Last September 22, many changes were made to Quebec's Act respecting the protection of personal information in the private sector [1] (the Act) that are described at greater length in an earlier legal update.
It is important to note that the Act and these changes apply to private enterprises and to the information they collect on their employees. [2]
Here is a quick look at some of the changes that came into effect on September 22, 2023.
Adoption and publication of policies protecting personal information
Enterprises must establish and implement governance policies and practices protecting personal information and publish detailed information about those policies and practices on their website. The goal is to “provide a framework for the keeping and destruction of the information, define the roles and responsibilities of the members of […] personnel throughout the life cycle of the information and provide a process for dealing with complaints regarding the protection of the information.” [3]
If information is collected through technological means allowing a person or employee to be identified, located or profiled, the enterprise must first inform the person. This obligation is especially important in that it may apply in cases where the technologically collected information deals with employee work performance. This type of collection will need to be governed by a confidentiality policy that is “drafted in clear and simple language,” published on the enterprise’s website and disseminated to the employees. [4]
Furthermore, if the technology used to collect personal information offers profiling, location and identification functions, the persons concerned must be informed of the use of such technology and of the means available “to activate” [5] the functions.
Enterprises would therefore be well-advised to adopt and publish the requisite policies or, if they already have such policies in place, update them to ensure that they comply with the provisions of the Act.
Privacy impact assessment
Enterprises subject to the Act must now conduct a privacy impact assessment (PIA) under certain circumstances, notably before implementing any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information. [6] The Commission d’accès à l’information has a guide (available in French only) that walks enterprises through this assessment. The guide also gives examples of projects for which such an assessment may become mandatory. These include the development of a new information system, the use of an algorithmic or artificial intelligence system, the installation of a video-surveillance system as well as the merger and acquisition of organizations.
When such an assessment is required, the person responsible for protecting personal information will need to be consulted at the time of the project’s inception. The assessment must be proportional to certain factors, such as the sensitivity of the information in question and its intended use.
A PIA will also need to be conducted whenever the release of personal information outside Quebec is being considered. [7]
New requirements before releasing personal information outside Quebec
Before personal information can be released outside Quebec, an enterprise must conduct a PIA that takes into consideration such factors as the information’s sensitivity, the protection measures that would apply to it abroad, and the legal framework applicable in the state in which the information would be released. The information may only be released outside Quebec if the assessment, once completed, establishes that it would receive adequate protection in light of generally recognized principles regarding the protection of personal information. A written agreement that takes into account the assessment’s results and the terms agreed on to mitigate the risks identified will need to be entered into between the parties concerned by the release outside Quebec.
This is a crucial element that all enterprises should consider if they do business with third-party cloud service providers whose servers may be established outside Quebec.
Information collection and consent
When an enterprise collects personal information (for example, on its employees or during the hiring process), it must now, when the information is collected and subsequently on request, inform the person (i) of the purposes for which the information is collected, (ii) of the means by which the information is collected, (iii) of the rights of access and rectification, (iv) of the person’s right to withdraw consent to the communication or use of the information collected, and (v) of the possibility that the information could be released outside Quebec. [8]
If the information is being collected for a third person, the person concerned must be informed of the name of that third person. If the information collected must be communicated to a third person, that third person’s name or category must be disclosed. This requirement might apply, for instance, in cases where a criminal background check is conducted by an external firm.
The Act also sets out new requirements regarding consent to the collection of personal information. Note, first, that the consent given by the person concerned by the collection of personal information must be manifest, free and enlightened, and be given for specific purposes. [9] Under the changes made to the Act, consent is now valid only for the time necessary to achieve the purposes for which it was requested. If an enterprise wants to use the information for a purpose other than that for which it was originally collected, it must, at least in theory, obtain a new consent, subject to the exceptions provided for in the Act. [10]
Other changes
The Act also sets out new obligations relating, more specifically, to the destruction and anonymization of personal information that has served its purpose. For more information on these other changes to the Act that came into effect on September 22, 2023, and for a review of the changes that came into effect in September of 2022, we invite you to consult our previous publication.
Conclusion
This overview of the changes to the Act reveals that the legislator intended to enhance the protection afforded to information collected by enterprises. In addition to this, new sanctions may also be coming into effect: monetary administrative penalties of up to $10 million or, if greater, 2% of the worldwide turnover for the preceding fiscal year. The penal sanctions are even more onerous, reaching up to $25 million or, if greater, the amount corresponding to 4% of the worldwide turnover for the preceding fiscal year.
At the same time, enterprises will also need to actively prepare themselves for the coming into effect, on September 22, 2024, of the obligations relating to the right to data portability. [11] This right will allow any person from whom personal information has been collected to ask that it be released to him or her in a structured, commonly used technological format.
The authors wish to thank Cécilia Barrette-Leduc, articling student, for her help in preparing this legal update.