Search
Français

2021/11/15 Articles

Bill 64: What’s new? (Part 2)

In this second article on recent developments regarding Bill 64 (hereinafter “Bill 64”),[1] which was assented to on September 22, 2021, we continue by looking at some of the amendments to the provisions of Bill 64, again with respect to the main changes that will be made to the Act respecting the protection of personal information in the private sector (hereinafter the “APPIPS”).[2] Subject to these amendments, the four articles we published in January 2021 with respect to Bill 64 are still relevant.

Amendments to the main provisions of Bill 64 

It should be noted that this is not a comprehensive review of all the amendments made to Bill 64 with respect to the APPIPS. We have focused on the amendments to the provisions of Bill 64 that were discussed in our four articles published in January 2021.

Amended section of Bill 64 Amended section of the APPIPS Subject of the sections Description of the amendment
95 3.1 Appoint a person in charge of the protection of personal information Initially, Bill 64 provided that the person exercising the highest authority in the enterprise would exercise the function of person in charge of the protection of personal information. All or part of this function could be delegated in writing to a personnel member. Now, this function can be delegated to any person, not just a personnel member.
95 3.2 Establish and implement governance policies and practices regarding personal information It is no longer necessary to publish these policies and practices on the enterprise’s website. Only detailed information about those policies and practices, in particular as concerns the content required under the first paragraph, must be published in simple and clear language on the enterprise’s website or, if the enterprise does not have a website, made available by any other appropriate means.
95 3.3 Conduct a privacy impact assessment First, the amendment specifies the situations in which a privacy impact assessment is required. Such an assessment must be carried out for any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information. Second addition: Proportionality test in conducting the privacy impact assessment. “The conduct of a privacy impact assessment must be proportionate to the sensitivity of the information concerned, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored”.
99 8 Be transparent when collecting personal information and comply with the duty to inform Section 99 of Bill 64 provides for a number of elements that the person concerned must be informed of when personal information is collected, and subsequently on request. Previously, Bill 64 provided that any person who collects personal information from the person concerned was required to inform that person of the name of the third person for whom the information was being collected.

The amendment to Bill 64 adds that the person concerned must also be informed of the name of the third persons or categories of third persons to whom it is necessary to communicate the information for the purposes referred to in subparagraph 1 of the first paragraph of section 8.
99 8.1 Be transparent when collecting personal information and comply with the duty to inform Previously, Bill 64 provided that a person carrying on an enterprise who uses technology that includes functions allowing the person concerned to be identified, located or profiled had to inform the person of the means available to deactivate those functions. Now, the amendment mentions that the enterprise must inform the person of the means for activating these functions. In other words, the default settings for technology that allows for identification, location or profiling must be the deactivation of these functions.
99 8.3 Be transparent when collecting personal information and comply with the duty to inform The amendment to this section establishes that any person who provides his personal information in accordance with section 8 consents not only to its use, but also to its communication for the purposes referred to in subparagraph 1 of the first paragraph of that section.
100 9.1 Privacy settings for a technological product or service offered to the public Section 9.1 of the APPIPS is replaced by the following:

“Any person carrying on an enterprise who collects personal information when offering to the public a technological product or service having privacy settings must ensure that those settings provide the highest level of confidentiality by default, without any intervention by the person concerned.

The first paragraph does not apply to privacy settings for browser cookies”.
102 12 Obtain consent to the use of personal information Bill 64 provided that consent regarding the use of personal information must be given expressly when it concerns sensitive personal information. The amendment specifies what constitutes sensitive personal information, namely: information that, due to its nature, in particular its medical, biometric or otherwise intimate nature, or the context of its use or communication, entails a high level of reasonable expectation of privacy.

Previously, Bill 64 set out three instances in which personal information could be used for a purpose other than that for which it was collected. The amendment adds two other instances:

• If its use is necessary for the purpose of preventing and detecting fraud or of assessing and improving protection and security measures;

• If its use is necessary for the purpose of providing or delivering a product or providing a service requested by the person concerned.

Furthermore, Bill 64 is amended to provide that a person carrying on an enterprise who uses de-identified information must take reasonable measures to limit the risk of someone identifying a natural person using de-identified information.
102 12.1 Be transparent when collecting personal information and comply with the duty to inform Amended Bill 64 provides that any person carrying on an enterprise who uses personal information to render a decision based exclusively on an automated processing of such information must inform the person concerned accordingly not later than at the time it informs the person of the decision, rather than at the time of or before the decision.
102 14 Obtain consent to the use of personal information The amendment to Bill 64 specifies that if the request for consent is made in writing, it must be presented separately from any other information provided to the person concerned.

Now, in addition to the person having parental authority, the tutor of a minor can give consent for a minor under 14 years of age. For minors over 14 years of age, consent may be given by the minor, the person having parental authority or the tutor.
103 17 Conduct a privacy impact assessment Bill 64 required a person carrying on an enterprise who wishes to communicate personal information outside Québec to first conduct a privacy impact assessment and consider several elements. The amendment to Bill 64 modifies certain elements that must be taken into account, such as the protection measures, including those that are contractual, that would apply to the personal information. The person must also take into account the legal framework applicable in the state in which the information would be released, including the personal information protection principles applicable in that state.

Moreover, in order to communicate information outside Québec, it is no longer necessary to demonstrate that the information would receive protection equivalent to that afforded under the APPIPS. The protection must be adequate.
103 17.1 Conduct a privacy impact assessment Removal of the publication in the Gazette officielle du Québec of a list of states whose legal framework governing personal information is equivalent to the personal information protection principles applicable in Québec. Section 17.1 is therefore withdrawn.
107 18.4 Communicate personal information to a third person without the consent of the person concerned Bill 64 provided that personal information that is necessary for concluding a commercial transaction could be communicated by a person carrying on an enterprise who is a party to the transaction, subject to the parties to the transaction first entering into an agreement to protect this personal information.

The amendment modifies and expands the definition of a commercial transaction. It involves the alienation or leasing of all or part of an enterprise or of its assets, a modification of its legal structure by merger or otherwise, the obtaining of a loan or any other form of financing by the enterprise or of a security taken to guarantee any of its obligations.
111 23 Right to destruction or anonymization Initially, once the purposes for which personal information was collected or used had been achieved, the person carrying on an enterprise could either destroy or anonymize the information. The amendment states that “where the purposes for which personal information was collected or used are achieved, the person carrying on an enterprise must destroy the information, or anonymize it to use it for serious and legitimate purposes, subject to any preservation period provided for by an Act.”

This section of Bill 64 has also been amended in order to change the definition of anonymized information by stating that information concerning a natural person is anonymized if it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly.

Lastly, information must be anonymized according to generally accepted best practices and according to the criteria and terms determined by regulation.
112 27 Right of access by the persons concerned The amendment provides that the right to obtain computerized personal information in a structured, commonly used technological format or to request that such information be communicated to any person or body authorized by law to collect such information does not apply to information created or inferred using personal information concerning the applicant.
113 28.1 Right to request the cessation of dissemination or the de-indexation or re-indexation of a hyperlink In assessing a request to stop disseminating information, or to de-index or re-index any hyperlink attached to a person’s name, the person’s age is no longer taken into account, but rather the fact that the information concerns the person at the time the person is a minor.

The amendment also adds the following: “When granting such a request, the person in charge of the protection of personal information shall attest, in his written reply under section 32, to the cessation of the dissemination of the personal information or to the de-indexation or the re-indexation of the hyperlink.”
132 64 Filing of the proceeding to contest an order issued by the Commission’s oversight division Bill 64 provided that the filing of the proceeding to contest an order issued by the Commission’s oversight division did not suspend the execution of the order.

The amendment adds the following: “However, on a motion heard and judged on an urgent basis, a judge of the Court of Québec may order otherwise because of the urgency of the situation or the risk of serious and irreparable injury.”
150 90.1 Monetary administrative penalties The article lists the situations that give rise to monetary administrative penalties. As a result of an amendment, a penalty may be imposed on anyone who collects, uses, communicates, keeps or destroys personal information in contravention of the law (APPIPS).

A penalty may also be imposed where a person does not take the security measures necessary to ensure the protection of personal information in accordance with section 10 of the APPIPS.

In addition, an administrative penalty may be imposed on a personal information agent who contravenes any of ss. 70, 70.1, 71, 72, 78, 79 and 79.1.

Moreover, two other paragraphs have been added to section 90.1, namely:

“Following a failure referred to in the first paragraph, a person may, at any time, enter into an undertaking with the Commission to take the measures necessary to remedy the failure or mitigate its consequences. The undertaking must identify the acts or omissions constituting a failure and the provisions involved. It may also include the conditions the Commission considers necessary and contain a requirement to pay a sum of money.

If the undertaking is accepted by the Commission and is complied with, no monetary administrative penalty may be imposed on the person carrying on an enterprise with regard to the acts or omissions mentioned in the undertaking.”
150 90.2 Monetary administrative penalties Bill 64 states that “[t]he Commission shall develop and make public a general framework for the application of monetary administrative penalties” in which it shall specify a number of elements.

In the first version of Bill 64, paragraph 2 mentioned the following element to be specified: “the criteria that must guide designated persons in the decision to impose a penalty when a failure occurs…”.

The section now reads as follows: “the criteria that must guide designated persons in the decision to impose a penalty when a failure occurs and in the determination of the amount of the penalty…”.

A criterion has also been added in paragraph 2(g) to guide designated persons in the decision to impose a penalty and in the determination of the amount of the penalty, namely: “the ability to pay of the person in default, given such considerations as the person’s assets, turnover and revenues”.
151 91 Penal provisions In the first version of Bill 64, the fine for a natural person who committed an offence was between $5,000 and $50,000. Amended Bill 64 now provides that the fine for a natural person is between $5,000 and $100,000.

Amended Bill 64 also adds three penal offences:

• Anyone who collects, uses, communicates, keeps or destroys personal information in contravention of the law (APPIPS);

• Anyone who contravenes the prohibition set out in section 8.4 (of the APPIPS) (by reason of s. 108 of the Credit Assessment Agents Act);

• Anyone who does not take the security measures necessary to ensure the protection of personal information in accordance with section 10.
151 92.2 Penal provisions Initially, Bill 64 provided that all penal proceedings had to be instituted within three years of the commission of the offence. The final version of Bill 64 now provides for a time limit of five years from the commission of the offence.
151 92.3 Penal provisions Addition of this section in the final version of Bill 64 to specify the factors the judge must take into account in determining the penalty.
152 93.1 Damages Section 93.1 of the final version of Bill 64 states: “Where the unlawful infringement of a right conferred by this Act or by articles 35 to 40 of the Civil Code causes an injury and the infringement is intentional or results from a gross fault, the court shall award punitive damages of not less than $1,000.”

This amendment subjects the recourse for damages to the general rules of civil liability.

This concludes our second article on recent developments regarding Bill 64 with respect to the APPIPS. As lawyers, it’s a good idea to be proactive and update your knowledge on the protection of personal information now. Your clients will appreciate having enough time to develop a framework that will allow them to comply with the new requirements, which are admittedly considerable.

 

References:

Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, 42nd Leg. (QC), 1st Sess., 2020 (assented to on September 22, 2021).

Antoine Aylwin, Kateri-Anne Grenier and Julie Uzan-Naulin, Act to modernize legislative provisions as regards the protection of personal information | Special Series - Bill 64 & Act to modernize legislative provisions as regards the protection of personal information, October 2021, online:

https://www.fasken.com/en/knowledge/projet-de-loi-64/2021/10/loi-sur-la-protection-des-renseignements-personnels-dans-le-secteur-prive

Jennifer Stoddart, Julie Uzan-Naulin and Mathilde Romano, The Beginning of a New Era for the Private Sector: Bill 64 on the Protection of Personal Information Has Been Adopted, Bulletin #32, | Special Series - Bill 64 & the reforms of Québec laws, An Act as regards the protection of personal information, September 2021, online:

https://www.fasken.com/en/knowledge/projet-de-loi-64/2021/09/23-debut-temps-nouveau-secteur-prive-pl-64-adopte.

Raymond Doray, Guillaume Laberge, Roxane Fortin Lecompte and Marc-Antoine Bigras, Amendments to Privacy Laws: What Businesses Need to Know, Lavery Lawyers / Publications, October 2021, online:

https://www.lavery.ca/en/publications/our-publications/4276-amendments-to-privacy-laws-what-businesses-need-to-know.html.