
Quebec Privacy Act: What To Know


Data protection laws have taken center stage in several countries around the world. Governments are responding to the renewed need to keep their citizens' data secure. At the same time, users themselves now expect the organisations collecting their data to be proactive in protecting any collected data.

However, countries are not the only ones legislating to bring in data protection laws of some kind. Most prominently, the United States does not have an overarching federal statute that regulates data privacy for consumers. That is why states like California with the California Consumer Privacy Act (CCPA), New York with The New York Privacy Act, Massachusetts with the Massachusetts Data Privacy Law, and New Jersey with the New Jersey Disclosure and Accountability Transparency Act (NJ DaTA) are passing their own state-level laws to protect their residents.

Quebec, a province of Canada, has its own data protection law much like the US states do, known as the Act Respecting the Protection of Personal Information in the Private Sector, CQLR P-39.1 (the Quebec Private Privacy Act). However, unlike the US, Canada does have a federal law that regulates Canadian residents’ data privacy: the Personal Information Protection and Electronic Documents Act (PIPEDA).

Now, amendments have been introduced in Quebec’s data protection law through Bill 64. What effect do these amendments have on the regulation itself and how can organisations remain compliant with them? Read on below to learn more:

1. Who Needs to Comply with the Law

a. Material Scope

The amended Quebec Private Privacy Act consistently refers to Personal Information (PI) as the essential category of data covered by the law. The Quebec Private Privacy Act applies to personal information whether the organization keeps the information itself or through the agency of a third person, whatever the nature of its medium and whatever the form in which it is accessible, whether written, graphic, taped, filmed, computerized, or other. Personal information is any information which relates to a natural person and directly or indirectly allows that person to be identified.

The Quebec Private Privacy Act also covers sensitive personal information. However, it does not apply to journalistic, historical or genealogical material collected, held, used or communicated for the legitimate information of the public.

b. Territorial Scope

As far as the Quebec Private Privacy Act's territorial scope goes, it applies to the collection, use, or disclosure of personal information within the province by any organization.

Moreover, organisations and websites that offer goods/services online or are accessible by users from Quebec must also comply with this law.

2. Obligations for Organizations Under that Specific Law

As per the amended Quebec Private Privacy Act, organisations have certain obligations towards their users and customers. The most important of these obligations include the following:

a. Consent Requirements

No matter how safe and secure an organisation claims its data processing activities and measures are, it cannot proceed with data collection unless it has a lawful basis for processing the personal data of individuals.

Under the amended Quebec Private Privacy Act, personal information may not be used within the enterprise for any purpose other than the one for which it was initially collected, unless the data subject has consented to an additional purpose. Furthermore, no person may communicate the personal information of the data subject to a third person unless the data subject has consented or this law provides for such communication.

Consent needs to be:

  1. freely given
  2. specific
  3. informed
  4. clear

A data subject may request assistance to help him/her understand the scope of the consent being provided. Consent is also only valid for the time necessary to achieve the purposes for which it was requested. Consent not given in accordance with this law is of no effect.

An organization collecting personal information from the data subject must, when the information is collected and subsequently on request, inform the data subject of the following:

  1. The purposes for which the information is being collected;
  2. How the information is collected;
  3. The rights of access and rectification granted to any person by law;
  4. Right to withdraw consent at any time;
  5. If applicable, the name of the third party on whose behalf the collection was carried out and the name or category of third parties to whom the information must be released, and details if the information could be released outside of Quebec;
  6. Details of use of technology and means available to activate the functions that allow a data subject to be identified, located or profiled (if using technology for collection of personal information that includes functions allowing the data subject to be identified, located or profiled); and

Any person who collects personal information through technological means must publish on the enterprise’s website, if applicable, a confidentiality policy drafted in clear and simple language, and disseminate it by any appropriate means to reach the persons concerned. Failure to do so may vitiate consent collected for PI gathered through technological means.

Express consent is required for the processing of “sensitive personal information”, which is defined as information that “entails a high level of reasonable expectation of privacy." Organizations must also ensure that the data subject can withdraw consent as easily as it was given, and at any time.

There are special provisions for minors and differently-abled persons, as Bill 64 reiterates the responsibility of data handlers to ensure informed consent is obtained from their guardian.

b. Privacy Notification/ Privacy Policy Requirements

All organisations are required to have a robust privacy policy that informs users of what tools and methods the organisation uses to collect and process their data, and what data is being collected.

As per the amended Quebec Private Privacy Act, it is up to the organisation or website to ensure it has a framework in place that informs and educates the user about its practices and policies. These must be proportionate to the nature and scope of the enterprise’s activities and be approved by the person in charge of the protection of personal information. Additionally, the policy must provide ample means for the user to complain about the protection of their information.

An organisation must ensure it regularly assesses the success and effectiveness of its practices in ensuring compliance with the data protection laws. Any policies must be updated and reformed accordingly, while the staff should be promptly informed of these changes.

c. Data Breach Requirements

In the event of a data breach, there are certain requirements in place that the compromised organisation must adhere to. These include the following:

  • Once an organisation becomes aware of a data breach, it must “take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature.”
  • The organisation must inform the CAI as soon as possible of the data breach
  • The organisation must also inform the affected individuals whose data has been compromised
  • The organisation must also keep a record of this communication with the affected individuals
  • The organisation must maintain a regular record of any such breaches, and forward them to the CAI upon request

d. Data Protection Officer (DPO) Requirement

As strange as it may sound, the top official within the organisation, i.e., the CEO, is the DPO. However, some provisions allow this role to be delegated to someone within the organisation or to a hired third party.

It is strongly recommended that an organisation hire a dedicated DPO, for two apparent reasons. The first is that the CEO will almost always have a lot on their plate, and piling on another role would undo the purpose behind having a Privacy Officer role to begin with. Secondly, a dedicated DPO can drive efforts within the organisation to implement privacy-related governance policies and practices across all teams.

The Privacy Officer, whether it be the CEO or a DPO, must ensure the most robust privacy practices are implemented within the organisation to minimize, and ideally eliminate, any chance of future breaches.

e. Privacy Impact Assessments (PIA)

This is arguably the most important and core element of the amended Quebec Private Privacy Act. A PIA will be required when personal information on Quebec residents is transferred outside the jurisdiction of Quebec (see section f, Cross border data transfer Requirements, below for more details on this subject).

Other instances that may trigger the need to carry out a PIA include the acquisition, development, or overhaul of an information system or electronic service delivery that involves personal information of Quebec residents.

f. Cross border data transfer Requirements

The amended Quebec Private Privacy Act does allow data transfers across regions. However, there is a catch. The jurisdiction to which the data is to be transferred must have equivalent legislation in place that protects the data in question. The Commission plans on publishing a list of jurisdictions considered equivalent and safe for data transfers.

Additionally, a privacy impact assessment must be carried out covering the jurisdiction to which the data is to be transferred. Any such assessment must be based on the following criteria:

  • The sensitivity of the information;
  • The purposes for which it is to be used;
  • The protection measures, including those that are contractual, that would apply to it; and
  • The legal framework applicable in the State in which the information would be communicated, including the personal information protection principles applicable in that State.

g. Vendor Requirements

Organisations often rely on third parties, or vendors, to assist in their operations. Often, to enable such a collaboration, personal information and data collected on users must be shared with these vendors. However, this data and PI can only be shared once the user has consented to the sharing.

Similarly, the vendor is required to:

  • Entrust the mandate or contract in writing; and
  • Specify in the mandate or contract the measures the mandatary or the person performing the contract must take to protect the confidentiality of the personal information communicated, to ensure that the information is used only for carrying out the mandate or performing the contract.

Any data shared with the vendor must be deleted permanently once the contractual obligation for which the data was required is complete.

However, the second obligation does not apply to public entities or when the data being shared is already in the public domain.

h. Automated Processing

If the organisation or website collecting a user’s data employs automated processing based on the data collected on users, it must inform the user of the following information without delay once any data that is to be used in automated processing is collected:

  • Personal information used to render the decision;
  • Reasons and the principal factors and parameters that led to the decision;
  • Right of the person concerned to have the personal information used to render the decision corrected.

3. Data Subject Rights

Like all other significant data protection regulations globally, the new Quebec Privacy Act also guarantees all users certain rights, better known as data subject rights. Some of the rights covered by the Privacy Act include the following:

  • Right to Data Portability - The data subject can request access to all data collected on them in a machine-readable format that the data subject can easily use.
  • Right to Be Informed - The data subject has the right to know the reason behind the collection of their personal information, the processing, the retention period, cross-border data transfers, and the contact information of the relevant person at the organisation regarding the data collected on them, usually the organisation's DPO.
  • Right to De-indexation & Re-indexation - A data subject has the right to request that their data be de-indexed. Hence, an organisation must delete any data it may have collected on the data subject. Similarly, the amended Quebec Privacy Act gives users the right to re-indexation in the same circumstances where de-indexing of hyperlinks may be required.
  • Right of Access & Rectification - A data subject has the right to access and see what data has been collected on them from the point they consented to the data collection. Moreover, a data subject has the right to request changes to any data that may be incorrect, outdated, incomplete, or out of context.
  • Right to Withdraw Consent - Arguably, the most critical data subject right is the right to withdraw consent from all data collection measures at any time they want. A website collecting their data must have a dedicated page or button on the homepage, directing the user to revoke all previously given permissions for data collection.

4. Regulatory authority

The Commission d’accès à l’information, also known as "CAI," will primarily enforce the Quebec Privacy Act across the jurisdiction. It shall have the power to "take any measure to protect the rights of the persons concerned" while also being authorized to order penalties against organisations for their non-compliance with the new law's provisions.

5. Penalties for Non-compliance

Using the old "carrot-and-stick" metaphor, this would be the stick that compels organisations to comply with the new law. As many will notice, the monetary penalties for failing to adhere to the new mandates introduced by the Quebec Privacy Act can be overly severe.

CAI can fine an organisation CA$10 million ($8.01 million) for individual breaches. Penalties may reach CA$25 million or, if greater, an amount corresponding to 4% of worldwide turnover for the previous year for organisations found in gross breach of or non-compliance with any of the new law's statutes.

6. How an Organization Can Operationalize the Law

While the new amendments promise a heightened level of protection for all users' data, organisations might find it a tall order to operationalize the new legislation within their business practices. While compliance with the new law cannot be achieved within a day, certain practices can ensure the adaptation is made quickly and effectively. Such practices include:

  • Appointing a Data Protection Officer
  • Having a Real-Time Inventory of All Products/Services Collecting Data
  • Training Staff/Employees Accordingly
  • Regularly Assessing & Updating Business Practices
  • Establishing a breach mechanism

7. How Securiti Can Help

Users are becoming increasingly educated and aware of websites' responsibilities towards the data collected on them. Hence, they expect these websites to take the appropriate measures to ensure this data is protected and maintained as per the laws they are subject to. With more and more countries enacting their own versions of data protection laws, organisations must consider data compliance and governance as essential parts of their modus operandi.

That is an arduous task. However, AI-driven solutions could hold the key towards striking a balance between efficiency and effectiveness. Securiti is a market leader in offering solutions based on its PrivacyOps framework that can help businesses achieve privacy compliance anywhere in the world at the click of a button.

Request a demo today to learn more about how Securiti can help your business.
