On June 12th, 2020, numerous amendments to Quebec’s privacy legislation were introduced in Bill 64, An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information. Bill 64 was tabled at the Quebec National Assembly and is intended to enhance data privacy and transparency and to strengthen user consent by amending An Act Respecting the Protection of Personal Information in the Private Sector (“the Quebec privacy statute”). However, the proposed amendments are extremely concerning because of how unnecessarily onerous and impractical they would be for businesses to comply with. In many areas, Bill 64 proposes a stricter standard than we see in the European GDPR, which has increasingly become the de facto standard of reference for privacy legislation.
The significant amendments proposed include:
- Fines for offences will be increased to $25 million or 4% of worldwide turnover for the preceding fiscal year (and can be doubled for subsequent offences). There will also be new administrative monetary penalties of up to $10 million or 2% of worldwide turnover for certain violations.
- If there is an injury “resulting from the unlawful infringement of a right” under the Quebec privacy statute or specific provisions under the Quebec Civil Code, statutory damages may be awarded. In addition, if the infringement is “intentional or results from gross fault”, there is a new provision for statutory punitive damages of at least $1000. Directors or officers who order an act or omission of an act that leads to an offence can be deemed personally liable.
- New statutory rights include de-indexing and the right to be forgotten, the right to object to automated decision-making, and data portability. Data subject rights under the GDPR have clearly informed these proposed amendments.
- When processing personal information, organizations in Quebec will be required to conduct “an assessment of privacy related factors of any information system project or electronic service delivery project”.
- Decisions on whether to send data across borders must be accompanied by a privacy assessment to ensure that personal information is only communicated to entities that offer protections equivalent to the Quebec privacy statute. There must also be a publication in the Gazette by the Minister outlining the jurisdictions that have privacy legal frameworks similar to Quebec’s. Thus, Bill 64 incorporates its own adequacy standard; however, this provision is much more problematic than the GDPR because if the entity in the other jurisdiction (be it an affiliated company or a service provider) is not Quebec-approved, there is no alternative as we see in the GDPR (i.e. “appropriate safeguards” could allow the data transfer as outlined in the GDPR, if the EU Commission has not issued an adequacy decision for that country).
- Express consent must be obtained for each personal information processing purpose, and that consent is only valid for the timeframe that must be indicated. This is virtually impossible to comply with, given data intensive emerging technologies involving numerous intermediaries. As acknowledged by the Federal Privacy Commissioner, the consent model is broken in our data-driven global economy, and alternatives need to be considered rather than entrenching consent further. These amendments would force organizations to bombard consumers with an overwhelming number of requests for express consent.
- Notice and transparency requirements with respect to the use of technology that causes an individual to be “identified, located or profiled”. This applies to basically any type of analytics, and once again the notice and opt-out model makes little sense. Individuals do not expect this intense level of notice – it would most certainly frustrate consumers in the digital environment.
- Default settings for technological services and products that collect personal information must ensure the “highest level of confidentiality” without any human intervention. This standard sets a much higher expectation than what we have with the GDPR’s requirement for information protection by design – the language suggests a test that is extremely burdensome on businesses.
- Organizations must now notify individuals when using personal information “to render a decision based exclusively on an automated processing of such information”.
- Mandatory reporting of “confidentiality incidents” to the Quebec Commissioner where an incident gives rise to a “risk of injury”. Again, there is problematic language here suggesting incidents that are broader than ‘breaches of security safeguards’ that result in a ‘real risk of significant harm’ as we have under PIPEDA. Use of the broad term “confidentiality” in various provisions of the Bill is not helpful or in line with any other data protection standard in Canada or elsewhere.
When the Quebec Parliament resumes in the Fall, Bill 64 will be subject to the next steps in its adoption process. These new amendments are not likely to come into force for some time, as the transitional and final provisions have a one-year period to come into force following the Bill’s assent for most of its provisions. If the Bill is passed with provisions that are anywhere near what has been proposed, amidst PIPEDA reform discussions, this could send Canada in the wrong direction with respect to privacy legislation and cause businesses extreme difficulty if they operate across Canada, including Quebec.
Clearly the Quebec privacy statute, adopted more than 25 years ago, is in desperate need of amendment, but in my opinion Bill 64 goes too far.
If you have any questions regarding Bill 64, contact PRIVATECH. Also note that there will likely be a consultation period announced by the National Assembly of Quebec regarding the Bill. It is important that companies and trade associations provide their comments to play a critical role in urging the Quebec government to revisit undesirably restrictive provisions in Bill 64.