The Province of Quebec has passed a new law regarding data protection & privacy that will impact any organization operating in Canada. This page focuses on the amendments to the “Act respecting the Protection of Personal Information in the Private Sector” (PPIPS).
What you need to know
New changes to the current legislative framework include:
Reinforced consent requirements (including explicit requirements to obtain express consent in certain situations), as well as:
- Consent exceptions for research and business transactions.
- Exclusion of business contact information from the definition of “personal information.”
Individual rights inspired by European law:
- right to data portability,
- right to be forgotten and
- right to object to automatic processing.
Transparency requirements, including when organizations are using technologies allowing individuals to be identified, located and profiled.
Requirements for outsourcing and transfers outside of Québec.
An adequacy system seemingly influenced by European law.
Strong enforcement tools:
- The Commission d’accès à l’information (CAI) would have powers to impose administrative monetary penalties of up to C$10,000,000 or, if greater, the amount corresponding to 2 per cent of worldwide turnover in the preceding year.
- Reinforced fines in the case of penal proceedings of a maximum of C$25,000,000, or, if greater, the amount corresponding to 4 per cent of worldwide turnover for the preceding fiscal year.
- Private right of action for individuals.
Breach reporting requirements.
- Introduction of a new privacy officer role that rests with CEOs by default.
- Obligation to establish, implement and publish governance policies and practices.
- Obligation to conduct privacy impact assessments (PIAs).
Privacy by design requirements.
The coming into force of this law will be spread over three years, but companies doing business in Canada (specifically Quebec) would be well advised to take the necessary steps now to ensure the compliance of their data protection & privacy practices.
On Sept 22, 2022, the following provisions inserted in the Act respecting the protection of personal information in the private sector (“PPIPS”) will come into force:
The appointment of a Privacy Officer (section 3.1);
The obligation to report to the Commission d’accès à l’information and to the persons concerned any privacy incidents involving personal information in the company’s possession that present a risk of serious harm (sections 3.5 to 3.8);
The right to disclose personal information without the consent of the person concerned when it is necessary for the purpose of concluding a commercial transaction (section 18.4);
The right to disclose personal information without the consent of the persons concerned when using that information for study or research purposes or for the production of statistics (sections 21 to 21.0.2).
On Sept 22, 2023, most of the provisions of the PPIPS, as amended by Bill 64, will come into force. These include the requirements for companies to:
Establish and implement policies and practices to guide the governance of personal information and ensure the protection of such information (section 3.2);
Conduct a privacy impact assessment:
- of any planned information system acquisition, development, or redesign or any electronic service delivery project involving the collection, use, disclosure, retention or disposal of personal information (section 3.3);
- before disclosing personal information outside Quebec (section 17);
Determine the purposes for collecting personal information prior to collection, inform the persons concerned of those purposes at the time of collection or upon request, inform them about any use of technology that includes functions allowing them to be identified, located or profiled, and inform them any time a decision has been made based exclusively on automated processing of their personal information (sections 4, 5, 8, 8.1 and 12.1);
Obtain clear, free and informed consent that is given for specific purposes and valid only for the time necessary to achieve the purposes for which it was requested. It should be recalled that when the request for consent is made in writing, it must be presented separately from any other information communicated to the person concerned (section 14);
Ensure that, by default, the privacy settings of any technological product or service being offered to the public provide the highest level of privacy, without any intervention by the person concerned (section 9.1). It should be noted that this provision does not apply to the privacy settings of a cookie;
Once the purposes for which personal information was collected or used have been fulfilled, destroy the information or anonymize it to use it for a serious and legitimate purpose (section 23);
Consider requests from a person to whom personal information relates to cease disseminating that information, to de-index any hyperlink attached to their name that provides access to that information by a technological means, or to re-index the information (section 28.1).
Finally, on Sept 22, 2024, the rest of the Act will come into force, including:
- the obligation of a company, at the applicant’s request, to disclose computerized personal information collected from an applicant (and not created or inferred from personal data);
- to communicate such information to the applicant in a structured, commonly used technological format;
- and to further disclose the information, at the applicant’s request, to any person or body authorized by law to collect such information (the right to portability) (section 27 subsection 3).
Yes, there is a transition period for the coming into force of many of the new provisions of the PPIPS, but full compliance with this Act will require organizations to begin taking action now.