Issue 6 - September, 2022

Quebec Privacy Reform: Impacts for ACSESS Members

On September 22, 2021, the Government of Quebec passed Bill 64, which reforms Quebec’s privacy laws in the public and private sectors. It imposes many new obligations on Quebec businesses regarding the handling of personal information and provides for important penalties in cases of non-compliance. These obligations will enter into force in three waves. By September 22, 2022, businesses will be expected to have implemented measures to deal with confidentiality incidents involving personal information. Between 2023 and 2024, organizations will need to update their privacy governance framework and become more transparent regarding their handling of personal information. All these changes are important to personnel placement and recruitment agencies, which collect and process a substantial amount of employee and client personal information, including leased employee information in the course of their business. The best way to comply with Quebec’s new requirements is to implement a robust compliance program, which can be developed in partnership with Fasken, a law firm recognized Canada-wide for its expertise in the area of the protection of personal information.

Introduction

The Quebec Privacy Act (the Act respecting the protection of personal information in the private sector) governs the handling of personal information by persons carrying on an enterprise in Quebec or through third-party agencies. Personal information is defined as information that relates to a natural person and which allows them to be identified, either directly or indirectly.

Bill 64, which amends the Quebec Privacy Act, was adopted in 2021. It will require companies to implement a number of changes that will be phased in over a three-year period, starting in September 2022.

Relative to the first phase, your company should have already implemented adjustments to some of its practices, particularly with respect to the handling of confidentiality incidents, as these new requirements came into effect on September 22, 2022. By September 22, 2023, your company will need to have reviewed and updated its governance policies and practices regarding the protection of personal information. This includes privacy notices written in plain language, additional transparency requirements and new individual rights. Finally, the last phase of requirements comes into effect on September 22, 2024, and mainly concerns individuals’ right to the portability of their personal information.

While these new requirements can seem overwhelming, Fasken has developed a multitude of solutions to assist a wide range of businesses in facing these new challenges, from emerging small companies to multinational corporations.

This article provides an overview of the main changes that will affect your business and how we can accompany you in achieving compliance with the new requirements.

  1. Why Should ACSESS Members Be Particularly Sensitive to the Reform?

Recruitment and placement agencies face specific challenges that require additional care and caution in their processing of personal information.

In the course of their activities, these agencies encounter various types of individuals from which they collect personal information. Whether it be the agencies’ own employees, their clients, or the individuals they recruit and place with their clients, they are likely to collect a significant amount of personal information, some of it considered sensitive.

Employment relationships always involve the processing of sensitive information, such as social insurance numbers, financial information, health and medical information or criminal history. But in the case of placement and recruitment agencies, because of the large number of recruits they encounter, the sheer quantity of sensitive information subject to processing may be greater. Recruitment agencies are also likely to collect information related to immigration processes, which could also be considered sensitive. Note that this type of information requires express consent from the individuals concerned, which heightens the importance of reviewing how consent from individuals is obtained, in light of Bill 64’s additional requirements.

Also particular to placement and recruitment agencies is the high rate of turnover they experience. This requires them to exercise special care in ensuring that the personal information they retain isn’t kept longer than permitted by law, and that it is disposed of using secure measures. To achieve this, agencies need to maintain a comprehensive overview of all the personal information that they hold. In addition, requirements specific to personnel placement and recruitment agencies pertaining to the length of time that specific types of information must be kept should be incorporated into your policies and practices (e.g., the requirement for keeping the number of hours worked by every leased employee for six years).

By undertaking a comprehensive mapping of the personal information you handle, your company will also be in a better position to keep track of what information has been communicated to third parties, and to put the required measures in place in order to comply with the obligations pertaining to such communications. This is particularly important because of the tripartite nature of the relationship between recruits, agencies and their clients, in which personal information circulates extensively.

Indeed, in the course of your activities, a significant quantity of information is exchanged between all such parties, and those exchanges must comply with the law’s requirements, which are generally factored into the contracts governing the relationships between such parties. Nevertheless, given the quantity of information exchanged, the number of different parties involved, and the high frequency of such communications, it will be critical for organizations such as yours to keep track of all of these exchanges, in addition to the contractual safeguards that are typically in place. This is especially important considering that the more information is communicated, the higher the risk of confidentiality incidents occurring. For this reason, agencies also need to be diligent in verifying that the information communicated will be adequately protected by the receiving party. They can do this by verifying such parties’ practices and security measures, such as by implementing auditing and other vendor due diligence processes.

  2. September 22, 2022: What You Should Have Done by Now

September 22, 2022, marks the day of the coming into force of new privacy obligations for businesses carrying on an enterprise in Quebec. The first of these new requirements your company must comply with is the appointment of a person responsible for the protection of personal information, and the publication on your website of this person’s title and contact information. By default, the law attributes this role to the person exercising the highest authority within the organization. But this person may delegate their function, in whole or in part, to any person, including ones that are not part of your company.

More substantial changes will also need to be implemented to comply with new requirements in the event that your company suspects or faces a confidentiality incident, which is broadly defined as any access to, use or communication of personal information in contravention of the law, loss of that information, or any other breach regarding its protection.

With respect to such incidents, the law requires that:

  1. You take reasonable measures to reduce the risk of injury that may be caused by the suspected incident and to prevent the future occurrence of any similar incidents;
  2. You promptly notify the Commission d’accès à l’information (the applicable regulatory authority in Quebec) and the persons whose personal information is involved in the incident, if the incident presents a risk of serious injury. In determining if there is a risk of serious injury, the Quebec Privacy Act enunciates certain factors to take into consideration, such as the sensitivity of the information or the anticipated consequences of its use;
  3. You record the incident in a register of confidentiality incidents, whether it presents a risk of serious injury or not, along with information prescribed by regulation. Information recorded about an incident must be kept for at least five years following the given incident.[1]

The best way to ensure compliance with all of these obligations is to put in place an Incident Response Plan, which aims to establish a procedure to be followed when a confidentiality incident occurs and to define the roles and responsibilities of the members of the personnel who will be involved in the response. The value of this plan is that it provides a framework for the prevention and the management of incidents, thus making it more likely that your organization will be fully compliant with the law if such an incident occurs, and that best practices are implemented to ensure a diligent corporate response, thereby reducing liability risks for your company.

Fasken can assist you in establishing your Incident Response Plan, being mindful to tailor it according to the size of your organization, the amount and sensitivity of personal information held, the likelihood of your company experiencing a confidentiality incident, and the risks of prejudice that could result if one were to occur. For example, a large organization employing hundreds of employees in Quebec and that stores the majority of the personal information it holds on third-party clouds is at much greater risk than a five-employee enterprise which manages all of its information internally.

  3. September 22, 2023: Get Ready for the Big Wave

If the first stage of the coming into force of Bill 64 was critical in that it directly impacted the security of personal information, as of September 22, 2023, your company will need to redouble its efforts in light of the additional number of new obligations it will be subject to.

These new requirements aim to increase the enterprise’s transparency about how it handles personal information, and to give more control to individuals over their personal information.

What follows are some of the things that will need to be implemented by that date (if not already in place):

  1. Establish/review and implement governance policies and practices pertaining, in particular, to the keeping and destruction of the personal information you hold, to the definition of roles and responsibilities of the members of your personnel, and to the establishment of a process for dealing with complaints relative to the way you handle personal information.
  2. Draft a confidentiality policy, if any information is collected through technological means (e.g., through contact forms available on your website).
  3. Update your website to publish such policy and detailed information about your other privacy-related policies and practices, using clear and simple language.
  4. Ensure that any technological functions used to collect personal information and which allow the identification, location or profiling of a person (e.g., certain types of cookies on a website) are deactivated by default, and that individuals are informed of the use of that technology.
  5. If you offer technological products or services to the public (such as a recruitment application, but excluding cookies), ensure that the default settings provide the highest level of confidentiality.
  6. Review your practices surrounding how you obtain consent from individuals, how you inform them of their rights, and how you handle their personal information, so that the additional requirements imposed by Bill 64 are taken into account.
  7. Update and reinforce your practices surrounding what you do with personal information once it is no longer needed to fulfil the purposes for which it was collected (in particular, for its destruction and anonymization and, if applicable, subsequent use that may be allowed under the law).
  8. Review your contracts with third parties and update your templates when the communication of personal information is necessary for the execution of a contract.
  9. Update your practices regarding individuals’ rights, to take into account the additional rights individuals are entitled to under Bill 64, including the de-indexation of any hyperlink attached to an individual’s name.

The development of these numerous measures requires having a comprehensive overview of your current practices and should be methodically planned and implemented to ensure your compliance in a timely manner. In doing so, priority should be given to the most pressing areas (in particular, taking into account your current compliance with each requirement and the frequency of situations requiring specific measures within your company, such as the use of cookies or the amount and sensitivity of personal information involved in your various processing activities).

Another tricky new requirement is the necessity to conduct a Privacy Impact Assessment (“PIA”) in a wide range of situations, such as:

  1. When communicating personal information outside Quebec, including where such communication is aimed at outsourcing the collection, use, communication or keeping of personal information (e.g., the use of a third-party cloud);
  2. For any project to acquire, develop or overhaul an information system or electronic service delivery system that involves either the collection, use, communication, keeping or destruction of personal information (e.g., use of video surveillance or use of a new technological platform for payroll management).

These complex assessments aim to evaluate the level of protection that personal information will benefit from in each situation, and to identify the risks that may be involved. In particular, PIAs conducted in the context of communications of personal information outside Quebec require an evaluation of the legal framework applicable in the recipient state. The law explicitly prohibits such communications unless the PIA reveals that the information communicated would receive adequate protection and a written agreement is concluded between the parties.

These privacy impact assessments can be facilitated by using premade templates tailored to the specifics and needs of your organization, developed in collaboration with Fasken, which would then only require further adjustment to each situation.

Finally, by 2024, you should have put in place new measures to facilitate individuals’ new right to portability, which requires that computerized personal information about an individual be communicated to them in a structured, commonly used technological format, if they so request. It also entails, on request, communicating their personal information to any person or body authorized by law to collect this information.

  4. Why Should ACSESS Members Be Determined to Comply?

Most of the time, implementation of legislative reforms is only as good as the mechanisms by which they are enforced. This statement probably explains the massive increase in the fines to which companies are exposed in case of non-compliance with the Quebec Privacy Act.

Currently, non-compliant companies expose themselves to fines ranging from $1,000 to $10,000, and from $10,000 to $20,000 for subsequent offences. Any administrator, director or representative of your company that ordered, authorized or consented to the act or omission constituting the offence is also liable to those fines.

Starting September 2023, fines will increase to range between $15,000 and $25,000,000 or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year. Any subsequent offence exposes your organization to fines ranging between $30,000 and $50,000,000 or, if greater, the amount corresponding to 8% of worldwide turnover for the preceding fiscal year. For natural persons, such as administrators, fines range from $5,000 to $100,000, or $10,000 to $200,000 for subsequent offences.

A new form of sanction has also been introduced: monetary administrative sanctions, which may be imposed by the Commission d’accès à l’information directly. The maximum administrative penalty is $50,000 in the case of a natural person and, in all other cases, $10,000,000 or, if greater, the amount corresponding to 2% of worldwide turnover for the preceding fiscal year.

In addition, in the context of a civil lawsuit, where an injury results from an intentional infringement or gross fault, you would be subject to punitive damages of not less than $1,000.

Conclusion: How Can We Help You?

Navigating the implementation of this heavy reform can be worrisome and stressful for enterprises, which is why Fasken has created a robust compliance program that can be tailored to your organization’s specific needs and resources. At Fasken, we know there is no one-size-fits-all solution, and that is why great care is taken to account for, in particular, the business reality of your company, the evolution of its needs, its size, and the specific area in which it operates.

Our clients range from emerging companies to large national and international companies. Our team is recognized Canada-wide for its expertise in information technology legislation and has accumulated years of experience in helping and accompanying companies to comply with personal information protection laws. With privacy teams spread across various Canadian provinces, we are able to assist our clients with the Quebec law, but also with other Canadian privacy legislation, as well as with the European General Data Protection Regulation (GDPR).

As a multi-practice firm, we have the expertise to adapt to the unique challenges of each business. Our labour team is one of the biggest and most recognized across Canada. Through a collaborative relationship between you, our privacy team and our labour team, Fasken can offer a unique and comprehensive solution to help personnel placement and recruiting agencies navigate their privacy challenges.

For any questions you may have about Bill 64, you can consult our Resource Center or contact someone on our team (see our team members at the bottom of the Resource Center page).


Mathilde Romano
Lawyer


FASKEN

Fasken Martineau DuMoulin S.E.N.C.R.L., s.r.l.
T. +1 514 397 5105 | F. 1 514 397 7600

mromano@fasken.com | www.fasken.com/fr/Mathilde--Romano
800, rue du Square-Victoria, bureau 3500, Montréal, Québec H4Z 1E9
