Exportation of Personal Data From Quebec: Complications In Sight

The Beginning of a New Era for the Private Sector: Bill 64 on the Protection of Personal Information Has Been Adopted

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.