On September 22, 2022, several provisions of the Act to Modernize Legislative Provisions as Regards the Protection of Personal Information (hereinafter "Bill 64" or "Law 25"), which amends the Act Respecting the Protection of Personal Information in the Private Sector ("Quebec Privacy Law") will come into force.
New obligations include the requirement to have a Privacy Officer and to establish an incident response plan.
1. THE PRIVACY OFFICER
Any person carrying on an enterprise must designate in writing a person in charge of the protection of personal information (the "Privacy Officer"). If not designated, the position defaults to the person with the highest authority in the organization.
The Privacy Officer will be responsible for ensuring compliance with and implementation of the Amended Quebec Privacy Law. The Privacy Officer will be responsible for, among other things: (1) managing personal information data; (2) establishing policies and practices governing the protection of personal information; (3) enforcing these policies and practices within the organization; (4) establishing the roles and responsibilities of his or her team members; (5) implementing a privacy complaint process; (6) assessing privacy factors and risks for any proposed transmission or mailing of information; and (7) participating in the development of a privacy incident response plan. In short, the Privacy Officer will coordinate the transition of the enterprise's internal practices to the new requirements of Bill 64.
The title and contact information of the Privacy Officer must be published on the enterprise's website or on any other publicly accessible platform it uses, so that users can easily contact the Privacy Officer with any questions regarding the protection of their personal information.
2. PRIVACY INCIDENT RESPONSE PLAN
As of September 22, 2022, enterprises will have to update their privacy incident response plan and have an obligation to keep a register of confidentiality incidents.
Henceforth, the response plan will have to be applied when a confidentiality incident occurs, which is defined as one of the following four (4) situations:
"1° access not authorized by law to personal information;
2° use not authorized by law of personal information;
3° communication not authorized by law of personal information; or
4° loss of personal information or any other breach of the protection of such information."[1]
All such confidentiality incidents must be recorded in the enterprise's register of confidentiality incidents. On July 29, 2022, the Government published a draft regulation entitled the Privacy Incident Regulation (the "Draft Regulation") to further clarify these requirements. It is not yet in force.
Under the Draft Regulation, following a privacy incident, the enterprise must record in its register of confidentiality incidents a description of the personal information involved in the incident, the circumstances surrounding it, the date of the incident and the date on which it was discovered, the number of persons involved, whether the incident poses a risk of serious injury, and the measures taken by the enterprise to reduce the risk of injury resulting from the incident.
When a privacy incident occurs, the enterprise must have in place a risk assessment process for determining whether the incident poses a risk of serious injury, in which case further steps must be taken. Although the Amended Quebec Privacy Law does not define the notion of "risk of serious injury", some guidelines have been provided to assist businesses. To evaluate the risk, businesses will need to consult their Privacy Officer, who will make an assessment based on: (1) the sensitivity of the information concerned, (2) the anticipated consequences of the use of the information concerned, and (3) the likelihood that such information will be used for injurious purposes.
If, following the risk assessment, the Privacy Officer establishes that the privacy incident poses a risk of serious injury, the enterprise must notify the Commission d'accès à l'information in writing, as well as the person concerned. Such notification must contain all relevant information specified in the regulation in force at the time.
The Draft Regulation specifies that the notice sent to the Commission d'accès à l'information will contain the same information as the enterprise's register of confidentiality incidents, together with other information such as the name and contact details of the person to be contacted in the event of a confidentiality incident. A notice must also be sent to the persons affected by the incident and must contain (1) suggestions for actions the person can take to reduce the risk of injury or to lessen its impact, and (2) contact information for the enterprise's Privacy Officer.
The information in the enterprise's register of confidentiality incidents should be kept for at least 5 years after the date of the incident, after which it may be destroyed.
3. DISCLOSURE OF PERSONAL INFORMATION IN THE CONTEXT OF COMMERCIAL TRANSACTIONS
Another important development is that the Amended Quebec Privacy Law will now allow personal information collected by one enterprise to be disclosed to another enterprise, without the consent of the person concerned, when necessary for concluding a commercial transaction between them. These rules on commercial transactions apply in the context of a merger or acquisition, the sale or lease of part or all of the enterprise or its assets, the obtaining of a loan or any other form of financing, and the taking of security to guarantee one's obligations.
However, it will be necessary to prepare an agreement between the enterprises involved in the business transaction to ensure that the other party receiving the information undertakes:
- To use personal information only for the purpose of concluding the transaction;
- To not disclose personal information without the consent of the person concerned if it is outside the scope of the transaction;
- To take the measures required to ensure the protection of the confidentiality of personal information;
- To destroy the personal information if the commercial transaction does not go ahead, or as soon as its use is no longer necessary for the purpose of concluding the commercial transaction;
- To notify the persons concerned that it holds their personal information once the business transaction is completed, if the enterprise decides not to destroy the personal information and to continue using it.
A similar agreement will also be required if the personal information is disclosed to an individual or organization for study, research or statistical purposes.
As of September 22, 2023, failure to comply with these obligations could result in penal fines ranging from $5,000 up to $25,000,000 (or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year), depending on whether they are imposed on an individual or on the enterprise. Monetary administrative penalties may also be imposed, the maximum penalty being $5,000 for an individual and $10,000,000 (or, if greater, the amount corresponding to 2% of worldwide turnover for the preceding fiscal year) for organizations. Courts may also award punitive damages of not less than $1,000 where an infringement causes an injury and is intentional or results from a gross fault. Failure to comply with these obligations can also damage an enterprise's reputation with its customers and with consumers. Enterprises should therefore not delay in updating their internal privacy policies to comply with these new provisions.
The following amendments to the Quebec Privacy Law come into force on 22 September 2022:
3.1, 3.5 to 3.8, 18, 18.4, 21 to 21.02, 46, 52, 56, 58, 61, 63, 64, 65, 67, 80, 80.1, 81.1 to 81.4, 83, 83.1, 86, 87, 90.
[1] Section 3.6 of the Amended Quebec Privacy Law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.