Québec’s Bill 64 to Amend Data Protection Legislation: A Bill with Teeth?

Danielle Miller Olofsson has co-authored this article.

Québec’s Bill 64

With respect to the Act Respecting the Protection of Personal Information in the Private Sector (“PPIPS”), Bill 64 is long overdue. The first Canadian jurisdiction to adopt private sector privacy legislation in 1993, Québec has not kept the law up to date and, in 2014, was deemed inadequate by the European Union’s advisory board, Working Party 29, for failing to properly protect the privacy rights of individuals. Ordinarily, the assessment of another jurisdiction might not be noteworthy. The Working Party’s findings, however, if acted upon by the European Union, could have subjected Québec companies to onerous data protection measures and exposed it to steep fines in order to continue sharing data with European countries.

Proposed Changes to Existing Privacy Legislation

If implemented, Bill 64’s proposed changes will clarify a number of points in the present legislation thereby bringing PPIPS in line with its federal and provincial counterparts. It will introduce into Québec law rights that are recognized in Europe and the United States but that so far have not made their way to Canada. The Bill also proposes severe fines for a violation of the existing legislation.

The following proposed changes are of particular interest:

• Consent to data collection, use, and communication will have to be clear, free, and informed, as well as given for a specific purpose;
• As with the federal legislation, Bill 64 would exempt employee contact information from the scope of the legislation;
• Sensitive information, previously undefined, would now be defined to include information that, due to its nature, context, use or communication, entails a high level of reasonable expectation of privacy;
• Any “enterprise” (ie. a business or other organization) collecting information will have to put in place data governance policies and procedures, including retention and destruction provisions, and publish these on their website;
• Enterprises regardless of their size will have to appoint a person responsible for implementing the personal information protection measures and make this person’s contact details available on its website;
• Privacy impact analysis will have to be conducted when an enterprise considers implementing any information system project or electronic service delivery project involving the collection, use communication, storage or destruction of personal information;
• Enterprises will have to put in place processor agreements containing specific items if they wish to use a third-party contractor to process personal information;
• Québec enterprises will be required to disclose a data breach if it presents a risk of serious injury to  : i) the Commission d’accès à l’information du Québec (the “Commission”) ii) the individual(s) affected; and iii) any organization that might help mitigate the damage. Failure to do so could result in penalties of $5,000 to $50,000 for a natural person, $15,000 to $25,000,000 for a legal person or even, in certain cases, an amount corresponding to 4% of the latter’s worldwide turnover for the preceding fiscal year; and
• As with the federal law, PPIPS will require organizations to keep a breach log.

Additional Rights for Individuals Whose Data is Collected

Bill 64 provides greater clarity by guaranteeing an individual’s right to access and rectify a file containing his or her personal information. It also recognizes the right to have any hyperlink that provides information by technological means de-indexed if the dissemination of the information contravenes the law or a court order. The individual also has the right to have the hyperlink re-indexed provided certain conditions are met. In the event the individual is subject to automated decision making, he or she has the right to be informed of the personal information that is used, the reason for processing his or her personal information, and the principle factors and parameters relied upon to make these automated decisions. He or she also has the right to access the personal information that is used and processed.

Penalties

In addition to the penalties mentioned above for non-compliance with breach-reporting, Bill 64 proposes giving the Commission the right to develop and impose heavy administrative monetary penalties for statutory violations. These penalties can be up to $50,000 for a natural person and the greater of $10,000,000 for an enterprise or 2% of its worldwide turnover. Bill 64 also allows for punitive damages in the cases of an enterprise that unlawfully, intentionally or as a result of gross fault infringes articles 35 to 40 of the Civil Code of Québec (which codify rights to the respect of reputation and privacy).

Litigation

The recognition of new rights and the imposition of new penalties, including punitive damages, could serve as the basis for litigation against virtually any business, institution or organization active in Québec. More specifically, by reinforcing the privacy and data protection regime, Bill 64 could encourage class actions, notably those instituted as a result of alleged failures to meet more onerous governance and disclosure requirements.

Take Away

Bill 64 brings PPIPS into the 21^st century and officially requires what many enterprises are already doing with respect to data governance. It also provides some consistency for international companies seeking to do business in Québec by aligning the province with data protection practices, such as breach notification, that exist almost everywhere else in North America. It remains to be seen which elements of Bill 64 will become law. Until then, BCF invites you to direct any questions concerning privacy and data protection to its Data Protection and Cybersecurity Group.