Canada: Sensitive Personal Information: Another Concept Borrowed From The GDPR

Bulletin #19 | Special Series - Bill 64 & Act to modernize legislative provisions as regards the protection of personal information

In sections 12, 19 and 102 of Bill 64¹ the legislator has introduced a new concept – that of "sensitive personal information" – affecting both the Act respecting access to documents held by public bodies and the protection of personal information² and the Act respecting the protection of personal information in the private sector.³

This concept has been introduced in the context of explicit or implicit consent to the use or disclosure of personal information for the purposes for which it was collected. For example, it is provided that the consent of an employee of a private enterprise must be explicit when that company wants to use the employee's sensitive personal information for purposes other than those for which it was collected.⁴

Proposed Definition of "Sensitive Personal Information"

While this concept does not appear in the current version of the federal Personal Information Protection and Electronic Documents Act,⁵ it does, however, exist in European law as "sensitive data" under the General Data Protection Regulation⁶ ("GDPR").

Under Bill 64, information is defined as "sensitive" when "due to its nature or the context of its use or communication, it entails a high level of reasonable expectation of privacy."⁷

According to this definition, it should be noted that all obligations affecting enterprises under Bill 64 vary depending on how sensitive the personal information is. Moreover, this concept seems to be subjective since the sensitivity of the information depends on the context of its use or communication.

Unlike Bill 64, the GDPR provides a precise definition of "sensitive data." In fact, the GDPR not only provides that "sensitive data" is a special category of personal data, it also explicitly defines sensitive data that is in the special category of personal data. More precisely, article 9 of the GDPR provides that the:

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

As such, the concept proposed in Bill 64, seen through the lens of the GDPR, may seem incomplete or inadequate given that:

• the sensitivity of information is left to the discretion of the companies processing such information, and so it could be difficult for them to determine how they should be processing certain information in certain specific contexts;
• in cases where it may be less obvious that information should be considered sensitive, the same information may be handled differently, depending on the person processing that information; and
• company policies may vary from one company to another regarding the same type of information.

Other Ways of Defining Sensitive Information

In light of the foregoing, we believe that, as provided under the GDPR, a clearer definition of "sensitive personal information" could help prevent confusion or any misinterpretation of the law.

For example, it seems that in the context of Québec, the definition of "sensitive personal information" could constitute the prohibited grounds of discrimination under section 10 of the Charter of Human Rights and Freedoms,⁸ which are race, colour, gender identity or expression, pregnancy, sexual orientation, civil status, age except as provided by law, religion, political convictions, language, ethnic or national origin, social condition, handicap or the use of any means to palliate a handicap.

Lastly, while the addition of the concept of "sensitive personal information" is interesting, we believe that certain changes should be made to the definition in order to avoid interpretation issues and to ensure the uniform application of the new legislation.

Footnotes

1. Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, 1st Session, 42nd Legislature, Québec, 12 June 2020, (Introduction) ("Bill 64") http://m.assnat.qc.ca/en/travaux-parlementaires/projets-loi/projet-loi-64-42-1.html.

2. Act respecting access to documents held by public bodies and the protection of personal information, chapter A-2.1.

3. Act respecting the protection of personal information in the private sector, chapter P-39.1.

4. Bill 64, section 102.

5. Personal Information Protection and Electronic Documents Act, SC 2000, c 5.

6. General Data Protection Regulation, 2016/679.

7. Bill 64, sections 12 and 102.

8. Charter of Human Rights and Freedoms, chapter C-12.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.