On June 12, 2020, Québec’s then minister of justice, Sonia LeBel, tabled in the National Assembly Bill 64, An Act to modernize legislative provisions as regards the protection of personal information.
Bill 64’s purpose is to modernize Québec’s privacy laws for both the public and private sectors. This new bill would impose more onerous obligations on employers in the province and provide the Commission d’accès à l’information (privacy commission) with increased powers.
One component of the privacy commission’s duties involves enforcing the Act respecting the protection of personal information in the private sector (Private Sector Act). As it currently stands, the privacy commission is capable only of conducting investigations or inspections and ordering the corrective measures it deems necessary. Put simply, the privacy commission cannot impose monetary penalties for noncompliance. It should be noted that although the privacy commission cannot impose penalties, under the current Private Sector Act, the director of criminal and penal prosecutions can institute penal proceedings against Private Sector Act offenders. However, these situations are extremely rare.
Under Bill 64, the privacy commission would have new prosecution powers that would enable it to institute penal proceedings against any employer that failed to comply with the Private Sector Act. These new powers come with new penal fines that go up to $25 million, or if greater, an amount corresponding to 4 percent of the company’s worldwide turnover for the preceding fiscal year.
This means that an employer with $1 billion in turnover for the preceding fiscal year could be fined up to $40 million for breaching the Private Sector Act.
In addition, Bill 64 provides for a new monetary administrative penalty regime. These types of regimes already exist under other forms of legislation, particularly under environmental law, and they allow regulators to impose penalties without having to respect all fundamental rights that an accused entity would have under the Canadian Charter of Human Rights and Freedoms. As Bill 64 currently stands, under the monetary administrative penalty regime, a Private Sector Act offender could be liable for up to $10 million in penalties or, if greater, an amount corresponding to 2 percent of the company’s worldwide turnover.
Bill 64 would also create new obligations for employers such as:
- the duty to destroy or anonymize personal information once the purpose for which it was collected has been completed;
- the duty to erase personally identifiable data upon an individual’s request; and
- the obligation to appoint a person who will be responsible for protecting personal information.
Employers in Québec may want to remain vigilant and up to date with Bill 64 as it makes its way through the legislature as the new changes proposed are broad and the implications are significant.
Ontario
On August 13, 2020, Ontario’s Ministry of Government and Consumer Services released a discussion paper titled “Ontario Private Sector Privacy Reform.”
The discussion paper recognizes the absence of provincial legislation regulating data collection by private bodies. Specifically, it addresses how the collection of “employee related personal information” is free from any type of privacy regulation and oversight. The province indicated that it wants to construct its own legislative response that allows Ontarians to exercise more control over their data when engaging with private organizations.
The discussion paper outlines the following key areas for reform
Changes to consent and transparency requirements
Currently, private organizations obtain an individual’s consent for use, collection, and disclosure of personal information through service policies and privacy statements. However, the discussion paper recognizes that these policies are saturated with “dense legal jargon” that can leave individuals uncertain of what they just consented to. Furthermore, the discussion letter expresses the opinion that the consent model is unrealistic and inefficient given how frequently personal information is collected, used, or disclosed.
The discussion paper proposes scrapping the traditional dense privacy policy. Instead, organizations would be required to outline in plain and clear language what personal information is collected, how it is collected, and with whom it is shared. Organizations would also be required to identify situations in which consent is not required. For collection, use, and disclosure of personal information that falls outside an organization’s described practices, “opt-in” consent would be required. This “opt-in” system would prevent organizations from continuing to collect information indefinitely.
Data erasure and data portability
Ontario also examines the introduction of two new rights: the right to data erasure and the right to data portability. Data erasure rights would allow individuals to request that their employers permanently delete or “de-index” any collected personal information. Data portability rights would require employers to provide individuals with their personal information in an open and accessible format upon request.
Oversight, enforcement, and fines
The discussion paper considers empowering the information and privacy commissioner to issue binding orders and fines on organizations that do not follow the privacy regulations.
De-identified and derived data
The discussion paper proposes defining and regulating “de-identified” and “derived” data.
“De-identified” personal information is data that has been collected and edited to remove a person’s identifiable information. Ontario is considering offering incentives and supports to private institutions to use this type of data preservation since it reduces the harmful effects of any privacy leaks.
“Derived” data is information that private institutions indirectly acquire (e.g., web browsing habits). Ontario is considering developing guidelines for how companies use this type of information.
Data sharing
The Ontario government is examining how data governance can be revised so that information can be shared among organizations to promote economic and societal development.
Ogletree Deakins will continue to monitor the proposed policy changes in Québec and Ontario and will post updates on the Cross-Border and Cybersecurity and Privacy blogs as additional information becomes available.
Michael C. Comartin is a shareholder in the Toronto office of Ogletree Deakins.
Ryan Martin is an associate in the Montréal office of Ogletree Deakins.
Caroline M. DeBruin is a 2020 graduate of Queens University, Faculty of Law, and an articling student in the Toronto office of Ogletree Deakins.
