Protection of personal information: Three-year phased implementation after Bill 64 receives assent
On September 21, the National Assembly of Quebec adopted the Act to modernize legislative provisions as regards the protection of personal information. The adoption of this Act puts an end to a lengthy legislative process which started on June 12, 2020 when Bill 64, An Act to modernize legislative provisions as regards the protection of personal information (“Bill 64”), was tabled. During this process, many amendments were adopted to take into consideration comments received during specific consultations and the clause-by-clause consideration of Bill 64 by the Committee on Institution of the National Assembly.
As mentioned in a previous article, this piece of legislation modifies and adds several rights and obligations with respect to the protection of personal information. And, even if the coming into force of this law will be spread over three years, companies doing business in Quebec would be well advised to take the necessary steps now to ensure the compliance of their practices in this area. The same applies to public bodies, as we will discuss in another article.
In fact, one year after the date of assent, the following provisions inserted in the Act respecting the protection of personal information in the private sector (“PPIPS”) will come into force:
- The appointment of a Privacy Officer (section 3.1);
- The obligation to report to the Commission d’accès à l’information and to the persons concerned any privacy incidents involving personal information in the company’s possession that present a risk of serious harm (sections 3.5 to 3.8);
- The right to disclose personal information without the consent of the person concerned when it is necessary for the purpose of concluding a commercial transaction (section 18.4);
- The right to disclose personal information without the consent of the persons concerned when using that information for study or research purposes or for the production of statistics (sections 21 to 21.0.2).
Two years after the date of assent, most of the provisions of the PPIPS, as amended by Bill 64, will come into force. These include the requirements for companies to:
- Establish and implement policies and practices to guide the governance of personal information and ensure the protection of such information (section 3.2);
- Conduct a privacy impact assessment
- of any planned information system acquisition, development, or redesign or any electronic service delivery project involving the collection, use, disclosure, retention or disposal of personal information (section 3.3);
- before disclosing personal information outside Quebec (section 17);
- Determine the purposes for collecting personal information prior to collection, inform the persons concerned of those purposes at the time of collection or upon request, inform them about any use of technology that includes functions allowing them to be identified, located or profiled, and inform them any time a decision has been made based exclusively on automated processing of their personal information (sections 4, 5, 8, 8.1 and 12.1);
- Obtain clear, free and informed consent that is given for specific purposes and valid only for the time necessary to achieve the purposes for which it was requested. It should be recalled that when the request for consent is made in writing, it must be presented separately from any other information communicated to the person concerned (section 14);
- Ensure that, by default, the privacy settings of any technological product or service being offered to the public provide the highest level of privacy, without any intervention by the person concerned (section 9.1). It should be noted that this provision does not apply to the privacy settings of a cookie;
- Once the purposes for which personal information was collected or used have been fulfilled, destroy the information or anonymize it to use it for a serious and legitimate purpose (section 23);
- Consider requests from a person to whom personal information relates to cease disseminating that information, to de-index any hyperlink attached to their name that provides access to that information by a technological means, or to re-index the information (section 28.1).
Finally, three years after the date of assent, will come into force the obligation of a company, at the applicant’s request, to disclose computerized personal information collected from an applicant (and not created or inferred from personal data); to communicate such information to the applicant in a structured, commonly used technological format; and to further disclose the information, at the applicant’s request, to any person or body authorized by law to collect such information (the right to portability) (section 27 subsection 3).
Thus, while there is a transition period for the coming into force of many of the new provisions of the PPIPS, the magnitude of the task of complying with these new obligations should not be underestimated. That’s why over the next few weeks, we will be publishing several articles and offering training to explain the impact of these changes.