On June 12, 2020, An Act to modernize legislative provisions as regards the protection of personal information, also known as Bill 64 (hereinafter the “Bill”),[1] was tabled in Québec’s National Assembly. The Bill represents a major overhaul of the obligations imposed on public bodies and private sector enterprises as regards the protection of personal information. These amendments will undoubtedly impact business lawyers and in-house counsel, who will have to advise their clients or employers about these new requirements.

While the Bill amends several statutes, we propose, via a series of four (4) articles, to provide an overview of the principal amendments that would be made to the Act respecting the protection of personal information in the private sector[2] if the current version of the Bill is enacted.

A New Participant Within Private Enterprises 

Section 95 of the Bill expressly sets out the principle of accountability of an enterprise that collects and holds personal information.[3] The Legislature has also added a new function within every enterprise: the person in charge of the protection of personal information. This title is vested in the person exercising the highest authority in the enterprise. However, all or part of this function may be delegated in writing to a personnel member.[4]

The title and contact information of the person in charge of the protection of personal information must be published on the enterprise’s website or, if the enterprise does not have a website, be made available by any other appropriate means.[5]

Moreover, the Bill requires the person in charge of the protection of personal information to see to ensuring that An Act to modernize legislative provisions as regards the protection of personal information is implemented and complied with. In concrete terms, this obligation involves several functions:[6]

• Establishing and implementing governance policies and practices within the enterprise regarding the protection of personal information. These policies must be published on the enterprise’s website or, if the enterprise does not have a website, made available by any other appropriate means;

• Ensuring that the policies and practices govern the keeping and destruction of personal information;

• Defining the roles and responsibilities of personnel members throughout the life cycle of the information;

• Providing a process for dealing with complaints regarding the protection of such information;

• Conducting an assessment of the privacy-related factors of any information system project or electronic service delivery project involving the collection, use, communication, keeping or destruction of personal information;

• The person in charge of the protection of personal information may, at any stage of the project, suggest personal information protection measures applicable to the project;

• Being involved in the management of any “confidentiality incident”.

Obligation to Report a “Confidentiality Incident”

The Bill defines a “confidentiality incident” as follows:[7]

• The access, use or communication not authorized by law of personal information;

• The loss of personal information or any other breach in the protection of such information.

Any person carrying on an enterprise who has cause to believe that a “confidentiality incident” has occurred must take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature.[8]

In addition, the Bill imposes the obligation to promptly inform certain persons and bodies if the “confidentiality incident” presents a risk of serious injury:[9]

• The Commission d’accès à l’information (hereinafter the “CAI”);

• Any person whose personal information is concerned by the “confidentiality incident”, failing which the CAI may order him to do so;

• Any person or body that could reduce the risk, by communicating to the person or body only the personal information necessary for that purpose without the consent of the person concerned and, in the latter case, the person in charge of the protection of personal information must record the communication of the information.

However, an enterprise need not notify a person whose personal information is concerned by a “confidentiality incident” so long as doing so could hamper an investigation conducted by a person or body responsible by law for the prevention, detection or repression of crime or statutory offences.[10]

The Bill also sets out the criteria to be considered in assessing the risk of injury:[11]

• The sensitivity of the information concerned;

• The anticipated consequences of its use;

• The likelihood that such information will be used for injurious purposes.

Moreover, a person carrying on an enterprise must keep a register of “confidentiality incidents” and provide a copy of the register to the CAI at its request.[12]

Collection of Personal Information

Section 96 of the Bill stipulates that any person carrying on an enterprise who, for a serious and legitimate reason, collects personal information on another person must determine the purposes for collecting the information before doing so.[13] 

Moreover, when the personal information concerns a minor under 14 years of age, such information may not be collected from him without the consent of the person having parental authority, unless collecting the information is clearly for the minor’s benefit.[14] 

Furthermore, the Bill specifies that any person collecting personal information on another person must limit that collection to the information necessary for the purposes determined before collecting it.[15]

The Bill also provides that any person who collects personal information from the person concerned must, when the information is collected and subsequently on request, inform that person:[16]

• Of the purposes for which the information is collected;

• Of the means by which the information is collected;

• Of the rights of access and rectification provided by law;

• Of the person’s right to withdraw consent to the communication or use of the information collected;

• Of the name of the third person for whom the information is being collected and of the possibility that the information could be communicated outside Québec;

• On request, the person concerned is also informed of the personal information collected from him, the categories of persons who have access to the information within the enterprise, the duration of the period of time the information will be kept, and the contact information of the person in charge of the protection of personal information.

This information must be provided in clear and simple language, regardless of the means used to collect the personal information.[17]

In addition to the aforementioned information, any person who collects personal information using technology that includes functions allowing the person concerned to be identified, located or profiled must first inform the person:[18]

• Of the use of such technology;
• Of the means available, if any, to deactivate the functions that allow a person to be identified, located or profiled.

For purposes of the Bill, profiling “means the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests or behaviour”.[19]

The Bill also introduces the obligation for any person who collects personal information through technological means to publish on the enterprise’s website, if applicable, a confidentiality policy drafted in clear and simple language and disseminate it by any appropriate means to reach the persons concerned. The same requirement applies to the notice required for any amendment to such a policy.[20]

Lastly, any enterprise that uses a technological product or service to collect personal information must ensure that the parameters of the product or service provide the highest level of confidentiality by default, without any intervention by the person concerned.[21]

This concludes the first part of this article dealing with the principal changes and requirements described in Bill 64 with respect to the protection of personal information. In an upcoming text in Maîtres@droits, we will continue our overview of Bill 64 by discussing consent to the collection and use of personal information as well as the cross-border communication of such information.

 

[1] Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, 42nd Leg. (QC), 1st Sess., 2020.

[2] Act respecting the protection of personal information in the private sector, CQLR, c. P-39.1.

[3] Bill 64, supra, note 1, s. 95.

[4] Id.

[5] Id.

[6] Id.

[7] Id.

[8] Id.

[9] Id.

[10] Id.

[11] Id.

[12] Id.

[13] Bill 64, supra, note 1, s. 96.

[14] Id.

[15] Bill 64, supra, note 1, s. 97.

[16] Bill 64, supra, note 1, s. 99.

[17] Id.

[18] Id.

[19] Id.

[20] Id.

[21] Bill 64, supra, note 1, s. 100.