We can say that cybersecurity and the protection of personal information are subjects that have come up quite frequently in the news in recent years. In fact, there are few months when we do not learn about a new data breach.
It is in this context that the Government of Quebec has decided to modernize its Act respecting the protection of personal information in the private sector, which dates from 1994. Bill 64, whose consultations ended this week at the National Assembly, aims to modernize several legislative provisions relating to the protection of personal information.
Droit-inc spoke with Me Vanessa Deschênes, lawyer and leader of the Data Protection, Privacy and Cybersecurity sector at Robic, to understand a little better what this law provides.
Droit-inc: Can we say that Quebec was due for a reform of the Act respecting the protection of personal information in the private sector…?
Vanessa Deschênes: Yes, indeed. In fact, it should be remembered that both laws, the public sector and the private sector laws on the protection of personal information, date from 1994.
The landscape of the protection of personal information has obviously changed a lot since then, in particular because of the central place digital technology now occupies in our lives. This is one of the reasons why it was long awaited.
I would say that there is also the fact that in 2018 the General Data Protection Regulation (GDPR) entered into force in Europe. Canada, at present, via its federal law, enjoys an equivalence status… But since European law has changed, Canada's equivalence status with regard to the GDPR will have to be reassessed. So we are talking about Canada, but also the provinces, including Quebec, since they also have their own laws.
Does that mean that Canada will have to do the same?
Yes. In fact, Canada has not tabled a bill, but discussions have been under way for several years about reform at the federal level. There have also been consultations at the federal level on specific portions, in particular consent. The federal government is working on a new version of the law.
This new version offers many amendments… Which are the most important, in your opinion?
It really is a major reform… so there are a lot of major changes! Obviously, the increase in penalties is one element. We are talking about the possibility of imposing fines of up to $25 million; this is a drastic change from the previous private sector law regime. The amounts are significantly higher than what currently exists.
There is also the introduction of new rights for individuals; I am thinking in particular of the concept of data portability.
An obligation to report and notify confidentiality incidents is also introduced, which does not currently exist in Quebec law but which already exists in federal law and in Alberta.
The other major changes revolve around what I would call compliance. We have a lot of additional elements concerning the operationalization of the law.
For example, the concept of the privacy impact assessment is introduced. Organizations are also asked to create policies and procedures, and possibly to publish them, so that adds a lot, from an administrative point of view, for organizations.
Do you think this is enough? Do you find that something is missing?
We know that the legislation is strongly inspired by the GDPR, which is considered, at present, the world standard for the protection of personal information. So I think that in itself already shows a good effort at improvement on the part of Quebec.
One thing that emerged from the specific consultations on consent, for example, and that is not found in the current bill, is the exception relating to the employer-employee relationship.
This is an exception that can already be found in the western provinces, such as Alberta and British Columbia. The employer-employee relationship is still a special relationship, where the notion of consent is a bit illusory, if I may say so. Because when one accepts a job, inevitably, the employer has to collect personal information… So, to what extent does the employee have the choice to give his or her consent or not? We can ask ourselves the question.
What several stakeholders have also raised, including the Privacy Commissioner of Canada, is that in 2020, the protection of personal information cannot be based on consent alone. Given the use of technology, consent in some cases becomes a bit illusory …
So the bill should possibly provide for other mechanisms, a bit like we find elsewhere in Europe, via the GDPR, to protect personal information.
Is this a bill that has enough “teeth”, in your opinion?
I think everyone agrees that the protection of personal information must be taken seriously. And that is the message the government wishes to send, by providing for tougher penalties.
During the special committee on the bill, opinions were divided on questions relating to sanctions… In fact, the question was not whether the bill had enough teeth, but rather whether it had too many, given the Quebec reality!
As I mentioned, the bill is very much inspired by European regulations… And what some speakers have raised is the fact that yes, it is important to send a clear message, but at the same time, Quebec does not necessarily have the same population as Europe.
And we must not forget either that Bill 64, if we take the private sector portion, targets every type of business, both large multinationals and SMEs, which, let us remember, make up the large majority of Quebec businesses.
I think the experts who have expressed reservations just want to make sure that the expected result will be the right one, in the sense that we must not forget that the majority of companies want to do well and act in good faith.
The law is principle-based; it is written in a broad and flexible way… and that can lead to interpretation.
What emerges is: is there a way to send a clear message, but perhaps to have an approach with a gradation of sanctions, for example?
Or to have an approach a bit like we see now at the federal level, or what the Access to Information Commission is also doing? That is to say that if there is a complaint filed, we see with the company, if indeed, its practices are contrary to the law, and if so, we suggest that it change its ways of doing things.
Most of the time, companies have put in place practices according to their interpretation of the law… And once the Access to Information Commission says: “no, that’s not exactly how it should be interpreted”, the vast majority of companies will make those changes.
It’s more that fear: we do not want to penalize companies that may have done things badly, but not deliberately.
Do you think that this will change a lot of things for companies and the way they collect and manage personal information?
If the bill is passed as is, I would tend to say yes! The project has an impact in the operationalization of the measures.
If I come back to the privacy impact assessment, if it’s adopted as is, it’s going to require companies to create new procedures …
The way the bill is drafted, each time a company has a new project that involves the use of information technologies, in particular, it will have to carry out a privacy impact assessment.
Take the example of a company that is 100% digital: that means that every time it creates something, it will have to do an evaluation. So it can get a bit heavy.
This is why the message the experts have often sent is: yes, we should perhaps better supervise our companies… And what came out a lot, too, is the supporting role of the State or of the Access to Information Commission. They say that companies need to have guides, precisely because they want to do things well. But the way the law is worded is a bit hazy.
So if at least we are able to support our businesses, at the end of the day, everyone will benefit. We just have to make sure that the expected result is achieved by the type of legislative provisions that we are going to include in the law.
Sometimes creating too heavy a process, is that really the right solution? It is about finding a balance between protecting the public’s personal information, and also being able to allow our businesses to innovate.
This is the reason why there are debates on the subject, it is really not an easy balance to find. But ultimately, the legislator must decide.
Could that mean, for example, that companies must hire someone specifically to take care of this aspect?
In fact, the bill says in black and white that the company must have a privacy officer.
By default, this is the person who has the highest authority within the organization … And this function can be delegated. But for sure depending on the nature of the company’s operations, yes, it can amount to a full-time job – for one person, and even several people.
This is sort of what businesses have raised as a point: yes, we take it seriously, but we also need to be supported.
The fact remains that in Quebec there are not that many experts in the field, whether in cybersecurity or in the protection of personal information! So if all companies start wanting to hire specialists, there will certainly not be enough!
It remains to be seen what the legislator will decide …