Well, there it is! Last Friday, Quebec Minister of Justice Madam Sonia LeBel introduced the much-anticipated Bill 64, An Act to modernize legislative provisions as regards the protection of personal information (“Bill 64”). As its title indicates, Bill 64 aims to reform Quebec’s legislative framework for privacy. It proposes several amendments to the 26-year-old Act respecting the protection of personal information in the private sector (“Private Sector Act”), which applies to private companies with respect to the collection, use and disclosure of Quebecers’ personal information (“PII”). Should this Bill pass, the Quebec privacy regime for private companies could become the most onerous in Canada, as new proposed penal provisions would introduce fines of either up to $25,000,000 or 4% of worldwide turnover for the preceding fiscal year, whichever sum is greater.
Over the next few weeks, we will demystify the new Bill 64 by demonstrating how it could potentially apply to specific technologies, such as artificial intelligence, geofencing and many others. Stay tuned on FaskenTech for our analysis specific to start-ups and emerging tech organizations!
This first blog post aims to provide an overview of some of the starting points of interest we’ve identified for start-ups and organizations involved with emerging technologies: (1) mandatory “assessments of the privacy-related factors” of information system and/or electronic service delivery projects; (2) confidentiality-by-default parameters for technological products & services; and (3) new obligations to report and log “confidentiality incidents”.
Other notable modifications proposed in Bill 64 include restrictions on the use of PII to render a decision based on automated processing; requirements regarding the use of technologies with functions to identify, profile or locate an individual; a right to data portability; data de-identification requirements; mandatory disclosure, upon request, of the use of data brokers for the collection of PII; and many more (a more complete list can be found here).
Does it apply to my organization?
The Private Sector Act applies to persons who carry on an enterprise within the meaning of Quebec law. In other words, private sector companies that engage in business operations in la belle province are likely to fall under the scope of Bill 64.
This Bill also proposes to amend the Private Sector Act to say that it applies regardless of whether the enterprise keeps the PII itself or whether it is kept by a third party. Provisions of the Private Sector Act regarding the collection and confidentiality of PII do not apply to information that is public “by law”, and Bill 64 further adds that they would not apply either to PII concerning a person in the performance of their duties within an enterprise, including the person’s name, job title and duties, as well as their work address, email address and telephone number.
While Bill 64 promises significant impacts on businesses of all sizes and industries, those that are using big data may find the new legislation especially challenging, particularly if it passes as it is currently written. Now that we’ve covered the basics, we will go over some points that start-ups should keep in mind with the arrival of Bill 64.
Some of the most relevant proposals under Bill 64 for start-ups and emerging tech companies
1. Assessment of the “privacy-related factors” of projects
Justice Minister LeBel proposes, through Bill 64, to introduce corporate governance requirements regarding the protection of PII, which include the assignment of responsibility within the enterprise for ensuring implementation of and compliance with the new legislation (see the last section below).
More specifically, the new proposed Section 3.3 of the Private Sector Act would require organizations to conduct an “assessment of the privacy-related factors” (“APRF”) of “any information system project or electronic service delivery project involving the collection, use, communication, keeping or destruction of personal information”. For the purpose of the APRF of a project, the designated person in charge of the protection of PII within the enterprise will have to be consulted from the beginning of such a project. This person will then have the possibility to suggest implementing PII protection measures at any stage of the project. Bill 64 proposes that APRFs would also be required before communicating PII outside Québec or communicating PII without the consent of the persons concerned for study, research or statistical purposes.
Privacy impact assessments (“PIA”) have long been part of Canadian public sector privacy law, while data protection impact assessments (“DPIA”) are also required in certain circumstances under the European Union’s General Data Protection Regulation (“GDPR”). These tools help to preventively identify potential privacy risks of new or redesigned projects, eliminate or reduce those risks to an acceptable level and develop systems aimed at protecting privacy by design. They enable an informed dialogue between corporations and individuals and ensure that the rights of individuals are taken into account in corporate governance.
The “privacy-related factors” to be assessed for the purpose of conducting the APRF under the new proposed Section 3.3 are not mentioned in this first version of Bill 64. Although it would not be surprising to see the Commission d’accès à l’information publish a framework or guidelines for performing APRFs once the Bill passes, we think that companies should be allowed to follow their own context-appropriate and risk-based governance policies, as required under the new proposed Section 3.2 of the Private Sector Act. The good news is that there is an international standard that provides you with a framework for performing privacy impact assessments. There are also other international standards that provide you with a methodology for implementing good governance on the protection of PII, and under which you can eventually get certified. Fasken has the expertise to assist you with those standards.
The Office of the Privacy Commissioner of Canada’s guidance on PIAs for federal public sector institutions, the Office of the Information and Privacy Commissioner of Alberta’s PIA requirements and the DPIA requirements under Article 35 of the GDPR could also be good starting points. In any event, it is important to make sure that the risks are quantified and addressed, and that acceptable risks are defined beforehand. Finally, although this is not a specific requirement under Bill 64, APRFs should be performed as early as possible, at the conceptual stage, to aim at privacy by design and to ensure the risks can be easily addressed in the long term.
2. Regulating Parameters
Bill 64 also proposes to introduce design into the regulatory framework of Canada. Until recently, our provincial and federal laws have been largely informed by the Fair Information Principles (“FIPs”), which were drafted in the 1970s and have proven resilient over time. Nonetheless, the FIPs were designed with an electronic database in mind, and focused overwhelmingly on addressing power imbalances in an epoch of mass surveillance by the state and other powerful organizations, neglecting actions such as designing, engineering and coding. Through its proposal for a new Section 9.1 in the Private Sector Act, Bill 64 effectively brings all the software developers and computer engineers out there to the attention of the regulator:
9.1. Any person carrying on an enterprise who collects personal information when offering a technological product or service must ensure that the parameters of the product or service provide the highest level of confidentiality by default, without any intervention by the person concerned.
(Bill 64, s. 100)
That’s not surprising: as Don Norman convincingly demonstrated in The Design of Everyday Things, design is everywhere and cannot be ignored.
In Privacy’s Blueprint, Woodrow Hartzog explains how the mantra according to which “technology is neutral” is a fallacy, and that design is inherently an ethical choice. According to the author, design is everywhere and cannot be ignored, so the law makes an error when it fails to take it into consideration. Design is behaviour-shaping and political. The author offers a vehement critique of privacy law that is based solely on the right to privacy:
The notion that human choice, and not design, is what matters most in protecting our privacy is firmly entrenched in U.S. law. In this way, privacy law reflects a kind of neutral or even protectionist approach to technology. Courts generally refuse to hold technology companies liable in tort for unsecure computer code. […] But we must move past the notion that the only thing that matters in the privacy debate is collection, use and disclosure of personal information. The current trajectory of privacy law and discourse cannot continue to marginalize the role of design. Design picks data winners and privacy losers.
(Privacy’s Blueprint – The Battle to Control the Design of New Technologies, Harvard University Press, 2018, pp. 49-50)
Since this book was published in 2018, the GDPR has come into force, specifically requiring, in its Article 25, both data protection by design and by default. Bill 64 seems to promote a mid-position through the introduction of Section 9.1 in the Private Sector Act.
While it is unclear how this new provision is to be interpreted, take into consideration that it comes in combination with other governance requirements that push towards design, such as the above-discussed assessments of the privacy-related factors of information systems. What we know for sure is that in many configurations with “on/off” buttons, designers must pre-select the default position. As Hartzog points out:
This choice cannot be avoided, because even some halfway choice in a binary decision would basically function as off. Because we know defaults are sticky, and it would take the user’s scarce resources of time and attention to change the settings, the default decision reflects a value.
(Privacy’s Blueprint – The Battle to Control the Design of New Technologies, Harvard University Press, 2018, p. 53)
At a minimum, it seems this provision will require that all data sharing be off by default, including geolocation tracking, which is likely to have an important impact on the Adtech industry.
3. Incident reporting regime
If Bill 64 comes to pass, it will usher in new requirements regarding informing individuals and the authorities of actual and suspected “confidentiality incidents”. Bill 64 defines “confidentiality incidents” as access to, use or communication of PII that is not authorized by law, loss of PII and other breaches that compromise the information.
Under the Private Sector Act as it is currently in force, there is no obligation for companies to disclose a data breach that has occurred. This stands in sharp contrast to the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which has mandatory breach reporting provisions that require organizations to report data breaches that pose a real risk of significant harm to individuals to the Privacy Commissioner and to the individuals whose PII has been compromised.
New Section 3.5 proposed under Bill 64 brings the Private Sector Act in line with PIPEDA by requiring that a person carrying on an enterprise who has cause to believe that a “confidentiality incident” has happened take steps to reduce the prejudice caused by it and to prevent future incidents. They must also report the incident to the Commission d’accès à l’information and to all persons whose PII might have been compromised. The person in charge should also inform any bodies that could help reduce the risk of harm stemming from the incident. According to Bill 64, enterprises would also need to log all “confidentiality incidents”.
These changes are important for start-ups as investors will now have access to a record of confidentiality incidents as part of their due diligence during rounds of financing. In addition, by having to report on confidentiality incidents, organizations risk inquiries into their privacy practices, which means that back-end compliance becomes even more relevant.
What are the next steps?
For the moment, Bill 64 is not yet law. It still has to be debated at the National Assembly of Quebec and is subject to consultation and a parliamentary committee’s report, at which point it will either pass and become law or be rejected. During the debate process, it might be modified before being adopted, so it might not become law exactly as it is now introduced; however, many of the changes proposed by this Bill have already been adopted in other jurisdictions, such as in PIPEDA and the GDPR.
What should start-ups and emerging tech companies do with this information in the immediate term?
In addition to what has been discussed above, Bill 64 contains two additional governance requirements which emerging growth organizations should pay attention to, as they are the foundational pillars for ensuring accountability and compliance. The new proposed Section 3.1 assigns to the individual having the highest authority within the company (such as the Chief Executive Officer) the responsibility for ensuring the company’s implementation of and compliance with the new legislation. These roles and responsibilities may be delegated in writing to a member of personnel within the organization. Unlike the GDPR, Bill 64 does not permit outsourcing these responsibilities. To begin your compliance journey, start by identifying someone who will be your compliance champion. This is important because the new legislation would come into force one year after the date of assent of Bill 64 (except for the obligations related to data portability, which would come into force three years after such date).
The person responsible for the protection of PII should implement good governance practices through a system referred to as a Privacy Information Management System (“PIMS”), as set forth under the proposed Section 3.2, which requires companies to implement governance policies and practices. The good news is that there is an international standard that provides you with a methodology for doing so, and under which you can eventually get certified: ISO/IEC 27701:2019. At Fasken, we have acquired this expertise by certifying some of our experts as Lead Implementer for ISO/IEC 27701:2019 and by extending our ISO/IEC 27001:2013 certification to deploy a PIMS for our own offices Canada-wide. These are effective practices that will help you develop resilience for the upcoming changes to Canadian legislation, regardless of the final form this new legislation takes.
On a side note: Bill 64 also proposes additional requirements for the use of technologies with functions to identify, profile or locate an individual, such as for geofencing and Adtech purposes. We will take a deeper dive into these requirements and the impacts on the tech industry over the next weeks.
If you want a head start on compliance, this is where you should start! Make sure you have a good methodology to be organized, as it’s easy to get overwhelmed. Ah, did you know that these policies will also have to be published on your website? Ready, set, comply!