Quebec To Introduce The Most Punitive Privacy Laws In Canada – With Fines Of Up To $25 Million – Privacy – Canada – Mondaq News Alerts

Posted: June 24, 2020 at 6:08 am

On June 12, the Quebec government introduced the highly anticipated Bill 64, An Act to modernize legislative provisions as regards the protection of personal information. In presenting the bill, the province's Minister of Justice, Sonia LeBel, noted that Quebec's current data protection laws have become outdated and no longer adequately regulate new and evolving digital technologies. Ms. LeBel noted that the current pandemic has highlighted the central role that information technology now occupies in our society, and that our laws must stay apace of this reality.

If adopted, Bill 64 will make significant changes to the requirements applicable to the use and protection of personal information under numerous provincial statutes, including notably the Act respecting the protection of personal information in the private sector (the "Private Sector Act") and the Act respecting Access to documents held by public bodies and the Protection of personal information (the "Public Sector Act"). In this article, we summarize some of the most notable changes to these two statutes.

Bill 64 will significantly increase the fines that may be levied against both private and public sector entities who fail to comply with the province's privacy legislation.

Private sector entities will be subject to fines ranging from $15,000 to $25,000,000, or an amount corresponding to 4% of worldwide turnover for the preceding fiscal year, whichever is greater. This represents a dramatic increase from the current maximum penalty of $50,000, and would make the Private Sector Act the most punitive privacy law in Canada, with a potential fine exceeding those available under the Competition Act, or the Anti-Spam law, CASL.

Moreover, Bill 64 would grant the Commission d'accès à l'information (CAI) the ability to impose monetary administrative penalties (AMPs) for certain violations following a notification of non-compliance, with maximum AMPs of $10,000,000 or, if greater, an amount corresponding to 2% of worldwide turnover for the preceding fiscal year.

For certain offences under the Public Sector Act, including releasing personal information in contravention of the law or attempting to identify an individual using anonymized information, fines will range from $15,000 to $150,000.

If passed into law, Bill 64 will create a private right of action whereby individuals could bring a claim for damages for injury resulting from the unlawful infringement of a right conferred by the Private Sector Act or sections 35 to 40 of the Civil Code of Québec.

The Bill also introduces a minimum award of $1,000 in punitive damages where the infringement is intentional or results from a gross fault, the latter defined as "a fault which shows gross recklessness, gross carelessness or gross negligence" per section 1474 of the Civil Code of Québec.

Bill 64 will introduce "privacy by design"-type default settings whereby enterprises who offer technological goods or services and who collect personal information must ensure that the parameters of the good or service provide the "highest level of confidentiality by default", without any intervention by the person concerned.

Until now, Quebec has been one of the few Canadian jurisdictions where reporting of data security incidents has not been mandatory. While data breach notification has long been the subject of voluntary guidelines, Bill 64 will require that both public and private entities report incidents to both the Commission d'accès à l'information and to the persons whose data is affected where the incident "presents a risk of serious injury".

Entities may also notify "any person or body that could reduce the risk". The Bill provides that regulations may be adopted to establish the content and terms of these notifications.

Bill 64 imposes more robust consent requirements prior to the collection, use, or disclosure of personal information. Currently, the Private Sector Act requires that consent be "manifest, free, enlightened" and given for specific purposes, while the Public Sector Act is silent on what constitutes adequate consent where consent is required under this law. Under Bill 64, both the Public and Private sector Acts will be amended to require that consent be "clear, free and informed" and given for specific purposes.

Where consent is required, both public and private sector entities must request consent for each separate purpose in "clear and simple language and separately from any other information provided to the person concerned". Entities will also be required, on request of the person concerned, to assist the person in understanding the scope of the consent requested.

Moreover, under Bill 64, consent will remain valid only for the time necessary to achieve the purposes for which it was requested, following which the information will have to be anonymized or destroyed.

Bill 64 also establishes new situations in which personal information may be communicated without the consent of the individual concerned. These include, notably:

Bill 64 also withdraws the right, provided under the current Private Sector Act, of an enterprise to communicate a nominative list without the consent of the individuals concerned.

Following the trend of including "right to be forgotten" provisions in privacy legislation, Bill 64 will afford Quebec individuals the right to demand the deletion of certain personal data.

More specifically, it provides that an individual may require that a private sector entity cease disseminating his/her personal information or de-index any hyperlink attached to his/her name that provides access to the information by a technological means if the dissemination of said personal information contravenes the law or a court order.

An individual will also be permitted to make such an order, or to order that the hyperlink be re-indexed, where:

In assessing whether the injury is clearly greater than public interest or the right to freedom of expression, the following elements are to be considered: the sensitivity of the information, the time elapsed between the dissemination of the information and the request, and whether or not the individual concerned is a minor or a public figure.

Bill 64 will also increase the obligations incumbent on both private and public sector entities regarding the protection of personal information.

With regards to private sector entities, the individual with the "highest authority" in that enterprise will be responsible for ensuring compliance with the Private Sector Act. This responsibility may, in writing, be delegated to a member of the enterprise's personnel. This person's title and contact information must be published on the enterprise's website.

Private sector entities will also be required to establish and implement governance policies and practices to protect personal information, which, in addition to being published on the enterprise's website, must:

As for public bodies, they will be required to appoint an individual in charge of access to documents and protection of personal information. Unlike in the private sector, where the appointed individual may be a member of the enterprises' personnel, the individual appointed by a public sector entity must be a member of the public body or of its board of directors, as the case may be, or a member of the management personnel. The title and contact information of this individual will have to be reported to the CAI.

Public bodies will also be required to establish a committee on access to information and protection of personal information, to be overseen by the aforementioned individual. Private bodies will not be required to establish such a committee.

Bill 64 also imposes more stringent requirements on enterprises or public bodies wishing to communicate personal information outside of Quebec. Before releasing personal information outside of the province, an entity will be required to conduct an assessment of privacy-related factors, namely:

The information may only leave the province if the assessment establishes that the information in the foreign jurisdiction will receive protection equivalent to that afforded in Quebec and the release of said information is subject to a written agreement that takes into account factors such as the results of the assessment and, if applicable, the terms agreed upon to mitigate the risks identified in the assessment.

The above applies even if the information is merely being stored or processed by a party outside the province.

Under Bill 64, both public and private sector entities who collect personal information using technology that allows a person to be "identified, located or profiled" must first inform the person of the use of such technology and of the means available, if any, to deactivate the function that allows the person to be "identified, located or profiled".

For the purposes of the above, "profiling" refers to the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person's work performance, economic situation, health, personal preferences, interests or behavior. This could be the case, for example, of information collected via online cookies used in order to direct targeted advertising to an individual, or collected through a fitness tracker app.

Public and private sector entities will also be required, under Bill 64, to assess "the privacy-related factors of any information system project or electronic service delivery project involving the collection, use, release, keeping or destruction of personal information".

Finally, where a public or private sector entity uses personal information to render a decision based exclusively on an automated processing of such information, it will be required to inform the individual concerned of same prior to or at the time the decision is made. The entity must also, upon request, inform the individual of:

Following the introduction of Bill 64, Quebec's National Assembly adjourned for its summer break. It will return in September 2020, with committee proceedings to resume in mid-August. If passed into law, Bill 64's final and transitional provisions indicate that most amendments to the Private Sector Act will come into force one year after the date of assent.

The Gowling WLG Cyber Security & Data Protection group will be monitoring developments closely and may be contacted for further information.

Read the original article on GowlingWLG.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
