Businesses within the Province of Quebec Have Homework to Do as to their Employees and their Data

As you may already know, Quebec’s Bill 64 was passed into law a couple of months back, setting in motion a substantial revamp of the province’s main privacy statute. Much like what’s been going on in Europe and, more recently, at the Federal level, the province finally decided it was time to update its antiquated statute governing the protection of personal information within Quebec.

The coming into force of an Act to modernize legislative provisions as regards the protection of personal information (the “Act”) will stretch until 2024. In the meantime, the first provisions of the new law came into force last week, including numerous new obligations for Quebec businesses and organizations regarding their employees.

In practice, until now, little attention was generally paid in Quebec to the rules that may govern and apply to the personal information of employees, an issue that was often swept under the rug. Well, now that the Act is here, things have to change, fast.

Indeed, the Act provides for a whole slew of obligations that apply to employers within the province of Quebec. For example, as is the case elsewhere, Quebec organizations should draft and make generally available their data handling policy, including as to how they handle employee information. This is but an example of what the new regime requires.

The first thing quite a few Quebec businesses and organizations should do, including relatively small ones, is come to terms with the fact that the world has indeed changed and that Quebec businesses may no longer look at privacy as this theoretical issue that no SMB really bothers with. With the advent of the Act, all businesses and organizations should (quickly) make the transition from apathy as to privacy to being highly involved. If you need motivation to do so, the staggering amount of potential penalties provided by the Act should help: 25 MILLION dollars or, and here’s the kicker, 4% of annual revenues. Yup, that’s right, just like Europe did a while back, we’re now realizing that dollar amounts may not be enough, but percentage of revenues, now THAT scares the bejesus out of ANY business.

As to employees, without going into details, to start, you should probably simply understand that personal information is now treated as such, whether it relates to a customer or an employee. Both are individuals, right? So, from now on, the Act basically assumes that organizations should have processes, policies and protocols in place to deal with personal information, wherever it comes from, employee-related information included. One should also note, as to these, that the Act now requires making these policies generally available, including to employees, so that individuals can know how you are handling their information. Though this may seem a no-brainer, in actuality, quite a few Quebec organizations still do not comply with this.

The Act also provides constraints as to how an organization may use automated processing of data to make or reach decisions as to individuals. If your company has AI sorting CVs, for example, individuals may have to be made aware of this fact, etc.

One should also make note of the fact that not only must employees be made aware of what information of theirs is collected and used (and how), but employees can now lodge complaints with the Quebec privacy watchdog, called the Commission d’accès à l’information (the “CAI”), should they want to question the employer’s data-handling practices, for example, if they suspect their employer’s practices are not in line with the Act.

As is the case in numerous other jurisdictions, the Act also now provides for a mandatory notification in case of hacking incidents (and similar incidents where personal information may have been compromised), including when it comes to employee information.

Another change mandates that employers (and all organizations in fact) appoint a privacy officer, who will handle personal information-related matters on behalf of the entity, moving forward. This will have to include issues relating to employee information. Such a person may, for example, be an officer of the company and should, generally, be selected based on his/her ability to deal with eventual issues relating to the types of data that the organization at issue normally handles. In other words, though the Act presumes the president of the company may be the person in charge, he/she may or may not be the best person for the job. All in all, if you are located in the province of Quebec and have employees, you may very well now be subject to the new Act. The time to educate yourself, seek advice and act is… now.

Québec Adopts New Personal Information Protection Statute

Québec formally adopted last week an overhaul of its statute meant to regulate personal information handling by businesses in the province. Bill 64 was an attempt to bring the Québec Loi sur la protection des renseignements personnels dans le secteur privé in line with more modern pieces of legislation used abroad, including the famed GDPR, in Europe.

The revised statute now includes more strenuous obligations for organizations handling such data, and includes potentially huge fines (we’re talking millions) for businesses which may be caught violating the law. Yes, I think we can safely say that the province of Québec now has a real piece of legislation to govern how organizations are supposed to protect personal information when collecting, using or communicating it.

Though the statute was formally adopted, one should note, however, that most provisions included in Bill 64 will come into force only in September 2023, thus giving businesses about 2 years to shape up. During that time, the Québec watchdog (the “CAI”) will also seek to provide guidance by coming up with rules and protocols that it expects businesses to apply and abide by.

A limited number of provisions will come into force in September 2022, including those related to the obligation for businesses to disclose security incidents that may have exposed personal information to loss or theft, including for example pursuant to hacking incidents. The Québec media reports that the government intends to curb a culture of negligence when it comes to adequately handling and protecting personal information. After almost 30 years of being governed by an obsolete statute as to personal data, Québec businesses certainly have work to do!

Modifications to Bill 64 as Adoption in 2021 Remains Likely

The Québec bill proposing substantial amendments to an Act respecting the protection of personal information in the private sector (Bill 64) keeps making progress through the legislative process, as the parliamentary committee recently published its report, including by proposing further changes to that piece of legislation.

The commission proposed several modifications to the initial version of the bill, including the following:

  1. Creating certain new rights for individuals as to their personal information;
  2. Requiring businesses to check, beforehand, that information exported outside Québec would be protected by laws (in the other jurisdiction at issue) that are “adequate”;
  3. Adding an obligation to inform individuals of the actual identity of third-party businesses and partners to which the organization may be disclosing information (as opposed to merely disclosing the types of third parties);
  4. Allowing businesses to delegate the roles of their Chief Privacy Officer (as required under the bill), to someone outside the company, if they so choose (for example, to allow outsourcing of that function if no one in the company has the requisite expertise);
  5. Forcing businesses that use information that has been depersonalized, to take reasonable precautions against eventual use of such information to “reidentify” the individuals at issue;
  6. Allowing use of personal information, even without consent, for purposes of delivering products or providing services to the individuals at issue;
  7. Allowing use of personal information, even without consent, in the context of purchase-type corporate transactions, but also other commercial operations such as mergers, financings, etc.;
  8. Expressly adding to the Québec statute the possibility of settling claims against businesses that violated the statute, by having them enter into undertakings with authorities, as is allowed under the Federal statute;
  9. Modifying the amount of certain penalties provided by Bill 64, being understood however that the maximum penalty of $25M (or 4% of annual turnover) remains untouched;
  10. Limiting what businesses must provide to individuals who ask to see “their” own data, by excluding therefrom data that was indirectly produced or induced from the initial data actually provided by each individual.

It is generally agreed Bill 64 is likely to complete the legislative process in 2021, as its formal adoption seems more than likely to follow before the end of the year, with fairly minimal modifications being made to it between now and then.