Summary

Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, was adopted by the National Assembly on Tuesday, September 21, 2021 and received official assent on September 22, 2021. It will come into force in three stages following assent, with some provisions coming into effect after one year, most after two years and some after three years.

For those who have followed the progression of Bill 64, the significant changes proposed in parliamentary committee discussions in recent weeks are noteworthy.

Three main themes emerge from these changes: (i) a strengthening of the rights of individuals, (ii) adaptations to the reality of small- and medium-sized businesses and, finally, (iii) the easing of measures allowing personal information to be released outside Quebec.

Entry into force

About 16 months after its initial tabling at the National Assembly in June of 2020, Bill 64 was given its final form, leading to its adoption on September 21, 2021.

Most of the provisions will come into force within two years of the law's date of assent, rather than one year as originally planned.1

Certain provisions will come into force within one year of the date of assent, namely the provisions relating to:

  • Confidentiality incidents;
  • The release of personal information for study or research purposes;
  • The obligation to designate a person in charge and form a committee;
  • The release of personal information as part of a commercial transaction;
  • The release of information relating to the disposition of a complaint by an educational institution at the request of the person making the complaint; and
  • Certain changes to the powers of the Commission d'accès à l'information (CAI).2

Changes respecting the right to data portability will come into effect three years after the law has been assented to.3

The initiative began with the many calls for reform from the business community, consumers and experts over the past decade, as well as the entry into force of the European Union's new General Data Protection Regulation (GDPR) in 2018, which legitimized a new approach to the matter and accentuated the need to reform Canadian private sector laws. While a bill had been tabled at the federal level, namely Bill C-11: An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make related and consequential amendments to other Acts, and several provinces are considering reforms, to date only Quebec has completed its reform, perpetuating its reputation as a leader in the field.

Review of amendments in committee – the Private Sector Act

In the 20 meetings of the Committee on Institutions, 17 briefs were submitted, including some by our team. The resulting amendments show that the legislator was compelled to reformulate major parts of Bill 64 in response to many of the concerns expressed by the business community, the academic community and civil liberties organizations.

This bulletin summarizes the significant changes resulting from parliamentary committee debates on the Act respecting the protection of personal information in the private sector (the "Private Sector Act").  Previous Fasken bulletins on the subject are still relevant, subject to the amendments that were adopted after they were published.

A complete table of parliamentary committee changes can be found at the end of this bulletin. Please note that the table is not an official version of Bill 64 at this stage, but rather a working tool prepared for the purpose of understanding changes made to the text over time.

Three main themes emerge from the changes made to Bill 64

The latest version of Bill 64 includes significant changes that revolve around three main themes.

The first is better protection of the rights of data subjects, who are given a greater say in how their data is processed and whose understanding of the consequences of their choices is ensured.

The second is the government's expressed willingness to be flexible in the ultimate application of the new standards and penalties—which are much stricter than before—to small- and medium-sized Quebec businesses that do not operate in the same business reality as large, often U.S.-based multinationals. The government has likewise expressed its willingness to be flexible with users of personal information, who must generally comply with certain international standards when conducting scientific research. 

The third is certain amendments that aim to better deal with the realities surrounding the continuous transmission of data around the world and its role in trade outside Quebec.

Strengthened protection of individuals and their personal information

Several participants, concerned about the fundamental right to privacy, wanted a stricter version of the Act with tougher penalties. In response, the legislator made sure to strengthen the provisions protecting the privacy rights of individuals whose personal information is solicited or used by others.

Result: additions that provide data subjects with much more control over their data, greater disclosure requirements with respect to data subjects and stiffer penalties for those who violate the new law.

Definition of personal information

The very definition of personal information has been clarified, as it now indicates that personal information is that which allows a natural person to be directly or indirectly identified.4

Information and consent

An individual must now be informed of the third persons or categories of third persons to whom their information wi5

Additions have also been made to adapt how consent is given for the personal information of a minor under 14 years of age. As well as by the person having parental authority, consent may be given by a tutor.6

Privacy by default

The amendments change the circumstances in which a business offering a technological product or service must ensure that the privacy settings of such products or services provide the highest level of privacy by default.

They state that this only applies to products and services offered to the public and does not include privacy settings for cookies.7

In addition, when information is collected through a technology that has identification, tracking or profiling features, the individual must be informed of how to activate them. This is an opt-in choice, a change from the opt-out in the initial version of Bill 64, where the default setting had such functions enabled.8

De-identified and anonymized information

De-identified information is that which no longer allows the direct identification of a data subject.9

A business that uses such information is now required to take "reasonable steps to avoid re-identification."10 This amendment will help to alleviate a data subject's possible fears about the handling of their personal information, which is necessary in many contexts.

In this regard, Bill 64 introduced a new sanction in relation to de-identified information, making it an offence for any person to identify or attempt to identify a natural person using such information.11

Anonymized information is information that no longer allows a natural person to be identified directly or indirectly. This information cannot be reversed. An amendment clarified this definition by adding that information is anonymized if it "is at all times reasonable to expect in the circumstances" that it will no longer allow such identification.12 This addition imposes an obligation on businesses to maintain, over time, anonymization techniques that comply with the Act.

In addition, once the purpose for which the personal information was collected or used is fulfilled, the information must be destroyed or anonymized. However, the amendments limit the situations in which information may be anonymized, requiring that such anonymization be done only for serious and legitimate purposes.13

Retention and destruction of personal information by a personal information agent

According to the Commission d'accès à l'information (the "CAI"), a personal information agent is "any person who, on a commercial basis, personally or through a representative, establishes files on other persons and prepares and communicates to third parties credit reports bearing on the character, reputation or solvency of the persons to whom the information contained in such files relates."14

Bill 64 imposes a new obligation on personal information agents in terms of personal information retention by requiring them to destroy personal information collected more than seven years ago rather than simply no longer retaining it.15

In addition, personal information needed for conducting an inquiry for the purpose of preventing, detecting or repressing a crime or a statutory offence may now be retained for more than seven years. However, the information must still be destroyed once the prevention, detection or repression purposes are achieved.16

Administrative and criminal penalties

The amendments add further reasons that may lead to an administrative penalty. Accordingly, such a penalty will, from now on, be imposed on:17

  • Anyone who retains personal information in contravention of the Act.
  • Anyone who fails to take appropriate security measures to ensure the protection of personal information.
  • A personal information agent who fails to comply with their obligations, for example, by not registering with the CAI.

With regard to criminal offences, some additions and amendments have also been made:18

  • The maximum fine that can be imposed on a natural person for an offence is $100,000, up from $50,000.
  • Anyone who retains personal information in contravention of the Act is now guilty of an offence.
  • Anyone who fails to take appropriate security measures to ensure the protection of personal information is now guilty of an offence.
  • Anyone who requests personal information from a credit assessment officer after being informed by another officer of a credit freeze prohibiting disclosure is guilty of an offence.
  • The time limit to institute criminal proceedings has been extended from three to five years after the offence.

Flexibility of the Act in different situations

A number of the representations made to the parliamentary committee highlighted the wide variety of activities to which the Act could apply. Small and medium-sized businesses, ubiquitous in Quebec's economy, should not be penalized by an approach originally created for large multinationals.

Result: A number of changes have been made to give businesses greater flexibility in carrying out their obligations and responsibilities and to clarify certain specific situations.

Delegation of the duties of the person in charge of personal information in a business and governance policies

It is now possible to delegate the duties of the person in charge of personal information to anyone, not only to a staff member.19

In addition, businesses are no longer required to publish, in their entirety, their governance policies regarding personal information. They will now fulfill their obligations by simply publishing detailed information about their policies in clear and simple language.20 In its brief, Fasken pointed out the issues surrounding the full publication of such policies to the Committee on Institutions.21

Assessment of privacy-related factors (or privacy impact statement (PIA)) and the concept of sensitive information

Clarification has been provided on when a PIA is required, and the principle of proportionality of the PIA to the sensitivity of the information involved has been added.22 A PIA will now have to be conducted for any project involving the acquisition, development or redesign of an information system or electronic service delivery involving personal information. This clarification as to when a PIA is required responds, in part, to one of the recommendations Fasken made in its brief.23

The amendments clarify what constitutes "sensitive" information by giving examples: "in particular, medical, biometric or otherwise intimate", giving businesses greater certainty in how to handle various types of personal information.24

Relief from consent obligations

A number of changes also make it easier for a business to operate by providing that a data subject's consent is not required in certain new situations, including:25

  • To prevent and detect fraud or to improve protection and security measures.
  • To provide or deliver a product or service requested by a data subject.

The amendments also extend the scope of the consent given by a data subject. Consent is provided not only for the use of personal information for the intended purposes, but also for its communication for those same purposes.26

Communication and use for research, study and statistical purposes

With regard to research, the notion of public interest has been added as something that must be considered, where there is no consent, to assess the impact on privacy.27

In addition, research, study and statistical activities have been facilitated by replacing the requirement to submit a research protocol with the broader requirement to submit only a detailed description of research activities.28

The notion of a commercial transaction

Initially, Bill 64 defined a commercial transaction as involving a transfer of ownership of all or part of a business.

This concept has been expanded to be consistent with that of other jurisdictions. This new definition now includes:

  • Alienating or leasing a business or its assets, in whole or in part.
  • Modifying a business' legal structure.
  • Obtaining a loan or other form of financing.
  • Taking a security interest in order to guarantee an obligation.29

This broadened definition of commercial transaction reiterates Fasken's recommendation on the subject.30

Administrative and criminal penalties

Finally, a number of amendments give decision-makers discretion in determining the appropriate sentence or penalty for a failure or contravention of the new Act.

In the case of criminal offences, a judge must take eight different factors into account when determining the sentence, including the nature, seriousness and repetitiveness of the offence and the sensitivity of the personal information involved.31

With regard to monetary administrative penalties, in its initial version, Bill 64 already introduced criteria to guide decision-makers in whether to impose a penalty when finding a failure. The amendments extended the use of these criteria to determine the penalty amount and added to them the consideration of whether the person at fault is able to pay.32

Undertaking to avoid administrative penalties

In addition, once a failure to follow the law is found, a person can now make an undertaking to the CAI to take the necessary steps to remedy the failure or mitigate its consequences. In doing so, if the CAI accepts the undertaking, the person will not be subject to administrative penalties.33

Easing of measures allowing personal information to be communicated outside Quebec

Early criticisms of Bill 64 included the observation that the proposed legislation did not take into account the reality of the continual transmission of personal information outside Quebec. Such transmission is often necessary both for commercial and scientific research purposes.

Result: The bill was adapted to interprovincial and international realities in an era of globalization and the exponential development of new technologies.

Before releasing personal information outside Quebec, businesses must still conduct a PIA that takes into account the sensitivity of the information, the purpose of its use, the protection measures that would apply to it and the legal framework applicable in the destination State.34

Bill 64 previously required that the destination where the personal information would be communicated offer "equivalent" protection to that existing in Quebec. However, the concept of "equivalent" protection was abandoned and information may now be released outside Quebec to a jurisdiction with adequate protection, "in particular in terms of generally accepted best practices respecting the protection of personal information."35 This concept appears to be as difficult to apply in practice as the previous one.

The amendments clarify which protection measures applicable to the information must be considered: the bill now mentions that such measures include additional measures added by contract.36 This addition respecting contractual measures was proposed by Fasken in its brief submitted to the Committee on Institutions.37

These amendments further specify that the protection of personal information principles applicable in the destination State must be taken into account when assessing the legal framework applicable there.38

Finally, the amendments eliminate the notion of the government producing a list of jurisdictions deemed appropriate.39

List of amendments to Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, introduced on June 12, 2020, during the first session of the forty-second legislature of the National Assembly of Québec. The amended law received official assent on September 22, 2021. 

Amendments to the Act respecting the protection of personal information in the private sector (the "Act")

*Warning: This is not the official English version of the law.

| No. | No. of the N.A. amendment | Amended s. of Bill 64 | Amended s. of the Act | Content of the amendment |
|---|---|---|---|---|
| 1 | 54 | 94.1 | 2 | Clarification of the definition of personal information (PI): PI allows to directly or indirectly identify a natural person. |
| 2 | 55 | 95 | 3.1 | Broadening of the concept of person in charge, as their duties can now be delegated to any person, not just a staff member. |
| 3 | 56 | 95 | 3.2 | It is no longer necessary to publish a business's PI governance policies. From now on, detailed information in clear and simple language is sufficient. |
| 4 | 57 | 95 | 3.3 | • Clarification that a PIA is required when developing, acquiring or redesigning an information or electronic service delivery system. • Concept of PIA proportionality added. |
| 5 | 58 | 96 | 4.1 | In addition to a person with parental authority, a tutor may give consent for a minor under 14 years of age. |
| 6 | 59 | 99 | 8 | The need to inform the data subject of the names of the third persons to whom the information will be released. A new amendment adopted when the Committee on Institutions report was submitted now makes it possible to inform the data subject of the names of the third persons or categories of third persons to whom information will be released. This is amendment No. 2, adopted under section 252 of the Standing Orders of the National Assembly. |
| 7 | 60 | 99 | 8.1 | The basic setting should have identification, location and profiling functions disabled. |
| 8 | 61 | 99 | 8.3 | In order to ensure consistency with amendment 59, consent is now given to use and disclose PI for the intended purposes. |
| 9 | 62 – Sub-amendment 1 | 102 | 12 | • It is provided that consent will not be required where use is necessary for the prevention and detection of fraud as well as the assessment and improvement of protection and security measures. • The same applies if the use is necessary to supply or deliver a product or provide a service requested by a data subject. |
| 10 | 62 | 102 | 12 | • Clarification of what constitutes sensitive information, including medical, biometric or otherwise intimate information (consistency with the definition in the Act respecting access to documents held by public bodies and the Protection of personal information). • The need to take reasonable steps to avoid re-identification. |
| 11 | 63 | 102 | 12.1 | The data subject about whom a decision is made must be informed of the automated nature of the decision at the latest when they are informed of the decision, not when the decision is made. |
| 12 | 64 | 102 | 14 | • If consent is given in writing along with other information, it must be presented separately from the other information. • In addition to a person with parental authority, a tutor may give consent for a minor under 14 years of age. |
| 13 | 65 | 103 | 17 | Communication of PI outside Quebec: consideration in a PIA of contractual protection measures; consideration in a PIA of the generally accepted best practices of PI protection applicable in the State where the information is to be communicated; replacement of the need for equivalent protection by adequate protection. |
| 14 | 66 | 103 | 17.1 | Withdrawal of the Minister's publication of a list of States whose legal framework governing PI offers equivalent protection. |
| 15 | 67 | 107 | 18.4 | Amendment and expansion of the concept of "commercial transaction" for consistency with other jurisdictions. |
| 16 | 68 | 110 | 21 | When disclosing PI to an organization for study, research or statistical purposes without consent, the purpose of the study must outweigh the impact on privacy, in view of public interest. |
| 17 | 69 | 110 | 21.0.1 | When a person wishes to use PI for study, research or statistical purposes, they are no longer required to provide a research protocol, but rather a detailed outline of the research activities. This is a wording change to broaden its scope to cover more concepts. |
| 18 | 70 | 110 | 21.0.2 | • Changed "research protocol" to "detailed outline of research activities" for consistency with the previous amendment. • Replacement of the term "cross-matched" with "matched" in the English version for a better lexical match in line with the intention of the legislator. |
| 19 | 71 | 111 | 23 | • PI can now be anonymized, but only for serious and legitimate purposes. • Amendment of the definition of anonymized information to add the phrase "at all times". • The information must be anonymized in accordance with generally accepted best practices and the criteria and conditions to be established by the government. |
| 20 | 72 | 113 | 28.1 | In the context of a cessation of dissemination or de-indexing request, the business must not take into account the age of the data subject, but rather the fact that the request involves PI of an individual who was a minor at the time. |
| 21 | 73 | 113 | 28.1 | The person in charge of protecting PI, in complying with a cessation of dissemination or de-indexing request, must attest to the cessation of dissemination or de-indexing of the PI in a written response. |
| 22 | 74 | 132 | 64 | Addition to allow the Court of Québec, when an order made by the oversight division is contested, to stay the execution of the order where urgent action is required or there is a danger of serious and irreparable damage. |
| 23 | 75 | 140 | 79.1 | The amendment allows a personal information agent to retain PI for a period exceeding seven years where necessary for an inquiry for the purpose of preventing, detecting or repressing a crime or a statutory offence. The general rule will continue to apply, i.e., PI will have to be destroyed when the purpose for which it was collected or used is fulfilled. |
| 24 | 76 | 140 | 79.1 | Replacement of "may not retain" with "must destroy" in the (former) sentence: "Despite section 23, a PI agent may not retain PI collected more than seven years prior." |
| 25 | 77 | 144 | 81.2 | The purpose of this amendment is to modify the means of filing a formal demand and documents or information so as to allow the use of a technological means (technological neutrality). |
| 26 | 78 | 144 | 81.1 and 81.1.1 | Addition of section 81.1.1, which reiterates the third paragraph of section 81.1 (now withdrawn). |
| 27 | 79 | 145 | 83 | The purpose of the amendment is to ensure consistency with section 129 of the Act respecting Access to documents held by public bodies and the Protection of personal information, with respect to the CAI's inquiries. Addition of "within such reasonable time as it may specify" to replace "It may specify time limits for the execution of any measures it may order," in relation to corrective action that the CAI may order. |
| 28 | 80 | 149 | 90 | Consistency amendment with the addition of a regulatory power in section 23 of the Act regarding the anonymization of PI. Thus, the government may now make regulations to determine the criteria and procedures for PI anonymization. |
| 29 | 81 | 150 | 90.1 | Section 90.1 concerns monetary administrative penalties: • Inclusion of a penalty for PI retention requirements • Provision for a penalty for failure to take appropriate security measures to protect PI collected, used, communicated, retained or destroyed that are reasonable considering, in particular, its sensitivity, the purpose for which it is to be used, quantity, distribution and format. • Addition of an administrative penalty for personal information agents who contravene their obligations. • Addition allowing a person or business to make an undertaking to the CAI to take the necessary measures to remedy the failure or mitigate its consequences in order to avoid a monetary administrative penalty. This addition provides an alternative and more flexible means to promote compliance with the Act. It can be used at any time, even before the CAI identifies the failure. |
| 30 | 82 | 150 | 90.2 | Addition to clarify that the general framework for the application of monetary administrative penalties to be developed by the CAI must contain criteria to guide designated persons in determining the amount of the penalty. |
| 31 | 83 | 151 | 91 | The maximum criminal penalty for natural persons is increased from $50,000 to $100,000, such that the maximum amount is higher for criminal penalties than for monetary administrative penalties. Addition of the destruction of PI in contravention of the Act as an offence and consistency of wording throughout the bill. Addition of an offence based on section 108 of the Credit Assessment Agents Act. Addition of an offence for failing to take appropriate security measures to protect PI. |
| 32 | 84 | 151 | 92.2 | Amendment made for consistency with an amendment to the Act respecting Access to documents held by public bodies and the Protection of personal information: change in the time limit for instituting criminal proceedings from three to five years. |
| 33 | 85 | 151 | 92.3 | Addition of this section to provide for the factors that a judge must consider in determining a sentence. Because the amount related to an offence can be elevated, the factors will help judges more clearly determine the appropriate amount. |
| 34 | 86 | 152 | 93.1 | Amendment that allows claims for damages to be subject to the general rules of civil liability. |
| 35 | 96 | 112 | 27 | Section on access to information by data subjects: The purpose of the amendment is to explicitly provide that the right to receive PI in a structured and commonly used format and the right to request the release of such information to any other person or body do not apply to information created or inferred from an applicant's PI. |
| 36 | 99 | 100 | 9.1 | Amendment to clarify that the requirement for default privacy settings applies only to products and services offered to the public, thus excluding products and services used internally by employees. Ultimately, they are intended to clarify that the obligation applies to settings that provide a choice to the user. In addition, the second paragraph provides that the default protection does not apply to the privacy settings of a cookie. |
| 37 | 100 | 150 | 90.2 | Addition of the person at fault's ability to pay, taking into account, in particular, their assets, turnover or income, in the criteria that must guide designated persons in the decision to impose an administrative penalty. |
| 38 | 107 | 93 | 1 | Amendment to replace the term "authorized entity" used in the bill with "political party, independent member or independent candidate" in the section dealing with the applicability of the Act, thereby making it applicable to information they hold. |
| 39 | 108 | 142.1 | 80.1.1 | The purpose of the amendment is to indicate that a political party is considered a natural person for the purposes of subsections 4.1 and 5 of section VII of the Act. |

Footnotes

1 Bill 64, s. 165 as amended.

2 Id., s. 165(2) as amended.

3 Id., s. 165(3) as amended.

4 Private Sector Act, s. 2, as amended by amendment 54 modifying section 94.1 of Bill 64.

5 Id. s. 8, as amended by amendment 59 to Bill 64, section 99, and amendment 2 under section 252 of the Standing Orders of the National Assembly.

6 Id. ss. 4.1 and 14, as amended by amendments 58 and 63 modifying sections 96 and 102 of Bill 64.

7 Id. s. 9.1, as amended by amendment 99 modifying section 100 of Bill 64.

8 Id. ss. 8 and 8.1, as amended by amendments 59 and 60 modifying section 99 of Bill 64.

9 Id. new s. 12, para. 4, subpar. 1.

10 Id. s. 12, as amended by amendment 62 modifying section 102 of Bill 64.

11 Id. new s. 91(3).

12 Id. s. 23, as amended by amendment 71 modifying section 111 of Bill 64.

13 Id.

14 https://www.cai.gouv.qc.ca/liste-des-agents-de-renseignements-personnels/ [Translation obtained in s. 70 of the Act respecting the protection of personal information in the private sector: http://legisquebec.gouv.qc.ca/en/showversion/cs/P-39.1?code=se:70&pointInTime=20210921#20210921]

15 Private Sector Act, s. 79.1, as amended by amendment 76 modifying section 140 of Bill 64.

16 Id. s. 79.1, as amended by amendment 75 modifying section 140 of Bill 64.

17 Id. s. 90.1, as amended by amendment 81 modifying section 150 of Bill 64.

18 Id. ss. 91 and 92.2, as amended by amendments 83 and 84 modifying section 151 of Bill 64.

19 Id. s. 3.1, as amended by amendment 55 modifying section 95 of Bill 64.

20 Id. s. 3.2, as amended by amendment 56 modifying section 95 of Bill 64.

21 A. Aylwin, K. Delwaide, J. Stoddart, J. Uzan-Naulin, G. Pelegrin, A. Barbach and W. Deneault-Rouillard, Moderniser, mais conserver un équilibre, brief presented to the Committee on Institutions of the National Assembly of Québec, as part of the special consultations and public hearings on Bill 64: An Act to modernize legislative provisions as regards the protection of personal information, Montréal, 2020, recommendation 11, p. 14.

22 Private Sector Act, s. 3.3, as amended by amendment 57 modifying section 95 of Bill 64.

23 Moderniser, mais conserver un équilibre, supra, note 21, recommendation 18, p. 21.

24 Private Sector Act, s. 12, as amended by amendment 62 modifying section 102 of Bill 64.

25 Id. s. 12, as amended by sub-amendment 1 of amendment 62 modifying section 12 of Bill 64.

26 Id. s. 8.3, as amended by amendment 61 modifying section 99 of Bill 64.

27 Id. s. 21, as amended by amendment 68 modifying section 110 of Bill 64.

28 Id. ss. 21.0.1 and 21.0.2, as amended by amendments 69 and 70 modifying section 110 of Bill 64.

29 Id. ss. 17.1 and 18.4, as amended by amendments 66 and 67 modifying sections 103 and 107 of Bill 64.

30 Moderniser, mais conserver un équilibre, supra, note 21, recommendation 8, p. 12.

31 Private Sector Act, s. 92.3, as amended by amendment 85 modifying section 151 of Bill 64.

32 Id. ss. 90.2, as amended by amendments 82 and 100 modifying section 150 of Bill 64.

33 Id. s. 90.1, as amended by amendment 81 modifying section 150 of Bill 64.

34 Id. new s. 17.

35 Id. s. 17, as amended by amendment 65 modifying section 103 of Bill 64.

36 Id. s. 17, as amended by amendment 65 modifying section 103 of Bill 64.

37 Moderniser, mais conserver un équilibre, supra, note 21, recommendation 2, p. 9.

38 Supra, note 35.

39 Amendment 66 withdrawing s. 17.1 of the Private Sector Act, introduced by s. 103 of Bill 64.
