Protection of personal information: main takeaways one year later

Almost one year ago, two bills were introduced: one in the National Assembly of Quebec, Bill 64, An Act to modernize legislative provisions as regards the protection of personal information (“Bill 64”) in June 2020, and another in the House of Commons, Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts (“Bill C-11”) in November 2020.

The purpose of these two bills is to modernize the laws applicable to the protection of personal information, particularly in the private sector, and more specifically, the Act respecting the protection of personal information in the private sector (the “PPIPS” – Quebec) and the Personal Information Protection and Electronic Documents Act (the “PIPEDA” – Canada).

One year after their introduction, these bills still have not been adopted. At the federal level, the study of Bill C-11 has not progressed since April 2021. Several comments, some of them virulent, have been made about it, notably by the Office of the Privacy Commissioner of Canada. The future of Bill C-11 is uncertain given the election that will likely be called in the fall of 2021. At the provincial level, the detailed review of Bill 64 initiated in February 2021 has made significant progress, with only about 40 sections of Bill 64 remaining to be reviewed at the time the parliamentary session ended on June 11, 2021. Therefore, barring a reversal, it is reasonable to expect that a revised version of Bill 64 will be adopted when Parliament resumes in the fall.

While we wait for Parliament to reconvene in September 2021, it is appropriate to examine the provisions of Bill 64 in order to consider the changes that could be made to the framework for the protection of personal information in the private sector. Since certain provisions of Bill 64 have been amended since its introduction, we have identified the amended passages in italics in the text.

In the context of this analysis, we will consider the life cycle of personal information, taking into account the rights of the individuals concerned and the sanctions/fines envisaged. We will refer, where appropriate, to the PIPEDA and Bill C-11 to illustrate certain points.

Table of contents

1. Responsibility for the protection of personal information

2. Life cycle of personal information
a) Personal information
b) Consent and prior notice
c) Collection
d) Use
e) Disclosure
f) Retention and destruction

3. Rights of the persons concerned

4. Penalties and fines
a) Administrative monetary penalties
b) Fines

5. Conclusion


1. Responsibility for the protection of personal information

While the concepts of “responsibility” and “Privacy Officer” have been present in the PIPEDA since its adoption in 2000, these concepts are introduced into the Quebec legislation by Bill 64.

This does not mean that a person who operates a business is not currently responsible for the personal information relating to other persons that he or she holds, uses or discloses to others. Nor does it mean that they are not obligated to meet the requirements of the PPIPS or that they cannot be held liable for breaches of the PPIPS.

However, the introduction of these concepts into the Quebec legislation through Bill 64 enshrines the following principles:

  • The person with the highest authority within a company will be accountable for compliance with and implementation of the PPIPS and will act as the Privacy Officer. It is provided that:
    • this function may be delegated, in writing, to any person, whether internal or external. According to comments made by the Minister Responsible for Access to Information and the Protection of Personal Information during the detailed study of Bill 64, this possibility of designating an external person will allow for “a group of companies to appoint a single Privacy Officer.” This will also allow for the use of “the services of a person who specializes in the protection of personal information”;
    • the title and contact information of the Privacy Officer will be published on the company’s website or, if it does not have a website, made available by any other appropriate means;
  • Any person operating a business within the meaning of the PPIPS will be responsible for the protection of personal information held by the company. As such, he or she must:
    • Establish and implement policies and practices to guide the company’s governance of personal information and ensure the protection of such information. These policies and practices should be proportionate to the nature and scope of the company’s activities and must be approved by the Privacy Officer. Details of these policies and practices must be published on the company’s website or, if the company does not have a website, made available by any other appropriate means;

      This provision echoes Principle 4.1.4 of Schedule 1 of the PIPEDA and Bill C-11, which states that “every organization must implement a privacy management program that includes the organization’s policies, practices and procedures put in place to fulfil its obligations under [the PIPEDA]”; 
    • Conduct a privacy impact assessment of any planned information system acquisition, development, or redesign or any electronic service delivery project involving the collection, use, disclosure, retention or disposal of personal information. This assessment must:
      • be done in consultation with the Privacy Officer;
      • be proportionate to the sensitivity of the information concerned, the purpose for which it is to be used, the quality of the information, its distribution and the medium on which it is stored;
    • Report privacy incidents involving personal information in its possession that present a risk of serious harm. This report must be made promptly to the Commission d’accès à l’information (the “CAI”) and to the persons whose personal information is affected by the incident, failing which the CAI may order it. The company may also notify any person or organization that could reduce the risk of harm.

      By introducing this obligation, the Quebec government is echoing other Canadian legislation that already provides for it, such as PIPEDA. Bill C-11 maintains this obligation;
    • If the company collects personal information through technological means, publish a plain language privacy policy on its website.


2. Life cycle of personal information

Both Bill 64 and Bill C-11 change many of the requirements of the life cycle of personal information, starting with the definition of personal information itself.


a) Personal information

Bill 64 amends the definition of personal information by adding the words “directly or indirectly.” The concept of personal information will thus be understood as “any information which relates to a natural person and allows that person to be identified directly or indirectly.”

Bill 64 also clarifies what is meant by “sensitive information,” “anonymized information” and “de-identified information”:

  • information is sensitive when, due to its nature, particularly its medical, biometric or otherwise intimate nature, or because of the context of its use or disclosure, it entails a high level of reasonable expectation of privacy;
  • information is de-identified when it no longer allows the person concerned to be directly identified.

    In the discussions regarding this type of information, it was added that “any person operating a business and using de-identified information must take reasonable steps to limit the risks of anyone identifying a natural person from de-identified information.”

    A similar provision is found in Bill C-11, which provides that “an organization that de-identifies personal information must ensure that any technical and administrative measures applied to the information are proportionate to the purpose for which the information is de-identified and the sensitivity of the personal information” (s. 74). It also provides that “an organization must not use de-identified information alone or in combination with other information to identify an individual, except in order to conduct testing of the effectiveness of security safeguards that the organization has put in place to protect the information” (s. 75); 
  • information is anonymized when it is at all times reasonable to expect, in the circumstances, that it irreversibly no longer allows the person concerned to be identified, directly or indirectly.

Bill 64 also proposes to recognize the public nature of information relating to a person’s functions within a company. However, this amendment is still under consideration.


b) Consent and prior notice

Consent remains the cornerstone of privacy protection. Bill 64, like the PPIPS, provides that consent:

  • must be manifest, free and informed.

    It should be noted that in the case of sensitive information, such consent must be expressly given. Such consent must also be given when a company intends to verify or confirm the identity of a person by means of a process that captures biometric characteristics or measurements (s. 44 of the Act to establish a legal framework for information technology);
  • must be given for specific purposes.

    It is provided that consent must be sought for each of these purposes in clear and simple terms.

    In the discussions on this subject, it was added that when the request for consent is made in writing, it must be presented separately from any other information communicated to the person concerned;
  • is valid only for the time necessary to achieve the purposes for which it was requested.

Bill 64 specifies that any person who provides his or her personal information, after having obtained a certain amount of information, consents to its use and disclosure for the purposes that were communicated to him or her at the time of collection.

Regardless of the means used to collect the personal information, the person collecting the personal information from the person concerned must inform him or her, in clear and simple terms, of:

  • the purposes for which the information is collected;
  • the means by which the information is collected;

    For instance, if the information is collected using technology that includes functions to identify, locate or profile the individual, the individual must be informed in advance of:
    • the use of such technology;
    • the means available, if any, to activate (rather than deactivate) the identification, location or profiling functions;
  • the rights of access and rectification provided by law;
  • the right to withdraw consent to the disclosure or use of the information collected.

Where applicable, this information should also include third parties: the name of the third party for whom the information is being collected and the names of the third parties to whom it is necessary to disclose the personal information for the purposes [for which it is being collected]. It should be noted that this reference to third parties is also found in Bill C-11, which provides that consent will only be valid if

“[the organization first] provides the individual with the following information in plain language:

a) the purposes for the collection, use or disclosure of the personal information determined by the organization and recorded under subsection 12(3) or (4);

b) the way in which the personal information is to be collected, used or disclosed;

c) any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;

d) the specific type of personal information that is to be collected, used or disclosed; and

e) the names of any third parties or types of third parties to which the organization may disclose the personal information.” (s. 15(3) Bill C-11).

The person operating a business must also, where applicable, indicate the possibility that the information could be released outside Quebec.

In addition, upon request, the person concerned should also be informed of:

  • the personal information collected from him or her;
  • the categories of persons who have access to it within the company;
  • the length of time the information will be kept;
  • the contact information of the Privacy Officer.

Bill 64 also governs the consent of minors. Thus, for a minor under the age of 14, consent will have to be given by the person with parental authority or by the guardian. For a minor of 14 years of age or older, consent may be given by the minor himself or herself, by the person with parental authority or by the guardian.

Bill 64 also provides for exceptions to consent to use and disclosure, which will be discussed below. 


c) Collection

While Bill 64 does not change the requirement that a person operating a business must have a serious and legitimate reason and must collect only the necessary information, it does clarify that the purposes for which personal information is collected must be determined before the information is collected.


d) Use

Bill 64 clarifies certain aspects relating to the use of personal information, with or without the consent of the person concerned. For example,

  • personal information may only be used within the company for the purposes for which it was collected, unless the person concerned gives his or her consent;
  • personal information may be used for another purpose without the consent of the person concerned in the following cases:
    • when it is used for purposes consistent with those for which it was collected. In this case, the company will have to demonstrate that there is a relevant and direct connection with the purposes for which the information was collected. Commercial marketing or charitable fundraising do not constitute such a purpose;
    • when its use is clearly for the benefit of the person concerned;
    • when its use is necessary for the prevention and detection of fraud or the evaluation and improvement of protection and security measures. This addition echoes Bill C-11 (s. 18(2)(c));
    • when its use is necessary for the purpose of providing or delivering a product or service requested by the person concerned. This addition echoes Bill C-11 (s. 18(2)(a));
    • when its use is necessary for study or research purposes or for the production of statistics, and it is de-identified.

Bill 64 adds a provision relating to the use of personal information to make a decision based exclusively on automated processing of such information. In such a case, the person operating the business will have to inform the person concerned no later than the time he or she informs him or her of the decision (as opposed to at or before the time of the decision).

This information should include:

  • the personal information used to make the decision;
  • the reasons and the principal factors and parameters that led to the decision;
  • the right to have the personal information used to make the decision corrected.

The person concerned should also be given the opportunity to make submissions to a staff member of the company who is in a position to review the decision.

However, unlike its federal counterpart, Bill 64 does not define what constitutes “automated processing” for the purposes of its application. Indeed, Bill C-11 provides a definition of what constitutes an automated decision system, namely “any technology that assists or replaces the judgment of human decision-makers using techniques such as rules-based systems, regression analysis, predictive analytics, machine learning, deep learning and neural nets” (ss. 2 and 63(3)).

It should also be noted that Bill 64 modifies the rules applicable to the use of personal information for commercial marketing or charitable fundraising purposes. A person operating a business will now have to identify themselves to the person whom they are contacting and inform that person of their right to withdraw their consent to the use of their personal information for these purposes.


e) Disclosure

Bill 64 reaffirms the principle that no one can disclose personal information about another person to a third party without the consent of the person concerned or authorization under the PPIPS.

With respect to the circumstances where disclosure to a third party is authorized, Bill 64 adds to those already contained in the PPIPS the possibility for a company to disclose, without the consent of the person concerned, personal information:

  • to any person or body if the information is necessary to carry out a mandate or perform a contract of enterprise or for services entrusted to that person or body. It is provided that this disclosure must be made pursuant to a written mandate or contract that must contain certain elements prescribed by law;
  • when it is necessary for the purpose of concluding a commercial transaction to which it intends to be a party. In this case, an agreement will have to be entered into between the parties. During discussions on this subject, the definition of “commercial transaction” was amended. It now includes the disposition or lease of all or part of a company or its assets, a change in its legal structure by merger or otherwise, the obtaining of a loan or any other form of financing by it, or a security taken to guarantee any of its obligations.

    According to comments made by the Minister Responsible for Access to Information and the Protection of Personal Information during the detailed review of Bill 64, the proposed addition and definition is intended to bring Bill 64 in line with the PIPEDA (re-enacted in Bill C-11) and the legislation of Alberta and British Columbia;
  • to a person or body that wishes to use the information for study or research purposes or to produce statistics. A privacy impact assessment will have to be carried out and an agreement entered into between the parties. The impact assessment and agreement will then have to be forwarded to the CAI.

Bill 64 modifies the rules applicable to the disclosure of personal information outside Quebec. Thus, a person operating a business will have to:

  • conduct a privacy impact assessment before considering such disclosure. They must take into account:
    • the sensitivity of the personal information;
    • the purposes for which it will be used;
    • the protection measures, including contractual safeguards, that will apply to the information;
    • the legal framework applicable in the jurisdiction where the information will be disclosed, including the personal information protection principles applicable there.

Based on this assessment, disclosure may proceed if it can be demonstrated that the information will be adequately protected, including with respect to generally accepted principles for the protection of personal information;

  • establish a written agreement that takes into account, among other things, the results of the assessment and, if applicable, the terms agreed on to mitigate the risks identified in the assessment.

Bill 64 initially provided for the publication in the Gazette officielle du Québec of a list of jurisdictions whose legal framework governing personal information is equivalent to the principles for the protection of personal information applicable in Quebec.

However, this amendment was withdrawn because reference is no longer made to the concept of “equivalence” but rather to “adequacy.” It should be noted, however, that during the discussions regarding the functions and powers of the CAI, it was added that its function will be to develop guidelines to facilitate the application of the PPIPS.


f) Retention and destruction

First, it should be noted that Bill 64 does not change the obligation under the PPIPS to take appropriate security measures that are necessary to ensure the protection of the personal information collected, used, kept or destroyed and that are reasonable taking into account, among other things, the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored.

However, Bill 64 clarifies that once the purposes for which the personal information was collected or used have been fulfilled, the person operating the business must destroy the information, or anonymize it in order to use it for a serious and legitimate purpose, subject to any retention period prescribed by law.


3. Rights of the persons concerned

Bill 64 modernizes the terms of the rights of access and rectification contained in the PPIPS. For example, at the request of the applicant, computerized personal information will have to be provided in the form of a written and intelligible transcript.

Bill 64 also recognizes new rights for the persons concerned, namely:

  • the right to be informed that a decision is based exclusively on automated processing (for more details see d) Use above);
  • the right to portability: an applicant may request that computerized personal information that a company has collected about him or her be communicated to him or her in a structured, commonly used technological format. He or she may also request that the information be disclosed to any person or body authorized by law to collect such information;
  • the right to cease dissemination, de-index or re-index: where the dissemination of personal information contravenes the law or a court order, the person to whom the information relates may require the person operating the business to cease disseminating the information or to de-index any hyperlink attached to his or her name that provides access to the information by a technological means.

    In order to apply for cessation of dissemination, de-indexing or re-indexing, the following conditions must be met:
    • the dissemination of the information causes serious harm to the person’s right to respect of his or her reputation or privacy;
    • the harm clearly outweighs the public interest in knowing the information or the interest of any person in free expression;
    • the cessation of dissemination, re-indexation or de-indexation requested does not exceed what is necessary to prevent the perpetuation of the harm.

With respect to these new rights, it should also be noted that Bill 64 intends to allow persons who have been affected by an unlawful infringement of the rights conferred on them by the PPIPS or the Civil Code of Quebec to sue the person operating the business for damages, unless the harm results from force majeure. It is therefore provided that where the harm is intentional or results from gross negligence, punitive damages of at least $1,000 may be awarded. This private right of action had not yet been discussed at the end of the parliamentary session, nor were the provisions relating to administrative monetary penalties and fines that will be applicable in the private sector. 


4. Penalties and fines

Bill 64 strengthens corporate accountability by creating an Administrative Monetary Penalty (“AMP”) system and increasing the amount of fines that can be levied against any person operating a business.


a) Administrative monetary penalties

An administrative monetary penalty may be imposed by the CAI when a person operating a business fails to inform the persons concerned of:

  • the source of their personal information when it is collected from third parties and they request it;
  • the purposes for which their personal information is collected, the means by which it is collected, their rights (access, rectification, withdrawal of consent) and any other information that must be provided to them voluntarily at the time of collection or upon request;
  • the fact that the decision taken against them is based exclusively on automated processing of their personal information and they are not given the opportunity to make submissions.

AMPs may also be imposed where a person operating a business collects, discloses, uses or destroys personal information in contravention of the PPIPS or fails to report privacy incidents that present a risk of serious harm to the CAI or to affected persons.

In such cases, an AMP of up to $50,000 may be imposed in the case of an individual. In other cases, the maximum amount of the administrative penalty will be the greater of $10,000,000 or 2% of total revenue for the previous fiscal year.


b) Fines

Bill 64 also modifies the offence scheme of the PPIPS. First, while the power to initiate criminal proceedings currently rests with the Attorney General of Quebec, Bill 64 provides that the CAI will now be able to initiate criminal proceedings. Second, the amount of fines that may be awarded under the penal provisions will be significantly higher than what is currently provided for (i.e., a maximum of $10,000, or $20,000 in the case of a repeat offence). The amount of the fine will now be between $5,000 and $50,000 for individuals and, in all other cases, between $15,000 and the greater of $25,000,000 or 4% of total revenue for the previous fiscal year. This amount may be doubled in the case of a repeat offence.

Such fines may be imposed for several offences, including against anyone who:

  • collects, holds, discloses or uses personal information in contravention of the PPIPS;
  • fails to report a confidentiality incident;
  • identifies or attempts to identify an individual without the authorization of the person holding the personal information or based on anonymized information; or
  • contravenes an order of the CAI.


5. Conclusion

Discussions about Bill 64 are not yet complete and some important provisions remain to be debated (such as those relating to certain rights of individuals and those relating to law enforcement measures). It is therefore likely that further changes will be made to the original draft bill when Parliament resumes in the fall. It will be important to closely monitor what happens to some of this bill’s provisions, particularly in the light of the comments and criticisms that have been made about it. That said, it is likely that the planned amendments to the PPIPS will be enacted by the end of 2021.

While there is currently a one-year transition period before Bill 64 comes into force (three years for the right to portability), companies doing business in Quebec should take advantage of the coming months to prepare accordingly. It is advisable to consider the changes to the PPIPS in order to anticipate the issues that could arise with respect to the collection, use, disclosure and retention of personal information, and to take the necessary steps to ensure that their practices are compliant.