Stikeman Elliott privacy law expert spoke with Canadian Lawyer about the province's reforms
Quebec is rolling out its new privacy law, Bill 64, over the next several years.
The first batch of amendments came into force last September. The second will be in force this coming September, followed by a third wave in September 2024 and a fourth in 2025.
Danielle Miller Olofsson is a senior associate at Stikeman Elliott LLP’s corporate group, with expertise in privacy and data protection, technology, and blockchain. She spoke with Canadian Lawyer* about the most significant aspects of the privacy law reforms.
What is significant about the new personal information policies?
You have duties concerning transparency, data integrity, data security, individual-access rectification, individual rights, and disclosing what you're doing with the information, how much you're collecting, and limiting it to what's necessary.
One thing that sets Quebec apart is that if you are going to be profiling an individual, you have to disclose it very clearly.
And if you're using a technology to profile an individual – that must be explained, and the mechanism used to trigger that technology, or track using that technology, must be disclosed so that the individual can deactivate it.
The second thing that sets Quebec apart from the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) regulation is that it has finally defined what it means by “sensitive information.”
It's very important because information should be protected based on sensitivity. If there is a breach, one must determine, based on the sensitivity of the information, whether one will disclose this to the regulators and the individuals whose information has been compromised.
Information will be considered sensitive based on the context – notably, medical or biometric information.
The federal legislation and its proposed amendments don't do that. That’s unfortunate because it's important for industries to know where they are going and what is considered sensitive information.
I like the Quebec approach. It gives you a roadmap without limiting sensitive information only to certain categories – as the European legislation does. And it doesn't just leave it to a contextual interpretation as the federal legislation does. It's a very workable approach.
What's significant or notable about the new rights for individuals?
We have a mobility right. That will be coming into effect next year.
If you collect information on an individual, you must ensure that you can provide that information to the individual, or any other organization, that requests it. You must do so within 30 days.
For instance, I have my dental records at a particular dentist. My dentist decides to retire and sends me to whoever's taking over their practice. I don’t like that person. I find another dentist. I have a right to ask that my files be transferred.
That makes it so much easier on the individual if you know you have a right to ask for that, and people must produce it.
It's not complicated for organizations; they will just have to be more vigilant about where they keep information.
The other thing that is very important for corporate clients to remember is there is a right to deindexation. If they see that their information is being used, an individual has the right to ask that any links to that information be deindexed.
This is important to remember if you're using employee images or if you're using testimonials on your website because an individual can go and ask you to take that down. There's nothing wrong with doing it. Just make sure that it's easy to take down.
Explain the privacy impact analysis and why it's notable
The privacy impact analysis is not new. It's required in Europe. It's required in the public sector in Canada.
It aims to determine whether the activity that you're proposing to engage in, in any way, compromises the personal information of an individual.
You look at what activity you're doing, how it compromises the rights that an individual can access, and then you have to put into place measures that will mitigate any deemed risk.
It's a risk analysis, and it's required in three instances.
One, if you're introducing or updating information systems. Second, if you're transferring personal information outside of Quebec. Third, if you use information for research and development purposes, will that compromise an individual's right to privacy?
Tell me about data processing agreements
Data processing agreements are also standard. They're required in Canada as well. They are agreements that an entity must enter into with another entity to which it transfers personal information. It's an agreement asking the recipient entity to protect personal information.
The Canadian legislation is not prescriptive. Quebec’s legislation is prescriptive.
A data processing agreement must contain three things: specific security measures to ensure the confidentiality of that information, an audit, and a breach notification provision. If my recipient suffers a breach, they need to tell me immediately or as soon as they possibly can.
The difference in Quebec is that we now have very specific elements that these data processing agreements must contain. It's perfectly standard. The European legislation is the same.
What is startling about the new penalties? And how do these measure up to other privacy regimes?
It's a first in Canada. Globally, they're not startling. They're common. Up to $25 million or four percent of your annual turnover for violation of privacy.
What's also interesting is that there's a private right of action. Individuals, if their privacy rights, as per the Civil Code, have been breached, now have a private right of action.
Is there anything else significant about Quebec’s new privacy law that you wanted to mention?
The Act to establish a legal framework for information technology is often forgotten. This law has been around for a while.
It requires that any entity that uses biometrics to identify or authenticate an individual must only do so after having informed the Quebec Access to Information Commission and with an individual's express consent.
This is really important because biometrics are super efficient, pretty accurate, and becoming easier and easier to use.
The other thing is, if you are going to put up a databank of biometric information, you have got to inform the Access to Information Commission 60 days before doing so.
*Answers have been edited for length and clarity.