Quebec has chosen to modernize its 1994 Act respecting the protection of personal information in the private sector. To say that it was about time would be no exaggeration. Although Quebec was the first province to adopt data protection legislation, it is high time that it was adjusted to the new technological landscape. The last 25 years have seen more technological advances than the previous 75, and we will probably see just as many in the next 10.
It is therefore entirely appropriate that the Government of Quebec has decided to make improvements. Although the bill has only just been tabled, we can already see that it will have a significant impact on businesses.
Let’s explore together the measures you should already be thinking about in order to prepare for its implementation. Even if the bill is not accepted as is in the fall and has to go back to the drawing board, it is unlikely that the law will remain as it is today.
Data usage, a problem?
In an interview given for La Presse, Minister Sonia Lebel mentions this: “I think that the biggest irritant for citizens is not the use of the data because in most cases, it does not bother them, it might even suit them, but it is rather the fact that they are not aware of the extent of this use, of what is being done with it. That’s where the problem lies.”
This seems to be entirely true. To cite just one example from the past few years, perhaps you will recall the Facebook and Cambridge Analytica scandal, which highlighted the use of Facebook data for analysis and for influencing the political sphere. Few people framed the problem in terms of the collection of their information; they framed it in terms of the use made of it. If all goes well, Quebec should soon adopt regulations on the use of data at the political party and government levels, which is a good thing!
On the other hand, if we look at consumers themselves, many surveys tend to conclude that consumers do not have a real problem with businesses using information about them, as long as it is used for valid reasons. A good example is the personalization of customer experiences:
- More than half of consumers (57%) agree to provide personal information (on a website) as long as it is in their interest and is used responsibly;
- 79% of consumers say they are unlikely to engage with an offer unless it is personalized to reflect the consumer’s previous interactions with the brand;
- If they get personalized offers or discounts, 63% of Millennials, 58% of Gen-Xers and 46% of Boomers are willing to share personal information with companies;
- On average, 71% of consumers express some level of frustration when their shopping experience is impersonal.
The collection of information is therefore not the major problem. Rather, as the Facebook incident indicates, it is the protection of personal information, and its use, that is at the heart of the changes in Bill 64, and by extension of all bills on the subject. This is, moreover, what the image below shows us (which is consistent with the findings of several other surveys on the protection of personal data).
The European model, an inspiration for all
The Minister also affirms that her team has been inspired by the “best standards” in the world in terms of data protection: “Quebec will, at the very least, be in the lead, naturally in our jurisdiction. We’re moving towards European models, and that’s what is recognized as the most advanced.” (La Presse)
It is true that the implementation of the European General Data Protection Regulation (GDPR) made a lot of waves when it was announced in 2017. It must be said that it was the first time that a regulation of this kind took the issue of data protection to heart and framed it in such a way that few (read: no) companies could escape or be exempted from it.
Reminder: Personal data is defined as any information, whatever its nature and medium, relating to an identified or identifiable natural person, directly or indirectly (surname, first name, browsing history). Even IP addresses or cookies are concerned. In fact, this is information that almost all companies collect as soon as they have a website.
Let’s take a look at novel data protection principles introduced in the GDPR (explained in Article 3 of the Law), many of which are found in Bill 64.
- Companies must explain how the organization processes data “in a concise, transparent, intelligible and easily accessible form, using plain language”. They must also make it easy for individuals to make requests (e.g., a request for deletion) and respond to those requests promptly and appropriately.
- Data subjects have the right to know certain information about the processing activities of their data. This information includes the source of their personal data, the purpose of the processing, and the length of time the data is kept. Most importantly, they have the right to receive personal data concerning them that companies are processing.
- Under the right to erasure, also known as the “right to be forgotten”, data subjects have the right to ask you to delete any information you have about them. There are five exceptions to this right, including when the processing of their data is necessary to exercise your right to freedom of expression. You must make it easy for data subjects to make requests for deletion.
- Short of asking you to erase their data, data subjects may ask you to temporarily restrict the way you process their data if they believe that the information is inaccurate, is being used unlawfully or is no longer needed by the controller for the stated purposes. The data subject also has the right to simply object to the processing of his or her data by any party.
- Since data confidentiality is the measure of control that people have over who can access their personal information, the GDPR contains a new data protection requirement called data portability. Basically, you must store your users’ personal data in a format that can be easily shared with others. In addition, if someone asks you to send their data to a designated third party, you must do so (if technically possible), even if that third party is one of your competitors.
The notion of third parties in Bill 64
Another principle introduced for the first time with the GDPR comes from the fact that the law goes beyond the borders between countries. Indeed, the Regulation applies to personal data relating to individuals within the territory of the European Union. This may apply to a company that does not have a physical service point in Europe, but which offers goods or services to people in the Union or which monitors the behavior of those people (e.g. online profiling of websites visited in these areas). So even if you do not have an office in an EU country, but sell services or products there, you are affected!
As for Bill 64, a similar concept is found, since it states that the Bill would apply not only to companies that retain personal information, but also when the retention of this information is ensured by third parties. Thus, the obligation incumbent on the enterprise also extends to its third party contractors, regardless of where the enterprise is located.
New approaches to consent
In Canada, we were introduced to the concept of consent with the advent of Canada’s Bill C-28, which talks about express versus implied consent. This concept has since been introduced into most legislation on electronic mailings, and now on the management of personal data.
Bill 64 also introduces a new form of consent, notably with what is called “informed consent”. Simply explained, this is a company’s ability to explain, in clear language, its data protection policies to consumers. This portion is also part of the GDPR, as noted above. No more texts written by lawyers, which are not easily accessible to consumers. This information will need to be much more transparent in form and substance to ensure that informed consent is given.
Minister Lebel also introduces “specific consent”, which allows consumers to give or withhold their authorization for different uses of their personal data. They could, for example, consent to have their information used for internal purposes, but not shared with third parties or sold (even if anonymized). This is a rather complex technical degree to achieve on the business side, but a necessity that could quickly come about if the law is accepted. Gone are the days when basic consent prevails for everything. It will no longer be possible to have a very broad consent, used for all types of use of personal data. Organizations will have to be much more diligent about the use of this information, depending on the specific consents given.
Finally, and obviously, as with the GDPR, it will be expected that any consumer will be able to withdraw consent at any time. Currently, there is no obligation for a company to respect the will of someone who wishes to do so.
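The “specific consent” and withdrawal requirements described above translate into a concrete data-model question: consent can no longer be a single yes/no flag per customer, but must be tracked per purpose, with every grant and withdrawal kept so the organization can show what consent existed when a given processing ran. The following is an added illustration written for this article, not Dialog Insight’s code and not anything prescribed by Bill 64 or the GDPR; the purpose identifiers, subject id and timestamps are constructed for the example.

```python
"""Purpose-specific consent ledger with withdrawal (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical purpose identifiers for this example. A real deployment defines
# its own list, matching the purposes stated in its privacy notice.
PURPOSES = frozenset({"internal_analytics", "third_party_sharing", "sale_anonymized"})


@dataclass(frozen=True)
class ConsentEvent:
    """One decision by a data subject about one purpose; never overwritten."""
    purpose: str
    granted: bool
    at: datetime
    source: str  # where the decision was captured, e.g. "signup_form_v3"


class ConsentRequired(Exception):
    """Raised when processing is attempted without a valid, specific consent."""


@dataclass
class ConsentLedger:
    """Append-only, per-subject, per-purpose consent history.

    Keeping every grant and withdrawal (rather than one boolean per subject)
    lets the organization demonstrate afterwards which consent existed at the
    time a given processing operation ran.
    """
    _events: Dict[Tuple[str, str], List[ConsentEvent]] = field(default_factory=dict)

    def record(self, subject_id: str, purpose: str, granted: bool, source: str,
               at: Optional[datetime] = None) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose!r}")
        event = ConsentEvent(purpose, granted, at or datetime.now(timezone.utc), source)
        self._events.setdefault((subject_id, purpose), []).append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, source: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        """A withdrawal is simply a later 'granted=False' event; history is kept."""
        return self.record(subject_id, purpose, False, source, at)

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """The most recent decision at or before `at` is the one that counts.

        No recorded decision means no consent: silence is never a default yes.
        """
        when = at or datetime.now(timezone.utc)
        relevant = [e for e in self._events.get((subject_id, purpose), []) if e.at <= when]
        if not relevant:
            return False
        # Stable sort: for equal timestamps the later-recorded event wins.
        return sorted(relevant, key=lambda e: e.at)[-1].granted

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for one subject, e.g. to answer an access request."""
        return sorted((e for (sid, _), evs in self._events.items() if sid == subject_id
                       for e in evs), key=lambda e: e.at)


def process_with_consent(ledger: ConsentLedger, subject_id: str, purpose: str,
                         action: Callable[[], object]) -> object:
    """Gate: the purpose-specific check runs before any processing, every time."""
    if not ledger.has_consent(subject_id, purpose):
        raise ConsentRequired(f"no consent from {subject_id!r} for {purpose!r}")
    return action()


def demo() -> Dict[str, bool]:
    """Constructed scenario: consent to analytics only, later withdrawn."""
    t0 = datetime(2020, 6, 15, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2020, 9, 1, 14, 30, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    # Specific consent: the person accepts internal analytics but refuses sharing.
    ledger.record("subject-42", "internal_analytics", True, "signup_form_v3", at=t0)
    ledger.record("subject-42", "third_party_sharing", False, "signup_form_v3", at=t0)
    results = {
        "analytics_before_withdrawal": ledger.has_consent("subject-42", "internal_analytics", at=t0),
        "sharing_ever": ledger.has_consent("subject-42", "third_party_sharing", at=t1),
    }
    # Later the person withdraws the analytics consent from the account page.
    ledger.withdraw("subject-42", "internal_analytics", "account_settings", at=t1)
    results["analytics_after_withdrawal"] = ledger.has_consent("subject-42", "internal_analytics", at=t1)
    # A purpose nobody was ever asked about yields no consent.
    results["sale_never_asked"] = ledger.has_consent("subject-42", "sale_anonymized", at=t1)
    # Looking back at t0 still shows that consent existed when processing ran then.
    results["analytics_at_t0"] = ledger.has_consent("subject-42", "internal_analytics", at=t0)
    try:
        process_with_consent(ledger, "subject-42", "third_party_sharing", lambda: "shared")
        results["gate_blocked_sharing"] = False
    except ConsentRequired:
        results["gate_blocked_sharing"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design choice worth noting is the append-only history with a point-in-time query: a single overwritten flag would let the company honour a withdrawal, but not prove that an earlier processing was covered by consent at the time, which is the kind of evidence a regulator or a court would ask for.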
Data governance, whose responsibility?
Good personal data management is only possible if responsibility for it rests with an individual or group of people. One of the provisions of the GDPR, which requires the appointment of a DPO within companies, has highlighted exactly this.
The DPO, for “Data Protection Officer”, is a person in charge of the protection of personal data processed by a body (administration, company, etc.). His or her tasks are to inform, advise and train the data controller (or a contracting company) and its employees. The DPO tells them the obligations they must respect with regard to European regulations and monitors that those obligations are properly applied. Thus, the DPO enables an entity processing personal data to ensure that it complies with the regulations applicable to their protection.
If we turn to Bill 64, within a company, the highest executive (CEO) will automatically be responsible for the protection of personal information. However, he or she will have the option of delegating this function to a member of staff whose contact information and title must be published on the company’s website. The Bill also provides for a specific framework for the destruction and retention of personal information. These policies and practices must be approved by the person responsible for the protection of personal information and published on the company’s Internet site.
Saltier sanctions for Bill 64
What made the European regulation stand out when it was announced, and what set it apart from other laws of the same kind, is the sanctions imposed on companies. It was the first time that the fines were high enough, and proportional to the size of businesses, to actually influence whether or not the rules were respected. The sanctions can be 4% of revenues or a maximum of €20 million (whichever is higher).
In 2019, because of the GDPR, several sanctions were given to companies (179 fines for more than €143 million), a significant increase compared to 2018. Among the most notable are the following:
- France: Google was fined €50 million because the information made available to users was difficult to access and understand.
- United Kingdom: €110 million for Marriott Hotels following a data breach involving more than 330 million people.
- United Kingdom: British Airways with a fine of more than €204 million for a later disclosed breach of its customers’ data.
In Quebec, at present, the fines under the law are only $10,000 and $50,000 for repeat offenses. Bill 64 provides for an increase in these penalties to $25 million or 4% of worldwide sales, again taking the higher amount depending on the seriousness of the offense. In the case of an individual, offenders would be liable to a fine of between $5,000 and $50,000.
If the European experience is any guide, penalties become higher and more frequent over time, which could also be the trend in Quebec. Companies will, therefore, have no choice but to comply.
New concepts applicable to data
New concepts for Quebec are also introduced in Bill 64, including the obligation for businesses and public bodies to report security incidents, such as leaks or data theft.
From this stems the obligation to report to the CAI when the incident in question presents a serious prejudice to individuals affected.
All businesses will, therefore, have a clearly stated responsibility under the Act to put in place reasonable measures to reduce the risk of harm and prevent such incidents from occurring again. Businesses will also have to keep a registry of confidentiality incidents, which must be sent to the CAI upon request.
Finally, and this is unprecedented in the province, the Bill introduces the possibility for a person to bring an action for damages based on an invasion of privacy, as set out in the Civil Code of Québec. In the case of intentional or gross negligence, the Bill provides for punitive damages of at least $1,000.
Here’s what you need to remember about Bill 64 to better prepare for it:
- Significant administrative penalties may be imposed by the Commission d’accès à l’information (the CAI) of up to $10 million or 2% of worldwide sales, whichever is greater, and criminal penalties of up to $25 million or 4% of worldwide sales;
- The possibility for a company to be sued for damages;
- The requirement to appoint a Chief Privacy Officer and establish governance rules;
- New obligations of transparency when a confidentiality incident occurs;
- New rights for individuals with respect to data portability, the right to be forgotten and the right to object to the automated processing of their personal information;
- Withdrawal of communication without the consent of the data subjects;
- The obligation to use technological products and services that respect the highest levels of confidentiality and data protection quality.
Since the legislation is still at the draft stage, we will only be able to know if it is adopted as is when the parliamentary meetings resume in the fall. In the meantime, it must be remembered that the current legislation will not keep its format for much longer. We therefore advise all businesses to think about the improvements they must, and eventually will have to, make in order to ensure better protection of individual information.
As for Dialog Insight, we are in the process of revising certain functionalities so that they meet the requirements of the Act. However, it should be noted that we have had advanced data protection procedures in place for several years now. They already meet many of the requirements, and we will continue to be at the forefront to better serve our customers.