
21 December 2021 | 5 minute read

Private eye: It is time to relook at your Québec privacy policies and practices

A new year on the horizon presents an ideal time for businesses to revisit and amend the policies in place within their respective organizations. As Québec’s privacy legislation recently underwent extensive changes, we urge all businesses operating in Québec to undertake a review of their privacy policies and practices.

While most of the changes will only come into effect later in the new year (September 2022) and the year following (September 2023), they are extensive and require businesses to start rethinking and retooling their privacy policies and practices immediately in order to be compliant with these upcoming changes in a timely fashion.

While the privacy legislation revisions have impacted various pieces of legislation in the province, in this article we focus on highlighting some of the most important changes to the Act respecting the protection of personal information in the private sector, which received Royal Assent on September 22, 2021 and will have a significant and ongoing impact on private-sector businesses in the near future:

Changes coming into effect September 22, 2022:
  • Requirement to name a person responsible for overseeing compliance with privacy law within the enterprise and to publish this person’s contact information on the company website or in another analogous place accessible to the public;
  • Obligation to advise the Commission d’accès à l’information (“CAI”) as well as any concerned individuals in the event a privacy breach threatens to cause a serious prejudice;
  • Obligation to take all measures reasonable in the circumstances to reduce risk of prejudice associated with a data breach and to ensure that no such similar data breach incidents happen again in the future;
  • Obligation to keep a register of privacy breach incidents, detailing items such as the date and number of affected individuals, to be remitted to the CAI upon request; and
  • Possibility of communicating personal information without the consent of the person concerned to the other party to the transaction in order to engage in a commercial transaction, provided that certain agreements have been entered into with the receiving party.
Changes coming into effect September 22, 2023:
  • Certain reforms to consent requirements and the information to be provided at the time consent is being collected;
  • Obligation to adopt a privacy policy and privacy practices proportionate to the organization’s size and the nature of its business activities, and to publish sufficient information regarding those practices on the company website in clear and simple terms;
  • Obligation to conduct a privacy impact assessment before engaging in an acquisition or development project or the redesign of an information system or electronic service delivery system involving the collection, use, disclosure, conservation or destruction of personal information;
  • Obligation to conduct a privacy impact assessment before communicating personal information outside of Québec to ensure that adequate protection will be afforded to same in the receiving jurisdiction;
  • Certain disclosure obligations in connection with decisions made based on automated processing of personal information;
  • Companies which collect data via technology which includes confidentiality settings must ensure that the highest level of privacy protections is engaged by default;
  • Certain disclosure requirements with respect to the collection of personal information using tracking or profiling technology;
  • Requirement for express consent with respect to the collection of sensitive personal information;
  • Requirement to present a request for consent separately from all other information being presented to an individual and the obligation to provide assistance to individuals with understanding the scope of the consent sought;
  • Possibility of communicating personal information without the consent of the person concerned to a service provider, subject to entering into an agreement with the service provider regarding the handling of the relevant information; and
  • Possibility for a person to request that a person holding personal information related to them cease all communication of that information and that hyperlinks to that information be removed under certain circumstances (i.e. the “right to be forgotten”).

Another important element, which will come into effect in September 2024, is the right for individuals to receive the personal information held in their regard in a structured and commonly used technological format upon request (i.e. the right to data portability).

While most of the changes affecting private sector businesses are not yet in force, the extensive nature of the changes, as well as the significant penalties associated with same, require that businesses begin addressing these issues immediately. In fact, administrative penalties of up to $10 million or two percent of worldwide income for the previous fiscal year, as well as penal sanctions of up to $25 million or four percent of worldwide income for the previous fiscal year, may apply in the event of non-compliance. Furthermore, the new law will give enhanced powers to the CAI to audit and monitor an organization’s privacy practices and issue binding directives.

We encourage you to contact your local privacy counsel to assist you with navigating these complex changes within your organization.

 

This article provides only general information about legal issues and developments, and is not intended to provide specific legal advice. Please see our disclaimer for more details.
