Québec’s National Assembly has introduced a new bill, An Act to modernize legislative provisions as regards the protection of personal information (Bill 64), that if passed will amend the province’s existing privacy laws in ways that will make them the toughest in Canada. The proposed rules governing businesses in Québec will be more burdensome to businesses than existing federal rules, borrowing ideas from both the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Notable changes include:
Expanded application of privacy legislation to situations where a business holds personal information through the agency of a third party;
Setting the age of consent to provide personal information to a business at 14 years of age;
Requiring a designated person in charge of the protection of personal information;
Mandating businesses to adopt governance policies and practises for the protection of information;
Mandating privacy impact assessments for information systems projects or electronic service delivery projects that involve the collection, use, communication, keeping or destruction of personal information;
Required reporting of newly defined confidentiality incidents;
The right for individuals to be informed of the sources from where their information was collected by a business;
The requirement to inform individuals when using location-finding tools, profiling technology or making decisions based on artificial intelligence. Businesses must also be capable of explaining, upon request, how a decision rendered exclusively on the automated processing of information was made.
GDPR and CCPA protections such as the right of access, rectification, withdrawal of consent and the right to know the means of how information was collected.
Geographic restrictions requiring assessments to be conducted before personal information can be communicated outside of Quebec.
Artificial Intelligence, Location-Finding and Profiling Technology
Businesses that use artificial intelligence to make decisions will be required to inform individuals of its use at the time the decision is made or beforehand. The proposed amendments will require businesses to have appropriate processes to (a) track how their artificial intelligence systems work, and (b) maintain an audit trail of the decisions. At the affected person’s request, a business that makes decisions based exclusively on the automated processing of the person’s information must share:
(i) what personal information was used to render the decision;
(ii) the reasons, principal factors and parameters that led to the decision; and
(iii) the person's right to have the personal information used to render the decision corrected.
The individual must also be given the “opportunity to submit observations to a member of the personnel of the business who is in a position to review the decision.”
Businesses that utilize technology that allow for them to identify, locate or profile persons they receive information from will be required to inform the individuals of the use of the technology and, if applicable, allow them to deactivate the functions that allow the individuals to be identified, located or profiled. Profiling is defined as collecting and using personal information that assess the characteristics of a natural person. This can include analyzing the individual’s “work performance, economic situation, health, personal preferences, interests or behaviour.”
Person in Charge of the Protection of Personal Information (“Designated Privacy Officer”)
Businesses that collect information will be required to designate a person in charge of the protection of personal information. By default, it is the person “exercising the highest authority”, but this may be delegated to a personnel member in writing. The title and contact information of the designated individual must be published on the business’ website or by other appropriate means.
The Designated Privacy Officer will also be responsible for approving newly mandated governance policies and practices regarding personal information. These policies and practices will be required to provide a framework for the maintenance and destruction of the information, define the roles and responsibilities of the members of its personnel throughout the life cycle of the information and provide a process for dealing with complaints regarding the protection of the information. It should be noted that the policies and practices must also be proportionate to the nature and scope of the business activities and also must be published.
Privacy Impact Assessments
The amendment brings with it the requirement for conducting assessments of the “privacy-related factors” of any “information system project or electronic service delivery project involving the collection, use, communication, keeping or destruction of personal information.” Under the new rules, any person conducting these assessments must consult the Designated Privacy Officer within the enterprise from the outset of the project.
The amendments also guide several information protection measures that can be incorporated into projects, which include:
(i) the appointment of a person to be responsible for implementing the personal information protection measures;
(ii) measures to protect the personal information in any document relating to the project;
(iii) a description of the project participants’ responsibilities with regard to the protection of personal information; or
(iv) training activities for project participants on the protection of personal information.
“Confidentiality incidents” are a newly introduced concept that is defined as:
(i) access not authorized by law to personal information;
(ii) use not authorized by law of personal information;
(iii) communication not authorized by law of personal information; or
(iv) loss of personal information or any other breach in the protection of such information.
Upon the occurrence of a confidentiality incident involving personal information that presents a “risk of serious injury,” businesses are now required to take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature. Where a confidentiality incident presents a risk of serious injury, the business will be required to “promptly” notify the Commission d’accès l’information. The business affected will also be required to notify any person whose personal information is concerned by the incident, failing which the Commission may order the business to do so.
When assessing the risk of injury to a person whose information is affected by a confidentiality incident, the business must consider the “sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes.” The business must keep a register of all confidentiality incidents and must also consult the Designated Privacy Officer.
Before communicating personal information outside of Québec, businesses will be required to conduct privacy impact assessments that must take into account:
(i) the sensitivity of the information;
(ii) the purposes for which it is to be used;
(iii) the protection measures that would apply to it; and
(iv) the legal framework applicable in the State in which the information would be communicated, including the legal framework’s degree of equivalency with the personal information protection principles applicable in Québec.
Under the amendments, the information may be communicated if it is determined that it would receive equivalent protection outside of Québec. This will apply if a business in Québec “entrusts a person or body outside Québec” with the task of “collecting, using, communicating or keeping such information on its behalf.”
GDPR and CCPA
The amendments introduce protections like those found under GDPR and the CCPA. Some of which include:
Right of access and rectification
Right to withdraw consent to the communication or use of the information collected
Right to be informed of the purposes for which information is collected
Right to know the means of how the information was collected and
Right to receive a copy of any information collected
The amendments also allow in certain cases for individuals to force businesses to cease disseminating certain information or to de-index any hyperlink attached to their name.
If passed in its current form, Québec’s proposed amendments will require a much higher level of privacy compliance than businesses operating in the province are accustomed to. The newly provided rights borrowed from GDPR are welcome changes that will enhance protections for individuals but may come at a hefty cost to businesses. Québec’s choice to mandate ‘explainability’ and audit trails for automated decisions is one of the surprise inclusions to the amendments and should be seen as a positive step and necessary safeguard against potential biases. On the other hand, the broad requirement for privacy impact assessments may be found to be too onerous on small businesses. Overall, Québec’s new amendments are bringing it closer in-line with progressive jurisdictions that are adopting pro-consumer privacy legislation.