Law also adopts tough monetary penalties, rigorous accountability around data use, says David Young
Québec’s new privacy law, Bill 64, adopts the rigour of Europe’s General Data Protection Regulation (GDPR), but also helps facilitate commercial transactions with new exceptions for the disclosure of personal information, say two privacy lawyers.
Bill 64, “An Act to modernize legislative provisions regarding the protection of personal information,” received Royal Assent last fall, and will be enacted in three stages, beginning this September.
The legislation is a “complete overhaul” of Québec privacy law, for both the public and private sector, and is “maybe the most stringent [privacy] legislation in North America,” says Guillaume Laberge, a partner in the Montréal office of Lavery de Billy LLP.
“They are the first jurisdiction in Canada to bring into play these more rigorous GDPR rules, including the penalties,” says David Young, who practises privacy and regulatory law in Toronto. “You’ve really got the two sides. More facilitation for businesses. But on the flip side, more rigor in terms of the compliance rules.”
Section 18.4 of the Act creates a new exception for the disclosure of personal information without consent when communication of the personal information is necessary to conclude a commercial transaction. The section defines a commercial transaction as involving “a transfer of ownership of all or part of an enterprise.” This means that, in the due-diligence process, companies may share client lists, names of independent contractors, pension-plan details, employee lists, contracts and remuneration programs, says Laberge.
“I’d say it’s a long-overdue exception,” he says. Laberge notes that similar exceptions are already present in the federal Personal Information Protection and Electronic Documents Act (PIPEDA), and in both British Columbia’s and Alberta’s own privacy legislation.
To make use of the exception, the party communicating the personal information must execute an agreement with the receiving party. The latter must agree to only use the information to conclude the transaction, to not communicate it without consent or as authorized under the act, to take all measures to protect its confidentiality and to destroy the information if the transaction falls apart or the information is no longer necessary to complete the transaction.
“From a Québec practitioner’s point of view,” says Young, “… that was a significant plus to the law… Québec’s brought that rule up to the same level as the rest of Canada.”
Prior to Bill 64, sharing personal information as part of a commercial transaction required a more complicated process, in which parties were required to anonymize the information or get a third party involved, says Laberge.
The definition of personal information has also been revised to exclude business contact information – a person’s name, title, duties, professional address and email, for example, he says. “It’s no longer subject to the collection, communication and retention obligations of the Act.”
As they figure out how to upgrade procedures to meet Bill 64’s stricter requirements, there is currently “quite a bit of gnashing of teeth” among businesses operating in Québec, says Young. The law requires privacy impact assessments at a lower threshold than that of the GDPR. “Basically, any adoption of a technology that involves processing of data requires a privacy impact assessment, and this is something that really has not existed in the private sector, until now,” he says.
Companies are also required to do a privacy impact assessment when transferring data outside the province, to determine what risks exist in that jurisdiction.
Bill 64 represents the “first stake in the ground” in Canada for the second generation of privacy regimes, with Québec’s first privacy law, those in Alberta and B.C., and PIPEDA comprising the first, says Young. The first-generation laws were crafted before the proliferation of data and data breaches and lacked significant financial penalties, he says.
Contravention of Bill 64 invites fines of up to the greater of $25 million and four per cent of worldwide income in the preceding fiscal year.
The GDPR inaugurated the second generation, and Canadian governments are now following suit with more severe penalties and more rigorous accountability around data use, says Young. Last summer, Ontario produced a white paper calling for input to aid the development of its own private-sector privacy regime. Last April, B.C. convened a Legislative Assembly Special Committee to review the province’s Personal Information Protection Act. The committee released its report, and 34 recommendations for strengthening the act, in December. Ottawa also aims to reform federal privacy law with the Digital Charter Implementation Act, which was tabled in November 2020.