In January 2021, we published a series of four articles on An Act to modernize legislative provisions as regards the protection of personal information (hereinafter “Bill 64”).[1] Bill 64 represents a major overhaul of the obligations imposed on public bodies and private sector enterprises as regards the protection of personal information. In our articles, we discussed the main amendments made by Bill 64 to the Act respecting the protection of personal information in the private sector (hereinafter the “APPIPS”).[2]

Bill 64, which was initially tabled in the National Assembly in June 2020, was passed on September 21, 2021 and assented to on September 22, 2021. It should be noted that a number of amendments were made to Bill 64 following legislative committee debates.

This article discusses the coming into force of the main provisions of the APPIPS. A second article will discuss the major amendments to Bill 64 with respect to the APPIPS.

Coming into force of the APPIPS 

The new APPIPS provisions will be phased in over three years. While this may seem like a long way off, private sector enterprises and the lawyers who advise them would be wise to take immediate steps to ensure they will comply with the new practices regarding the protection of personal information.

The following are the main provisions of the APPIPS that will come into force one year after Bill 64 was assented to:

• Appoint a person in charge of the protection of personal information (s. 3.1);

• Notify the Commission d’accès à l’information, as well as any person whose personal information is concerned, of the occurrence of a confidentiality incident that presents a risk of serious injury. The enterprise may also notify any person or body that could reduce the risk, by releasing to the person or body only the personal information necessary for that purpose, without the consent of the person concerned. Enterprises also have the obligation to keep a register of confidentiality incidents (ss. 3.5 to 3.8);

• Communicate personal information that is necessary for concluding a commercial transaction, without the consent of the person concerned, subject to the parties to the transaction first entering into an agreement to protect this personal information (s. 18.4);

• Subject to certain conditions, communicate personal information without the consent of the persons concerned to a person or body wishing to use the information for study or research purposes or for the production of statistics (ss. 21 to 21.0.2).

The following are the main provisions of the APPIPS that will come into force two years after Bill 64 was assented to:

• Establish and implement governance policies and practices regarding personal information that ensure the protection of such information (s. 3.2);

• Conduct a privacy impact assessment:
  • For any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information (s. 3.3). Possibility for the person in charge of the protection of personal information to suggest, at any stage of the project, personal information protection measures applicable to the project (s. 3.4);
  • Before communicating personal information outside Québec (s. 17).

• Be transparent when collecting personal information and comply with the duty to inform:
  • Determine the purposes for collecting the information before doing so (s. 4);
  • Restrict the collection to the information necessary for the purposes determined before collecting it (s. 5);
  • Provide certain information to the person concerned at the time the information is collected and subsequently on request, including the use of technology that includes functions allowing the person concerned to be identified, located or profiled (ss. 8 and 8.1);
  • When a decision is based exclusively on an automated processing of personal information, inform the person concerned accordingly no later than at the time the person is informed of the decision (s. 12.1).

• When an enterprise collects personal information when offering a technological product or service having privacy settings, ensure that those settings provide the highest level of confidentiality by default, without any intervention by the person concerned. The foregoing requirement, however, does not apply to privacy settings for browser cookies (s. 9.1);

• Obtain the consent of the person concerned to the use of their personal information:
  • Use personal information within the enterprise for the purposes for which it was collected, unless the person concerned gives their consent. Such consent must be given expressly when it concerns sensitive personal information (s. 12 para.
  • Refrain from communicating to a third party personal information held about another person unless the person concerned consents or the APPIPS provides for it. Such consent must be given expressly when it concerns sensitive personal information (s. 13);
  • The consent provided for in the APPIPS must be clear, free and informed and be given for specific purposes. It must be requested for each such purpose, in clear and simple language. If the request for consent is made in writing, it must be presented separately from any other information provided to the person concerned. If the person concerned so requests, assistance must be provided to help him understand the scope of the consent requested (s. 14).

• Communicate personal information to any person or body, without the consent of the person concerned, if the information is necessary for carrying out a mandate or performing a contract of enterprise or for services entrusted to that person or body by the enterprise. In such a case, the enterprise must comply with certain requirements set out in the APPIPS (s. 18.3);

• Where the purposes for which personal information was collected or used are achieved, destroy the personal information, or anonymize it to use it for serious and legitimate purposes (s. 23);

• A person concerned by personal information that is inaccurate, incomplete or equivocal, or whose collection, communication or keeping is not authorized by law, may require that the information in question be rectified (s. 28);

• A person concerned by personal information may require the enterprise to cease disseminating that information or to de-index any hyperlink attached to his name that provides access to the information by a technological means, if the dissemination of the information contravenes the law or a court order (s. 28.1 para. 1). The person may also require that the hyperlink providing access to the information be re-indexed, subject to certain conditions (s. 28.1 para. 2).

Lastly, three years after Bill 64 was assented to, the following provision of the APPIPS will come into force:

• Unless doing so raises serious practical difficulties, computerized personal information collected from the applicant, and not created or inferred using personal information concerning him, must, at his request, be communicated to him in a structured, commonly used technological format. The information must also be communicated, at the applicant’s request, to any person or body authorized by law to collect such information (s. 27 para. 3).

In light of the foregoing, although the provisions of the APPIPS will be phased in gradually, the fact remains that lawyers who will have to assist their clients or employers in complying with these provisions will face a daunting task. It is therefore not futile to immediately consider what needs to be done in order to implement them.

This concludes the first part of our article on the coming into force of the main requirements set out in the APPIPS. Our second article, which will also be published in Maîtres@droits!, will focus on the amendments made to Bill 64 with respect to the APPIPS.

 

[1] Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, 42nd Leg. (QC), 1st Sess., 2020.

[2] Act respecting the protection of personal information in the private sector, CQLR, c. P-39.1.