Quebec’s new privacy legislation, which amends the Act respecting the protection of personal information in the private sector (AKA Bill 64), passed into law in September 2021. It updates and modernizes the province’s privacy law and brings in new requirements for the protection of personal information (“PI”). The previous legislation had not kept up with technology; the new law is intended to ensure that all entities collecting PI have safeguards to protect it. The Covid-19 pandemic accelerated the move of businesses online, and with it came increased obligations on the organizations that collect, use, disclose, and store PI.
Bill 64 applies to all private-sector entities based in Quebec, as well as to any out-of-province companies that do business involving the PI of Quebec residents (AKA “data subjects”). Its reach therefore includes not only entities elsewhere in Canada, but also foreign entities that do business in the province.
The passage of this law did not occur in a sociopolitical vacuum: cross-border data flows mean that laws must modernize to protect the PI of foreign nationals as well. The EU’s General Data Protection Regulation (GDPR), adopted in 2016 and in force since May 2018, is considered the de facto global standard in data privacy regulation. GDPR sets out strict parameters on how entities process PI, singles out special categories of PI by sensitivity (the processing of which requires explicit consent or another specific legal basis), and restricts or even outright prohibits the transfer of PI across international borders.
However, a select number of countries have been recognized by the European Commission to have adequate legislative schemes to protect the PI within those borders, thereby allowing some cross-border transfer of PI. Canada has long been one of these countries with an adequacy decision, which is reviewed on a quadrennial basis by the European Commission. Part of the reason why Bill 64 was introduced was a desire to align provincial legislation with a recognized international standard like the GDPR. It is therefore unsurprising that a number of new requirements under Bill 64 mimic or closely resemble those in GDPR.
What remains the same under Bill 64?
Every entity, no matter what kind of business it runs, must collect a certain amount of PI to conduct normal operations. It must still provide notice of collection of PI, or obtain the consent of customers before it begins processing PI, and must state the purpose for which it collects PI in a written notice to data subjects. Where consent is relied on, it must be meaningful, freely given and unencumbered: consent that is coerced is not meaningful.
A robust notice of collection of PI under Bill 64 should include, at minimum, the following:
- Plain, easy-to-read language that explains the PI being collected (this should not be overly complicated legalese);
- A list of the PI that is being collected, and the purpose (i.e., why) for collection;
- Brief description of how the entity processes PI, and any disclosure of PI to other service providers or partner organizations;
- The law(s) that permit the collection of the PI;
- The contact information of the privacy officer, in case the consumer has questions.
The above is not intended to be an exhaustive list of requirements for a privacy policy or notice.
Bill 64 does not divide PI by sensitivity in the same way GDPR does, and an organization must therefore evaluate the proportionality and necessity of the PI being collected: in other words, the business must determine how much PI they require to conduct operations, and be able to justify the reasons why. There is no “one-size-fits-all” test to determine the necessity of collection. The only way to determine if collecting and processing PI is compliant is to evaluate a business’s practices against Bill 64.
As it was before, there must be no “secondary use” of the PI being processed. This means an entity cannot use the PI for purposes other than the stated reason(s) given to data subjects when their PI was first collected. For example, it is reasonable and necessary for an online retailer to collect a customer’s credit card details, home address, email address, and phone number, as these are required for payment and delivery. However, additional notice or consent is required if the retailer intends to use that PI for marketing, as that is beyond the initial purpose of collection.
No matter how an entity processes PI, they must always ensure that the following are in place:
- Have an up-to-date privacy policy
- Ensure that the notice of collection of PI complies with the applicable laws
- Ensure that consent is obtained if they intend to collect, process, or use PI in a way that differs from the original purpose of its collection or if the law requires it
- Establish clear internal parameters about the use of PI and educate all departments on the access to and use of that PI
- If required, contact a privacy consultant to assist with the creation of solid external and internal facing policies, notices, and consents to achieve compliance. A road map to compliance, in accordance with guidance and recommendations from the privacy regulator, should be in place.
Additionally, while not enshrined in Bill 64, Quebec’s Charter of the French Language requires legal notices and contracts presented to the public to be available in French.
What are the new requirements under Bill 64?
The requirements of Bill 64 come into force in stages over three years beginning in September 2022, with some provisions (such as the privacy officer and breach reporting duties) applying earlier in the transition than others. They include the following new requirements for all entities doing business in the province of Quebec:
Appointing a privacy officer
This is a simple requirement for most organizations. By default the law assigns the role to the person exercising the highest authority in the enterprise, who may delegate it in writing. Often the role can be combined with another position if it is not yet a full-time endeavour; it is usually given to someone in IT security (such as a CIO or CISO), at the executive level (e.g., the CEO in a small business), within finance (e.g., the CFO), or to in-house legal counsel. If an entity processes considerable amounts of customer PI and frequently has to deal with privacy-related issues, it may make sense to hire a privacy officer on a full-time basis. Alternatively, retaining a privacy professional on a consultancy basis to provide ongoing advice would help fulfil this requirement, as long as the entity also designates internal personnel as privacy officer to respond to inquiries from the public or from the regulator.
Mandatory Breach Response
Bill 64 makes breach reporting mandatory: a confidentiality incident involving PI that presents a risk of serious injury to the individuals concerned must be reported to the regulator and notified to the affected persons, and every confidentiality incident must be recorded in a register. The breach protocol should include the following:
- Identifiable triggers to invoke the protocol;
- Methodology (including technology) to track the life of the breach, from the initial incident to resolution;
- Stakeholders, and their roles and responsibilities in handling the breach;
- Internal record-keeping (the incident register), for auditing and investigation purposes;
- Risk matrix or similar methodology to evaluate the real risk of serious harm to individuals affected by the breach;
- Chain of communication to determine if the privacy regulator and / or law enforcement should be involved in handling the breach;
- Template documentation to notify the affected person(s) and to report the breach to the regulator.
While an incident response protocol (IRP) may already cover some of the above-noted requirements, a dedicated privacy breach handling protocol should be created. Ideally, such a process would run concurrently with the IRP. It is critical to assign roles and responsibilities so that both the IT security and compliance / legal teams are fully apprised of the life cycle of the breach and of the risks involved. This also fosters cooperation, ensuring that all required teams participate in risk mitigation. Notification may include reporting the breach to Quebec’s privacy regulator, the Commission d’accès à l’information du Québec (CAI), and seeking guidance from it.
Privacy Impact Assessments / Privacy by Design
Most organizations purchase or consume SaaS solutions intended to automate their business activities, such as HR software, project management trackers, payroll and invoicing processors, video conferencing solutions, and direct messaging apps. While most vendors have privacy controls in place, the vendor or the solution is not always compliant with the local jurisdiction of the end user or customer. In particular, vendors whose solutions are compliant with US state privacy laws may not have accounted for the privacy concerns or requirements of the province of Quebec.
Therefore, Bill 64 requires a privacy impact assessment (“PIA”) for any project to acquire, develop or overhaul an information system or electronic service delivery system that involves PI, whether the software is purchased from an external source or built internally (and before PI is communicated outside Quebec). The requirement exists so that when a system involving PI is being developed, the entity understands the impact on the individuals whose PI will power the solution. A PIA helps ensure that organizations remain compliant with Bill 64 in processing PI. This is critical because an entity is permitted to collect PI for the stated purpose, and may use it beyond that initial purpose only with proper consent from customers. A PIA has the added benefit of making a business understand the risk to itself as an organization if it creates solutions that use PI beyond the purpose for which it was initially collected.
Additionally, Privacy by Design (or “PbD”) elements should be incorporated into the organization. This can be taken to mean that the following must be put into place:
- Workflow procedures or processes supporting any such system must follow pre-set PbD requirements;
- Access points into such systems need to be regulated, audited, and periodically reviewed;
- All permissions to access PI must, by default, be set at a level where the least amount of PI possible is visible, without the end user having to choose those settings;
- PI should be anonymized or pseudonymized (and aggregated, depending on the situation) wherever possible, if it is not necessary to process it in an identifiable form.
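As an added example (not part of the original article), the following Python illustrates the last two points on a constructed customer record: why an unkeyed hash of an e-mail address is not a pseudonym (anyone holding a list of plausible addresses can recover it), how a keyed HMAC whose secret is stored apart from the data set avoids that, and how quasi-identifiers can be generalized before a record is passed to a system that does not need it in identifiable form. The record contents, the candidate address list and all field names are invented for the example.

```python
"""Pseudonymization and data minimization of a PI record.

Added example with constructed data: shows why an unkeyed hash is not a
pseudonym (it is recoverable from a list of plausible identifiers), how a
keyed HMAC whose key is held apart from the data set avoids that, and how
quasi-identifiers can be generalized before a record leaves the system of
record.
"""
import hashlib
import hmac
from datetime import date
from typing import Callable, Iterable, Optional

# Constructed sample record; every value is invented for this example.
SAMPLE_RECORD = {
    "customer_id": 10482,
    "email": "marie.tremblay@example.com",
    "postal_code": "H2X 1Y4",
    "date_of_birth": "1986-04-12",
    "phone": "514-555-0199",
    "order_total": 129.95,
}

# Constructed list of identifiers an attacker might plausibly guess.
CANDIDATE_EMAILS = [
    "jean.roy@example.com",
    "marie.tremblay@example.com",
    "a.nguyen@example.com",
]


def naive_pseudonym(value: str) -> str:
    """Unkeyed SHA-256: deterministic, but anyone can recompute it for a guess."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key stored separately from the pseudonymized
    data set. Without the key, a holder of the data cannot test guesses."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """Recompute fn for each candidate and compare with the stored pseudonym.
    Returns the recovered identifier, or None if no candidate matches."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), target):
            return candidate
    return None


def age_band(dob_iso: str, as_of_iso: str) -> str:
    """Generalize a date of birth to a ten-year age band, e.g. '30-39'."""
    born = date.fromisoformat(dob_iso)
    today = date.fromisoformat(as_of_iso)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def minimize(record: dict, key: bytes, as_of_iso: str) -> dict:
    """Build the record an analytics pipeline should receive: the direct
    identifier replaced by a keyed pseudonym, quasi-identifiers generalized,
    and fields the pipeline does not need (phone, full postal code) dropped."""
    return {
        "subject_pseudonym": keyed_pseudonym(record["email"], key),
        # Forward sortation area: the first three characters of a Canadian postal code.
        "fsa": record["postal_code"].replace(" ", "")[:3].upper(),
        "age_band": age_band(record["date_of_birth"], as_of_iso),
        "order_total": record["order_total"],
    }


if __name__ == "__main__":
    import secrets
    # In practice the key lives in a key vault, never beside the pseudonymized data.
    key = secrets.token_bytes(32)
    email = SAMPLE_RECORD["email"]
    print("unkeyed hash recovered as:",
          dictionary_attack(naive_pseudonym(email), CANDIDATE_EMAILS, naive_pseudonym))
    print("keyed pseudonym recovered as:",
          dictionary_attack(keyed_pseudonym(email, key), CANDIDATE_EMAILS, naive_pseudonym))
    print("minimized record:", minimize(SAMPLE_RECORD, key, "2024-01-01"))
```

The design point is the key separation: a keyed pseudonym is only as good as the custody of the key, so it belongs with whoever is permitted to re-identify (for example the privacy officer’s team handling an access request), not with the analytics environment that receives the minimized records.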
In other words, even if an entity does not complete a PIA, there should be PbD elements in place to ensure a full privacy program is in place. Starting with an internal privacy policy governing the use and access to PI would provide overall direction applicable to the entire organization. Having the privacy officer review and respond to any privacy queries, and involving them in any initiative where PI is involved, will help to cultivate PbD throughout a company.
Data Portability
Under GDPR, a data subject has the right to request a copy of all of their PI in a common, machine-readable format. In Canada, the right to data portability currently exists only in Bill 64, with requirements almost identical to the GDPR.
As a practical solution, many businesses offer a self-serve option on their external-facing websites allowing customers to download a copy of all the PI they provided. Companies that process considerable amounts of PI (e.g., social media platforms) already do this, and it is an efficient way to meet much of the data portability requirement: the business tags the PI belonging to each customer and automates the request. As enacted, Quebec’s right covers computerized PI collected from the individual; PI that the entity itself created or inferred from that information (scores, segments, profiles) falls outside a portability request, although it remains subject to the ordinary right of access.
Practically speaking, an entity operating in Quebec should have a formal workflow to accept, track, and process requests for data portability. Ideally, PI should be tagged for ease of retrieval, and the privacy officer should review each export to ensure that only the PI pertaining to the requesting customer is captured within the scope of the request. Effectively, this means that any extraneous information (such as PI belonging to another individual that was not supplied by the customer about themselves) must be removed or redacted before the information is sent out. The Act requires a written response to access requests within 30 days of receipt, and portability requests should be handled within the same window.
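As an added example (not code from the original article), the following Python builds the kind of export described above from constructed records held by an online retailer: the customer’s profile and orders are returned as structured JSON, fields the business derived itself (a fraud score, a marketing segment) are left out, and an order shipped to a different individual keeps its commercial details while that person’s name and address are redacted. It also includes the review check a privacy officer would want: a scan of the finished export for any known third-party values. All names, addresses and field names are invented.

```python
"""Building a data-portability export for one customer.

Added example with constructed data: returns only the PI the requester
supplied, in a structured machine-readable form, with fields the business
derived itself left out and another individual's PI redacted.
"""
import json
from typing import Iterable

# Constructed records for the requesting customer; every value is invented.
CUSTOMER = {
    "customer_id": 10482,
    "name": "Marie Tremblay",
    "email": "marie.tremblay@example.com",
    "phone": "514-555-0199",
    "addresses": [
        {"label": "home", "line1": "123 Rue Imaginaire", "city": "Montréal", "postal_code": "H2X 1Y4"},
    ],
    # Produced internally from the customer's data, not collected from the customer.
    "fraud_score": 0.07,
    "marketing_segment": "high-value-urban",
}

ORDERS = [
    {"order_id": "A-1001", "total": 129.95,
     "recipient": {"name": "Marie Tremblay", "line1": "123 Rue Imaginaire",
                   "city": "Montréal", "postal_code": "H2X 1Y4"}},
    # A gift order: the recipient is a different person whose PI the requester
    # is not entitled to receive.
    {"order_id": "A-1002", "total": 45.00,
     "recipient": {"name": "Jean Roy", "line1": "456 Avenue Fictive",
                   "city": "Québec", "postal_code": "G1R 2B3"}},
]

# Fields the entity created or inferred; they are not part of the export.
DERIVED_FIELDS = {"fraud_score", "marketing_segment"}
REDACTED = "[redacted: personal information of another individual]"


def is_requester(recipient: dict, customer: dict) -> bool:
    """A recipient counts as the requester only when name and address match
    an address on the requester's own file."""
    own = {(customer["name"], a["line1"], a["postal_code"]) for a in customer["addresses"]}
    return (recipient["name"], recipient["line1"], recipient["postal_code"]) in own


def redact_order(order: dict, customer: dict) -> dict:
    """Keep the order, but replace a third party's recipient details field by
    field so the structure is preserved without leaking their PI."""
    out = {k: v for k, v in order.items() if k != "recipient"}
    recipient = order["recipient"]
    if is_requester(recipient, customer):
        out["recipient"] = dict(recipient)
    else:
        out["recipient"] = {k: REDACTED for k in recipient}
    return out


def build_export(customer: dict, orders: list, generated_at: str) -> dict:
    """Assemble the structured export: profile minus derived fields, plus orders."""
    profile = {k: v for k, v in customer.items() if k not in DERIVED_FIELDS}
    return {
        "schema": "portability-export/1",
        "generated_at": generated_at,
        "subject": profile,
        "orders": [redact_order(o, customer) for o in orders],
    }


def export_json(customer: dict, orders: list, generated_at: str) -> str:
    """Serialize in a commonly used format; ensure_ascii=False keeps accented names intact."""
    return json.dumps(build_export(customer, orders, generated_at), ensure_ascii=False, indent=2)


def leaks_values(export: dict, third_party_values: Iterable[str]) -> bool:
    """Privacy-officer review check: does any known third-party value survive
    anywhere in the serialized export?"""
    text = json.dumps(export, ensure_ascii=False)
    return any(v in text for v in third_party_values)


if __name__ == "__main__":
    print(export_json(CUSTOMER, ORDERS, "2024-01-01T00:00:00+00:00"))
```

Redacting field by field rather than dropping the whole order is deliberate: the customer is entitled to their own purchase history, and a silently missing order would look like an incomplete export. The `leaks_values` scan is a last-line check, not the control; the control is the allow-list of fields and the recipient match, which is why matching is done on the customer’s own addresses rather than on the name alone.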
Deletion Requests
Another GDPR right with a Bill 64 counterpart is the right of erasure, where an individual can request that an entity delete their PI. Bill 64’s version is narrower: a right to have an entity cease disseminating PI, or de-index (or re-index) any hyperlink that gives access to it, where the dissemination contravenes the law or a court order, or causes serious injury to the person’s reputation or privacy (the right of “de-indexation”). Together with the existing duty to destroy or anonymize PI once the purpose of its collection has been achieved, this means an entity should have a formal process to review and respond to such requests. Ideally, the organization will already have tagged the data for ease of retrieval and review.
A formal process is needed because the right to have PI deleted is not absolute. There are valid and compelling reasons why an organization may be unable to delete PI and must in fact retain some of it, including the following:
- To continue to provide goods and services: this includes contact information, payment information, and purchase history (to effect returns or to provide warranties on eligible products);
- Employment law requirements: this pertains to employee PI only. Such data may not be deleted where the company is compelled to retain employee records for ongoing due diligence and regulatory requirements;
- Legal reasons: this includes employee data as well as any ongoing disputes or litigation that involves a customer. In these circumstances, the right to erasure cannot override an entity’s requirement to retain PI if it would be considered evidence in a court of law.
A formalized process helps the privacy officer review the requests, determine what can be deleted and what must be retained, and respond to the requester. As with the right to data portability, deletion requests should be processed within 30 days.
What are the risks of not complying with privacy laws?
Bill 64 introduces new fines which are strikingly similar to GDPR:
- For administrative violations, administrative monetary penalties of up to C$10 million or 2% of worldwide turnover for the preceding fiscal year, whichever is greater;
- For penal offences (prosecuted before the courts rather than handled administratively), fines of up to C$25 million or 4% of worldwide turnover, whichever is greater;
- Sections 158 & 159 allow fines to be levied against individuals as well as companies: “anyone who commits an offence and is liable to a fine of $5,000 to $50,000 in the case of a natural person and of $15,000 to $150,000 in all other cases.”
- Administrative monetary penalties are imposed directly by the Quebec privacy regulator (CAI) and do not need to be pursued through the courts via conventional litigation, whereas penal fines follow a prosecution. Neither precludes anyone from commencing civil proceedings against a company for invasion of privacy, which may include class actions if a large number of customers are affected by the same breach.
Finally, in addition to the above-noted fines, there is the potential loss of trust or reputation, which is hard to quantify and can lead to lost business or a drop in the company’s stock price. This does not include out-of-pocket costs to mitigate the damage, such as retaining IT security breach response teams, external legal counsel, crisis management firms, and publicists and marketing firms to work on the messaging that repairs the corporate brand. It should be noted that an insurer will not always cover these additional costs.
How can I be compliant with Bill 64?
The best way to be compliant with legislation is to perform a proper privacy gap analysis, measuring an entity’s privacy program against Bill 64. Here is a short checklist that may be used as a starting point for any privacy program:
- Appoint a privacy officer to respond to queries, concerns, and complaints on behalf of the entity;
- If the privacy officer cannot do so, hire an external consultant to develop a privacy program for the organization;
- Conduct a data inventory, with data sets listing all types of PI collected;
- Perform a privacy gap assessment to determine how the organization processes PI;
- Complete privacy impact assessments as a risk mitigation and due diligence exercise;
- Implement sufficient IT security measures and safeguards to ensure your environment is secure;
- Operationalize a privacy breach response protocol (in addition to an incident response protocol);
- Train staff on privacy on a regular (e.g., annual) basis to help foster a culture of privacy awareness throughout the organization;
- Create a privacy road map to compliance, including an assessment of the applicable laws and the current practices in place;
- Consult with legal counsel and insurers to ensure there is sufficient coverage and risk mitigation steps in place.
Some or all of the activities listed above may be more appropriate to larger rather than smaller operations. However, if even a small start-up with a handful of employees starts gathering considerable PI (especially sensitive kinds such as health or financial information), then having a privacy roadmap to compliance is a critical due diligence requirement. The size of the organization does not absolve the business of liability in the event of a privacy breach or a major security incident.