With Bill 64,1 Quebec is taking the lead in Canada on reforming privacy legislation2 and seeks to follow the example of the General Data Protection Regulation ("GDPR").3 In fact, a review of the new bill reveals a number of similarities with the GDPR with respect to both individual rights and business obligations.

New Rights for Individuals

Currently under Quebec's Private Sector Act,4 individuals have the right to be informed in order to obtain their consent, to access their personal information and to make changes to their information. Bill 64 gives them additional rights, thereby aiming to parallel those provided under the GDPR.

Individual's Consent

Firstly, as we discussed in a previous Bulletin,5 for consent to be given, the individual must be informed. To obtain consent from the person in question, the information must be written in clear and simple language and must include the purpose, the means by which the information will be collected, the individuals' rights and, if applicable, the name of the third party for whom the information is being collected as well as the possibility that the information could be disclosed outside of Quebec.

Secondly, the proposed legislation provides that "on request" the individual must be informed of the type of information collected, the categories of persons who will have access to the information within the company, the period of time that the information will be kept and the contact information of the person in charge of protecting the personal information.6

The drafting of the proposed legislation in two steps – primary information and then supplemental information – is similar to article 13 of the GDPR.

Moreover, as in the GDPR, consent for collecting, using or disclosing personal information must be requested separately from any other information provided to the individual.

With regard to consent, another parallel with the GDPR may be discerned under sections 9 and 89 regarding exceptions to consent, in particular when the use of the personal information is necessary for study, research or statistical purposes and the information is de-identified so that it no longer allows the person to be directly identified (Bill 64, sec. 102).

Additional rights under Bill 64

Bill 64 also introduces new rights for individuals that are similar to those provided under the GDPR, such as:

  • the right to erasure (right of de-referencing, Bill 64, sec. 113): Bill 64 allows a person to require an organization to cease publishing personal information or to de-index any hyperlink providing access to that information when such publication causes serious harm to that person's reputation or privacy and when such harm is clearly greater than the public's interest in having knowledge of such information. This new right is similar to that provided under article 17 of the GDPR, as interpreted by European case law such as Google Spain7 and Google v. CNIL8;
  • the right to data portability: which is the right of an individual to receive personal information that they provided to an organization in a structured, commonly used technological format; and at that person's request, this information must be transmitted to any other person or entity (Bill 64, sec. 112); and
  • rights relating to the use of technologies: the person must, in addition to the elements set out above, be informed of the use of a particular technology and, if applicable, the means available to deactivate the functions used in order to identify, locate or profile that person (Bill 64, sec. 8.1; note that the definition of profiling under section 8.1 paragraph 2 is very similar to that under the GDPR). However, contrary to the GDPR, Bill 64 does not grant the right not to be subject to an automated decision.

New Obligations Imposed on Organizations

Bill 64 also sets out additional obligations for organizations, which are aligned with those provided under the GDPR.

For example, like the data protection officer under the GDPR, the duty to appoint a person who will be responsible for protecting personal information within an organization has been added (Bill 64, sec. 95).9

Bill 64 has also introduced the concept of "privacy by default," under which a business that collects personal information when offering a technological product or service must ensure that the parameters of the product or service provide the "highest level of confidentiality by default," without any intervention by the person concerned (Bill 64, sec. 100). This is basically the notion of data protection by design and by default under the GDPR (art. 25).

With regard to disclosing information outside of Quebec, section 103 of Bill 64 introduces a new framework. Before transferring personal information outside of Quebec, an impact assessment must be conducted to show that the information will be protected to the same extent as provided under Quebec's Private Sector Act. Moreover, just as the European Union does, the Minister will publish a list of the countries where the privacy protection laws are equal to those applicable in Quebec. This list is comparable to the adequacy decisions provided under European Union law that allow the transfer of personal information from the EU to a third country (in particular, see GDPR, art. 45).

In addition, in the case of security incidents,10 under Bill 64 there is a duty to notify the Commission d'accès à l'information and, if necessary, the individuals affected, as well as to keep a register, which is consistent with articles 33 and 34 of the GDPR.

Lastly, regarding sanctions, Bill 64 significantly raises the fines that may be imposed on private sector entities and public bodies that do not respect the province's privacy protection laws.11

Private sector entities will be subject to fines of $15,000 to $25,000,000 or an amount equal to 4% of the company's global revenue of the previous fiscal year, whichever is higher. This represents a considerable increase from the current maximum penalty of $50,000, which will make Quebec's Private Sector Act the strictest in Canada, with a potential fine that exceeds that provided under Canada's Competition Act or Anti-spam Legislation (CASL).

Moreover, Bill 64 will give the Commission d'accès à l'information the power to impose monetary administrative penalties for certain violations following a notice of non-compliance – up to a maximum of $10,000,000 or an amount equal to 2% of the global revenue of the previous fiscal year, if this amount is higher.

Once again, the similarity with the fines under the GDPR is clear. In fact, it should be noted that article 83 of the GDPR provides for fines that may, depending on the type of violation, reach 20,000,000 euros or 4% of the annual global revenue.

The conclusion to be drawn from this overview is that Bill 64 aims, to a certain extent, to parallel the GDPR. Does this mean that the European Commission might decide to recognize Quebec as an adequate territory? This would facilitate the transfer of personal data from the EU to Quebec without any other formality.

Footnotes

1. Projet de loi n° 64, Loi modernisant des dispositions législatives en matière de protection des renseignements personnels.

2. Jennifer Stoddard, "Quebec takes the lead in privacy law but overreaches," Financial Post, July 15, 2020.

3. General Data Protection Regulation, 2016/679.

4. Act respecting the protection of personal information in the private sector, CQLR P-39.1.

5. Aya Barbach & Julie Uzan-Naulin, "Bill 64 – C as in Consent - An oversimplification?" Fasken Bulletin.

6. Aya Barbach, "Bill 64 – Chief Privacy Officer will be mandatory in private organizations," Fasken Bulletin.

7. CJEU, May 13, 2014, C-131/12, Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González.

8. CJEU, September 24, 2019, C-507/17, Google LLC v. Commission nationale de l'informatique et des libertés (CNIL).

9. Aya Barbach, "Bill 64 – Chief Privacy Officer will be mandatory in private organizations," Fasken Bulletin.

10. For more details, see Kateri-Anne Grenier, William Deneault-Rouillard and Geneviève Laliberté, "Bill 64 Introduces new confidentiality incident reporting obligations amid increased cyber security risks," Fasken Bulletin.

11. Guillaume Pelegrin, "The Commission d'accès à l'information could issue penalties of up to $10 million based on administrative decisions," Fasken Bulletin.
