On September 22, 2023, the second set of amendments from Quebec's An Act to modernize legislative provisions as regards the protection of personal information (introduced as Bill 64 and sanctioned as Law 25), to Quebec's Act respecting the protection of personal information in the private sector (Quebec Privacy Act) will come into force. These amendments represent major changes that will need careful examination as non-compliance can now result in significant monetary penalties.

In previous bulletins, we discussed how Law 25 changes Quebec's privacy laws, including the initial set of amendments that came into force on September 22, 2022.

For more information, see Blakes Bulletin: Quebec Introduces New Amendments to Its Privacy Regimes and Blakes Bulletin: Quebec Privacy Law: Is Your Organization Ready for New Rules in Force this September?

The 2022 Amendments in Review

To comply with amendments made by Law 25, organizations operating in Quebec should have already implemented or adopted the following:

  • Designating a person in charge (PIC) of the protection of personal information (i.e., a privacy officer) if the organization does not want the person with highest authority (e.g., the CEO) to undertake this role by default.
  • Reporting any confidentiality incident that creates a risk of serious injury to the Commission d'accès à l'information du Québec (CAI) and affected individuals.
  • Creating and maintaining a registry of all confidentiality incidents for five years.
  • Signing a data protection agreement if personal information is disclosed in the context of a commercial transaction.
  • Promptly notifying the CAI regarding the collection and use of biometric data for identity verification purpose.

The 2023 Amendments

The second set of amendments made by Law 25 come into force on September 22, 2023. These amendments impose new compliance obligations, create new individual rights and place a strong emphasis on obtaining consent for the collection, use and disclosure of personal information. To comply with the new amendments, organizations operating in Quebec will need to take a more proactive approach to their privacy management programs. Below, we have summarized the most significant changes organizations should be aware of.

New Consent Framework

Generally speaking, to comply with the Law 25 amendments, consent must be obtained to collect, use or disclose personal information. The CAI is in the process of establishing guidelines for obtaining and demonstrating valid consent in accordance with the Quebec Privacy Act. The CAI's draft guidelines provide that to be valid, consent must be:

  1. Clear. The consent given must be obvious, meaning that it clearly demonstrates the individual's intention. Generally speaking, valid consent is express consent, especially when dealing with sensitive personal information.
  2. Free. There can be no coercion in obtaining consent. Consent must be free, meaning that an individual providing consent had a real, genuine choice whether to provide it.
  3. Informed. Consent must be specific and based on sufficient knowledge of the request. The individual providing consent must be aware of what they are consenting to.
  4. Specific. Consent must be given for a specific, limited purpose.
  5. Granular. Consent must be requested for each purpose for which it is sought. If an organization wishes to use information towards a new purpose, it must obtain fresh consent from the individual to whom the information belongs.
  6. Understood. Clear language must be used in an organization's request for consent. The vocabulary used should be common and accessible.
  7. Temporary. Consent is temporary and is limited to a period of time. In a request for consent, an organization must make it clear to the individual from whom consent is sought how long their consent will be valid.
  8. Distinct. Requests for consent must be separate from other information.

To comply with the Quebec Privacy Act, records demonstrating valid consent should be maintained. However, the CAI does not outline a specific way consent must be documented. Rather, it imposes various requirements for consent that must be met using whatever method of demonstrating consent an organization chooses.

Further, while the Quebec Privacy Act includes exceptions to the requirement to obtain consent in certain cases, these exceptions should only be used where an organization can clearly demonstrate that the exception applies. If an exception is used, an organization should outline, in a privacy policy or other statement, what actions it will take regarding the individual's personal information absent the consent requirement.

Governance Policies and Practices

Organizations should develop (or review existing) internal governance policies and practices in respect of the protection of personal information to ensure they comply with legal requirements and are approved by the PIC.

These policies and practices should provide a framework for:

  1. Keeping and destruction of personal information;
  2. Roles and responsibilities for personnel throughout the lifecycle of the information; and
  3. Processes for dealing with complaints.

Other governance policies may be necessary to ensure compliance with new obligations under the Quebec Privacy Act.

Privacy Impact Assessment

Organizations must conduct an assessment of the privacy-related factors (privacy impact assessment or PIA) of any project of acquisition, development and redesign of an information system, or electronic service delivery involving the collection, use, communication, keeping or destruction of personal information. Organizations must consult the PIC at the outset of any project requiring a PIA.

Transfers Outside of Quebec

Organizations must also consider where personal information is being stored and communicated. Before communicating personal information outside the province of Quebec, the organization must conduct an assessment of privacy-related factors, such as the sensitivity of the information being shared and the purposes for which it is to be used.

The communication of the information must be the subject of a written agreement that takes into account, in particular, the results of the assessment and, if applicable, the terms agreed on to mitigate the risks identified in the assessment. Further, individuals must be made aware that their personal information will be communicated outside Quebec.

Marketing

If an organization uses personal information for marketing purposes, the organization must identify itself in the marketing and inform the individual of their right to withdraw consent to the use of their personal information for these purposes. If the individual does withdraw their consent, the organization must stop using their data for these marketing purposes. We note that organizations operating in Quebec are also subject to Canada's Anti-Spam Legislation which strictly requires consent to send commercial electronic messages.

Cookie Banners

If organizations collect personal information using technology allowing an individual to be identified, located or profiled, such as through non-necessary cookies, the individual must be informed of the use of such technology and the means available to activate the technology. This means that organizations operating in Quebec should implement cookie consent tools and ensure that cookies and similar tracking technologies that include these functions are turned off by default.

An organization that collects personal information through technological means must publish a confidentiality policy on their website in clear and simple language, and disseminate it by any appropriate means to reach the affected individuals.

Privacy by Design

Organizations that offer technological products or services must ensure that the privacy parameters of these products or services are set to provide the highest level of confidentiality without any intervention by the individual.

Automated Decisions

When an organization relies on automated processing of personal information solely to make decisions that impact an individual, they must inform the affected individual no later than the time the organization informs the individual of the decision. If the individual requests, the organization must also inform the individual of:

  • The personal information that was used to make the decision.
  • The reasons and principal factors and parameters that led to the decision.
  • The right of the individual to have the personal information used to make the decision corrected.

Penalties

In addition to existing enforcement powers under the Quebec Privacy Act, Law 25 introduces a scheme for monetary administrative penalties (AMPs). A framework has been published by the CAI to shed some light on how these AMPs will be enforced.

A person the CAI designates may impose an AMP on anyone who fails to comply with the Quebec Privacy Act. The person the CAI designates must, before imposing an AMP, provide notice of the non-compliance and give the organization an opportunity to submit observations and produce any documents to complete the record. Following a decision imposing an AMP, the affected person or organization does have certain rights of appeal.

The maximum AMP for a corporation is C$10-million or 2% of worldwide turnover for the preceding fiscal year, whichever is greater. Certain more egregious violations may constitute offences under the Quebec Privacy Act. A court may impose fines for these offences of up to C$25-million or 4% of worldwide turnover for the preceding fiscal year, whichever is greater. These limits are doubled in the case of a subsequent offence. Notably, directors and officers may also be liable.

For permission to reprint articles, please contact the Blakes Marketing Department.

© 2020 Blake, Cassels & Graydon LLP.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.