Law 25 (formerly Bill 64): an initiative that impacts how you do business
The right to privacy is not a new concept.
In 1890, Samuel Warren and Louis Brandeis (the latter a future U.S. Supreme Court justice) published an article entitled "The Right to Privacy".[1] They were already pointing out that, given the growing capacity of government, the press and other agencies to intrude on the private lives of individuals, the law needed to evolve in response by providing legal remedies that enforce the boundary between public and private life.
Since that time, research, work and legislation on the right to privacy have continued to evolve so as to keep pace with changes in technology and the increase in threats to privacy.
Today, the cost of protecting consumer privacy continues to rise as advanced technologies, such as artificial intelligence, are developed. Approximately nine out of 10 U.S. internet users are concerned about the privacy and security of their personal information online, and 67% of them would now support strong national privacy laws.[2]
The age of technology and computing has led to an exponential increase in data. More than 1.7 MB of new data are created every second for every person on earth.[3] Google alone processes 40,000 search queries every second, which translates to 3.5 billion searches per day and 1.2 trillion searches per year worldwide.[4]
This drastic change in how data are created, shared, circulated and stored is prompting professionals, individuals, researchers and legislators to call for serious action on privacy, which is why the regulations in this area are constantly evolving.
In May 2018, the European Union's General Data Protection Regulation (GDPR) came into force. It is currently the toughest privacy and security law in the world.[5] Companies can be subject to harsh fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
Bill 64 in Quebec
On June 12, 2020, Quebec's then Minister of Justice, Sonia LeBel, introduced Bill 64, a bill to modernize the province's privacy legislation, which will apply to public bodies and private enterprises established in Quebec.
Although the Bill has not yet been finalized, businesses should start now to:
- review their privacy policies and their contracts with third parties and clients;
- review their consent forms;
- assess the personal information they hold to determine its degree of sensitivity and the level of protection required;
- put in place protocols in the event of a confidentiality incident; and
- ensure that the technology they use meets recognized security standards.
Should Bill 64 pass into law, its main provisions are as follows[6]:
- The Commission d’accès à l’information (CAI) would have the power to impose administrative monetary penalties of up to $10 million or 2% of an organization’s previous year’s worldwide turnover, whichever is greater.
- Penal sanctions could be up to $25 million or 4% of an organization’s previous year’s worldwide turnover, whichever is greater.
- The creation of a new role of person in charge of the protection of personal information (in practice, a Chief Privacy Officer) within enterprises. By default, this role falls to the person with the highest authority in the enterprise, typically the Chief Executive Officer, who may delegate some or all of its responsibilities in writing. The role’s responsibilities include:
- the implementation and publication of policies and practices governing the protection of personal information;
- conducting privacy impact assessments for projects involving personal information; and
- meeting requirements related to privacy by design.
- The introduction of a requirement for enterprises to deal transparently with “confidentiality incidents” involving personal information (access, use or communication not authorized by law, or loss or any other breach of protection of the information) and to report to the CAI, and to the individuals concerned, any incident presenting a “risk of serious injury”. That risk is assessed by taking into account “the sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes.” Reasonable measures to reduce the risk of injury and to prevent the recurrence of such incidents must be put in place, and a register of confidentiality incidents must be kept.
- Certain specific information must be provided to the person concerned when personal information is collected from them: the purposes of the collection, the means by which it is collected, the person’s rights of access and rectification, and the person’s right to withdraw consent to the communication or use of the information collected. Bill 64 does not provide an exception for employee consent.
- Three new rights, inspired by the GDPR, are granted to individuals regarding their personal information:
- the right to data portability (to obtain computerized personal information in a structured, commonly used technological format);
- the right to be forgotten (de-indexing or cessation of dissemination of personal information); and
- rights regarding decisions based exclusively on automated processing of personal information (to be informed that such processing was used, to learn the main factors and parameters behind the decision, and to submit observations to a person who is able to review it).
- Service providers (third parties) must, under their contract with the enterprise:
- Provide a description of the measures taken to ensure the confidentiality of the personal information obtained (e.g. a description of security measures);
- Provide an attestation that they will use the information only for the purpose of providing the services and will not retain it after the contract expires; and
- Notify, without delay, the person in charge of the protection of personal information of any violation or attempted violation of the confidentiality of the information communicated, and allow that person to conduct any verification relating to confidentiality requirements.
Ontario is moving in the same direction
Quebec is not the only province that has started to modernize its legal framework for data protection. Ontario has launched a project to strengthen private-sector privacy protection by modernizing its existing laws. Ontario currently has no private-sector privacy statute of its own; the federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies instead.
Organizations must evaluate their internal controls, practices and employee awareness regarding the protection of personal information, including the challenges and threats they face. Whatever the final form of the legislation, businesses will have to assume responsibility for protecting personal information. As a business owner or executive, it is essential to begin thinking now about the implications of Bill 64 for your operations.
How can Richter help you?
We can assist you with all the steps leading to compliance with this new legislation:
- Draw up an inventory of the information collected, processed and stored by your company.
- Implement a strategic and operational plan for compliance.
- Identify critical IT hardware and software assets.
- Assess IT risks and mitigation measures.
- Develop and implement sustainable action plans.
- Monitor the implementation of action plans.
[1] Samuel D. Warren and Louis D. Brandeis, “The Right to Privacy”, Harvard Law Review, vol. 4, no. 5 (1890); see also Susan E. Gallagher, Introduction to “The Right to Privacy” by Louis D. Brandeis and Samuel Warren: A Digital Critical Edition, University of Massachusetts Press, forthcoming.
[2] GDPR, AI and Machine Learning in the Age of Data Privacy
[3] Google Search Statistics (https://www.internetlivestats.com/google-search-statistics/)
[4] Ibid.
[5] Regulation (EU) 2016/679 (General Data Protection Regulation), Article 83
[6] Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, 1st Session, 42nd Legislature, Quebec, 2020