This article is part of our Bill 64 Blog Series, which will provide readers with a 360° view on Law 25 (formerly known as Bill 64) and its sweeping amendments to Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (the “Private Sector Act”). To view other blog posts in the series, please visit this page. We have also put together a comprehensive toolkit for businesses looking for resources to understand and ensure that they are compliant with Law 25. This toolkit can be found here.

Privacy Officers across Quebec are hard at work in an effort to demonstrate compliance with the Private Sector Act (and its public sector counterpart) which have been amended by the Act to Modernize Legislative Provisions respecting the Protection of Personal Information (“Law 25” and formerly known as Bill 64). Aimed at promoting transparency and enhancing data privacy, the significant changes to the existing Private Sector Act include more stringent obligations for businesses, greater accountability and tougher penalties for non-compliance.

Are you worried that your organization is running out of time and uncertain about how to proceed ahead of the September 22, 2023 compliance deadline? This article will highlight several key obligations entering into force this September which are operationally complex and time-intensive to comply with.

The entry into force of Law 25 is taking place successively. The chart below summarizes the key components of each entry into force phase.

Since September 22, 2022, several new obligations became effective under Law 25. By now, to avoid sanctions, organizations should have appointed a Privacy Officer, set-up a mandatory breach reporting system or registry, and complied with their continuous obligations to disclose details about their use of biometric information to the Commission d’accès à l’information.

The most significant entry into force phase will occur on September 22, 2023, the key obligations of which are summarized in the chart above and more fully unpacked in our Quebec Compliance Toolkit. This article highlights some of these obligations, focusing on those which our team has identified as demanding significant tactical and strategic effort to achieve compliance. This means that organizations will need to identify current gaps and implement a roadmap to compliance with respect to these obligations well in advance of September 22, 2023.

PIA for Cross-Jurisdictional Communications of Personal Information

As of September 22, 2023, Law 25 will require organizations to conduct privacy impact assessments (“PIA”) upon specified triggering events.

First, organizations will have to conduct a PIA before personal information (“PI”) can be communicated outside of Quebec, including to another Canadian province (s. 17 of the  Private Sector Act). While the obligation only takes effect on September 22, 2023, it will apply to communications of PI initiated ahead of that date that are continuous and which will remain active.

For instance, the obligation to conduct a PIA in relation to cross-border data transfers would apply to a SaaS contract involving PI collected in Quebec that was entered into in 2022 with a 5 year term, and with the vendor’s data center being located in California. Since, in this example, there is a continuous communication of PI to a data center located outside of Quebec, the contracting organization would have to conduct a PIA (and address any unmitigated risks that the organization identifies in the PIA) as of September 22, 2023 in order to ensure that ongoing cross-border communications of PI following such date remain compliant.

Organizations must proactively map out their data flows and activities well ahead of September 22, 2023, to accurately identify these continuous flows of PI, conduct cross-border PIAs and control unmitigated risks revealed by the PIAs.

PIA for New or Updated IT Systems that Process Personal Information

Second, as of September 22, 2023, organizations will have to conduct a PIA in relation to the acquisition, overhaul or development of an information system or electronic delivery system involving PI (s. 3.3 of the Private Sector Act). Such PIAs will need to ensure that the project in question is compliant with all other Law 25 requirements, including new requirements around transparency, consent, confidentiality by default, retention and destruction, and new privacy rights that individuals will be entitled to, including to cease dissemination, de-index or re-index their PI, to submit observations about automated decisions, and portability. This PIA trigger only applies to contracts entered into as of the entry into force date. However, drafting and executing complex commercial agreements regarding such systems can take a long time. It is thus entirely possible that agreements being negotiated now will only sign after September 22, 2023.

Organizations thus need to seriously consider conducting PIAs for such agreements. PIAs in the context of material IT implementation projects generally require significant alignment from multiple stakeholders (e.g. procurement, legal and IT). It is thus crucial for organizations to implement processes and training as regards PIA obligations for such IT system implementation as soon as possible.

Adequate Privacy Clauses in Outsourcing Agreements

Pursuant to section 18.3 of the Private Sector Act, organizations will be able to communicate PI to a service provider without obtaining prior consent, provided that the parties have concluded a contract in writing that includes a variety of privacy protections set out in the provision (including clauses that ensure that the information is used only for performing the contracted services).  Such statutory obligations may raise thorny negotiation issues, especially in relation to contracts with service providers that offer AI-enhanced services who may wish to use client data to “train” the service prover’s models.

Accordingly, organizations must review their existing agreement templates now to help ensure that (at a minimum) they contain the contractual protections laid out in Section 18.3. If any gaps are identified, amendments or addendums to such contracts (or to a stand-alone “data processing agreement” template that can be used by clients in conjunction with their existing contracts) will need to be negotiated ahead of September 22, 2023 to rely on the consent exception.

Privacy by Default

As of September 22, 2023, organizations that collect PI when offering technological products and services to the public will be required to have their privacy settings set to the highest level of privacy by default (s. 9.1 of the Private Sector Act).

For example, organizations that offer mobile “apps” that contain a variety of privacy-related “toggle” options (particularly options related to consent to location-based tracking or behavioral profiling functionality) must (by default) set the privacy toggle to “off”.

Thus, organizations need to ensure that this principle is taken into account for such products and services offered to the public as of this September’s entry into force, and, if necessary, make necessary design changes. 

Automated-Decisions

New transparency and explainability requirements will also come into effect on September 22, 2023, pursuant to section 12.1 of the Private Sector Act. If an organization will use PI to render decisions based exclusively on the automated processing of such PI, the organization will need to inform the individuals concerned that the decision was carried out exclusively through automated processing. Such notice must be provided at the same time that the individual is informed of the decision.

Individuals will also be newly empowered with the right to request and receive information relating to the PI which was used to make the automated decision, along with the main parameters involved in the decision-making process. This requirement is particularly important for organizations looking to increase or incorporate the use of AI in their services and operations.

Organizations must ensure that they are operationally able to explain to individuals about whom automated decisions are rendered the reasons and the principal factors and parameters that led to each such decision. This new obligation will require coordination with an organization’s technical experts, legal department and client communications team in order to assess whether and how this explainability obligation can be met (in a readily understandable manner for your clients) without revealing trade secrets or confidential information. Moreover, organizations must plan to operationalize the right of individuals to submit observations in advance of the entry into force date.

Retention, Destruction and Anonymization

Where the purposes for which PI was collected or used are achieved, organizations will need to destroy PI, or anonymize it to use it for serious and legitimate purposes. Organizations must map out and create a current inventory of their PI processing scenarios and establish retention periods with deletion protocols. This can prove to be a significant undertaking and requires ample time to complete and implement. Organizations may also plan to anonymize the data instead of deleting it, however, our understanding of the exact requirements for anonymization is limited at present. We know that anonymization differs from de-identification in that the process irreversibly no longer allows the person to be identified directly or indirectly. However, anonymization is subject to future regulation, the content of which is presently unknown.

Conclusion

The most significant wave of Law 25’s new obligations comes into effect on September 22, 2023. As this article endeavors to illustrate, compliance with many of these obligations requires significant operational and strategic effort and resources. The point is, it takes time to comply. The costs of not prioritizing compliance ahead of September 22, 2023 are high, with administrative penalties of up to the greater of $10 million and 2% of worldwide turnover for the preceding fiscal year (or the greater of $25 million and 4% of worldwide turnover if a penal proceeding is instituted).

To learn more about how our Cyber/Data Group can help you navigate the privacy and data landscape, please contact national co-leaders Charles Morgan and Daniel Glover.