My Appearance to discuss Bill 64 (Quebec privacy law – private sector)

Earlier this summer, Quebec’s National Assembly introduced Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, which proposes to overhaul Quebec’s privacy laws, including those applicable to private-sector organizations. Among the various changes being considered, the bill would significantly increase monetary penalties, introduce new enforcement mechanisms, impose new data security standards and cross-border data transfer requirements on businesses, create new rights for individuals, and reinforce requirements related to transparency and consent, as further detailed in our bulletin summarizing Bill 64’s impact on businesses.

Although Bill 64 remains in its preliminary stages of consideration, the bill is currently being reviewed by the Committee on Institutions, which has decided to hold special consultations and public hearings starting this week – the week of September 21, 2020. It is within this context that I was invited to appear before the Committee on September 22 at 4:40PM (French version of my testimony is available here and video available here) and to submit a brief detailing our comments and suggestions with respect to Bill 64.

My colleagues and I are pleased to share a copy of our brief (in French), as well as the following summary of our recommendations to the Committee:

  • New Enforcement Mechanisms: to reduce the scope of the monetary penalties that may be imposed on organizations pursuant to the bill’s enforcement mechanisms (s. 90.12, 91), as they may be disproportionate if applied systematically. In addition, we suggest delaying or eliminating the private right of action introduced by Bill 64 (s. 93.1), as this may unnecessarily expose organizations to an increased number of class actions in the province.
  • Privacy by Default and Design – PIA: to circumscribe the scope of the bill’s privacy by design and default provisions – that is, the obligation to conduct an assessment of privacy-related factors (s. 3.3) and to ensure the highest level of confidentiality by default (s. 9.1) – in order to enhance their flexibility and to take into account individuals’ reasonable expectations of privacy. More specifically, with respect to the obligation of conducting an assessment of privacy-related factors for information system projects or electronic service delivery projects involving personal information, we suggest limiting this requirement on the basis of a materiality threshold (i.e. limited data processing activities that do not involve sensitive personal information should not be subject to this requirement).
  • Transparency: to remove the requirement to publish internal policies and procedures regarding an organization’s information handling practices (s. 3.2), as these documents do not serve to meaningfully enhance transparency and may contain commercially sensitive information.
  • Consent: to clarify the bill’s requirements for obtaining valid consent (s. 14), and to introduce new legal bases for processing personal information that take into account standard business practices and individuals’ reasonable expectations in order to limit reliance on consent and incidentally reduce consent fatigue (we are concerned about the requirement to obtain consent “separately from any other information provided to the person concerned” if this means outside the scope of a privacy policy). We also recommend creating a consent exception for employee personal information that is processed for the purposes of establishing, managing or terminating an employment relationship – an exception that already exists under other Canadian privacy laws and would therefore enhance interoperability between these laws.
  • Data Portability Right: to limit and exclude certain types of information that may be the subject of the new data portability right (e.g. derived and inferred data), and to collaborate with key figures within various industries in order to identify and address potential risks and opportunities related to the implementation of such a right (s. 27).
  • Right to Be Forgotten: to circumscribe the right to be forgotten, taking into account constitutional challenges that may arise, and the fact that it may be neither desirable nor practical for private-sector organizations with limited time and resources to evaluate whether it is appropriate to cease disseminating information or de-index hyperlinks (s. 28.1). In turn, we also recommend limiting the territorial scope of an order to have information removed or de-indexed, as it would be inappropriate to require businesses operating in a number of jurisdictions to restrict the availability of, or access to, content outside Canada.
  • Cross-Border Transfers of Personal Information: to remove the requirement to conduct a comparative analysis of a foreign jurisdiction’s privacy legal framework before transferring information thereto, as most organizations do not have the capacity or means to conduct such an evaluation (s. 17). Furthermore, we recommend reducing barriers to inter-provincial data transfers and limiting the retroactive effects of cross-border requirements in order to avoid unduly disrupting existing data flows.
  • Obligations of Data Processors: to clarify and circumscribe the obligations of a data processor (i.e. service provider) that is processing personal information on behalf of an organization in order to avoid holding the data processor accountable for the latter’s obligations.

Businesses looking to submit comments on Bill 64 can follow the process detailed online.

This content has been updated on September 22, 2020 at 23 h 24 min.