New Privacy Requirements: Is Your Business Compliant?

The Act respecting the Protection of Personal Information in the Private Sector (the “ARPPIPS”), which had been deemed obsolete for several years, was recently revamped and has now more teeth, especially due to the possible penalties for non-compliance. However, the ARPPIPS’s update is not over yet, as new requirements will come into effect on September 22, 2023, and September 22, 2024.

Much like the General Data Protection Regulation passed in Europe in 2016, the new ARPPIPS requires businesses to be more transparent about how they manage personal information in their possession. In addition to granting better rights to individuals, the ARPPIPS also introduces new tools and processes for businesses to put in place, which must be prepared to prove their compliance at all times to the Commission d’accès à l’information (the “CAI”), regardless of their size.

New Requirements as of September 22, 2022

Among the new requirements applicable as of September 22, 2022, the following are noteworthy:

Person in Charge of the Protection of Personal Information (“PCPPI”)

Your business must now have a PCPPI who is responsible for overseeing compliance and enforcement of the ARPPIPS and for recommending actions to be taken to ensure compliance with the Act.

The ARPPIPS provides for the direct assumption of responsibilities for this role by requiring that the highest-ranking person in the business (usually the CEO or the President) acts as the PCPPI by default. However, this role may be fully or partially delegated in writing to another person.

The PCPPI’s title and contact information should be posted on the company’s website, or if the business does not have a website, made available by other appropriate means.

Managing Confidentiality Incidents

A register of all confidentiality incidents involving personal information must now be maintained by your business and should document, among other things, the number of people affected by the incident and the measures put in place to reduce the risk of harm. The CAI may ask for a copy of this register.

Remember that confidentiality incidents are defined rather broadly and include:

• unauthorized access (e.g., an employee gaining access to a customer’s or another employee’s file without authorization or without it being necessary for the performance of their duties);
• unauthorized use (e.g., a customer’s personal information is used for marketing purposes without consent);
• unauthorized disclosure (e.g., an employee sends a confidential email to the wrong person); and
• loss of personal information (e.g., a client’s physical file is lost).

Furthermore, the CAI must be notified of a confidentiality incident, as well as the individuals affected by it, if it present a risk of serious injury.

It should be noted that the assessment of the risk of serious injury is a sensitive operation that should not be taken lightly and must be carried out on a case-by-case basis. Several elements may be relevant, including the sensitivity of the information involved, the likelihood that it could be used for harmful purposes, and the number of people affected by the incident.

Upcoming Requirements on September 22, 2023

In addition to the requirements that have been in place since the fall, another wave of new requirements is scheduled for September 22, 2023, and will include:

Privacy Impact Assessment ("PIA")

The PIA is a new mandatory tool for businesses implemented by the ARPPIPS. While new, this tool will be at the forefront of most of your activities so you will need to master it.

Basically, a PIA is a tool that enables businesses to assess, weigh and mitigate, where appropriate, the privacy risks associated with their operations. The PIA also ensures that appropriate measures are in place to protect personal information (e.g., obtaining appropriate consents, establishing confidentiality agreements, using only de-identified information).

Given that PIAs will need to be performed often and will require the involvement of several key players (e.g., PCPPI, compliance, security, legal, etc.), it will be beneficial for you to quickly determine how your PIAs will be structured and what information will need to be documented in them.

Specifically, a PIA will have to be conducted:

• for any information system acquisition, development or redesign project or electronic service delivery project involving the collection, use, disclosure, retention or destruction of personal information (e.g., algorithm development, use of artificial intelligence, design of a new customer interface, launch of an advertising campaign, software implementation). However, this requirement is not retroactive and applies only to new projects implemented after September 22, 2023; and
• before disclosing personal information outside of the Province of Québec. This means that a PIA is required in all cases where personal information is held or may be accessed outside of the Province of Québec by a subcontractor or a partner, for example. The evaluation will also need to take into account the legal regime applicable in the jurisdiction where the information will be disclosed. Special attention should be paid to transfers to the United States.

Establishing and Posting Policies Regarding the Protection of Personal Information

If you have a website, you will need to post on it detailed information, in plain language, about your policies and procedures regarding privacy governance, including how personal information will be used and how privacy complaints will be handled.

If, for example, you collect personal information through your website or mobile application, you will be required to post the entire privacy policy on your website.

Outsourcing Personal Information

You may still outsource the processing of personal information in your possession to a subcontractor without the consent of the individuals concerned. Disclosure of the personal information must be necessary to carry out the mandate or contract given to the subcontractor.

However, you must inform the person concerned of the third parties or categories of third parties to whom the personal information will be disclosed (e.g., to a subcontractor responsible for hosting the information). This information could be included in your privacy policy.

Finally, you will need to sign a written agreement with your subcontractor to protect the personal information disclosed. This contract must namely include measures to ensure:

• the confidentiality of the personal information (e.g., technical security measures to enable access management on a need-to-know basis only);
• that the personal information disclosed will not be used for any purpose other than the fulfillment of the contract (e.g., for the subcontractor’s own purposes);
• that the personal information is not stored by the subcontractor after the contract is fulfilled; and
• the right to conduct any verification relating to confidentiality requirement.

Use of Technology

The ARPPIPS also introduces several new requirements related to the use of technologies. On the one hand, businesses wishing to use technologies that allow for decision-making based exclusively on automated processing (such as artificial intelligence) will have to inform the concerned individuals of this possibility at the latest at the time they inform them of the decision (e.g., to determine the eligibility of a customer for a product or service). This does not apply to decision support systems, where the technology merely assists human decision-making.

Furthermore, the person concerned by the decision may require knowing the reasons as well as the main factors and settings leading to the decision, which could cause some issues if you use machine learning techniques, which sometimes lack transparency in this regard.

On the other hand, businesses offering a technological product or a service to the public (e.g., a mobile application, a login interface for customers) and collecting personal information must ensure that the product or service settings provide the highest level of privacy, free of any intervention from the individual concerned.

Last but not least, if you are using technology that identifies, locates or profiles, you must inform individuals of this possibility and of the means available to activate the identification, location or profiling functions (e.g., employee monitoring tools or cookies on your website). In other words, these settings cannot be enabled by default and will instead have to be enabled by positive action by the individual.

Coming September 22, 2024

Right to Portability 

A new right for individuals will emerge in 2024, namely the right to receive personal information collected electronically about an individual in a structured, commonly used technological format.

The right to portability is thus limited to personal information collected directly from an individual and does not apply to information that may have been created or inferred by your organization (e.g., an internal indicator generated based on information obtained from a customer).

So not only will you need to define a procedure so that individuals can exercise this right, but you will also need to put in place the technical means to be able to act on it. It should be noted that this right is in addition to other existing rights, such as the right of access and the right to rectify personal information, as well as the right to obtain information about processing (e.g., which categories of individuals have access to personal information and for how long it is kept).

Should you have any questions regarding the impact of the new requirements on your business, feel free to contact our team, who will be pleased to assist you. These are some of the ways in which BCF can assist you:

• delegation of the role of the PCPPI;
• implementation of a confidentiality incident register;
• elaboration of a processing register to map out what your buisness is doing with personnal information in its custody;
• implementation of privacy governance practices, policies and protocols tailored to your organization;
• implementation of a privacy incident prevention and notification program;
• assistance when a confidentiality incident occur;
• development of compliance and security breach risk reduction strategies;
• privacy impact assessments;
• preparation of data processing agreements with your service providers; and
• assistance with the transfer of personal information outside of the Province of Québec and Canada.