Privacy legislation
I. Quebec privacy protection legislation
(a) Civil Code of Quebec
The Civil Code contains provisions dealing with the administration of information pertaining to individuals as well as the protection of their reputation and privacy. Sections 35 to 41 of the Civil Code and the Quebec Protection Act enshrine an individual’s right to respect for their reputation and privacy and prohibit invasion of that privacy.
It is noteworthy that the Civil Code cites examples of what constitutes an invasion of privacy, without being exhaustive on the matter. These examples include the intentional interception or use of private communications and the keeping of an individual’s private life under observation by any means. These sections will affect, for example, the ability of employers to tape or film employees as means of accumulating evidence, although it is still permitted under certain circumstances.
The Civil Code also provides that anyone who establishes a file on another person must have a serious reason for doing so and may gather only information relevant to the stated objective of the file. Relevance has been interpreted as referring to the concept of “necessity.”
(b) Quebec Protection Act
The primary objective of the Quebec Protection Act is to create a set of rules for the protection of personal information that is collected, held, used or communicated to third persons in the course of “carrying on an enterprise.” The term “enterprise” is defined in article 1525 of the Civil Code as “the carrying on by one or more persons of an organized economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property, or providing a service.”
Personal information is defined as any information that relates to a “natural person” and allows that person to be identified, whatever its medium and the form in which it is accessible, whether written, graphic, taped, filmed, computerized or other. Any person carrying on an enterprise who, for a serious and legitimate reason, collects personal information on another person must determine the purposes for collecting the information before doing so, and may collect only the information necessary for the purposes determined before collecting it. This legislation only applies to information that concerns a natural person.
Provided that personal information is collected in accordance with the Quebec Protection Act, it may only be used for the purposes stated at collection. However, the consent of the person concerned may be obtained in order to use such personal information for any other purpose or before it is communicated to third parties. Consent of the person concerned must be manifest, free and given for a specific purpose. Under Act 25, businesses that collect personal information will be required to inform individuals of the purposes for which the information is collected, the means by which the information is collected, the rights of access and rectification provided by law and of the person’s right to withdraw consent to the communication or use of the information collected. If applicable, individuals must be informed of any third parties to whom it is necessary to communicate the information and of the possibility that the information could be communicated outside Quebec. The information must be provided in clear and simple language. Implied consent is possible in specific circumstances.
The Quebec Protection Act also states that a person carrying on an enterprise must take the necessary security measures to ensure the protection of the personal information collected, used, communicated, kept or destroyed and that are reasonable given the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored. Under Act 25, enterprises offering a technological product or service that has privacy parameters will be required to ensure that the privacy parameters offer the highest level of confidentiality by default – without any intervention by the person concerned.
Act 25 will also require enterprises to designate a person to be in charge of the protection of personal information, who will be responsible for implementing privacy safeguards in accordance with the law. By default, this person is the one with the highest authority within the company; however, the role may be delegated in writing to any employee.
As a general rule, the communication or disclosure of personal information by a person to third parties without consent is prohibited. However, the Quebec Protection Act also provides certain exceptional situations in which an enterprise may communicate or disclose personal information regarding a natural person to a third person without consent (including communication to the attorney of the person holding the file; to a person responsible, by law, for the prevention, detection or repression of crime or statutory offences who requires it in the performance of their duties; if the information is needed for the prosecution of an offence; or to a person to whom it is necessary to communicate the information). Other exceptions relate to communication to a person to whom it is necessary to communicate the information under the law or a collective agreement and who requires it in the performance of their duties; to a public body in compliance with the representatives’ functions or the implementation of a program; to a person or body having the power to compel communication; in cases of emergency where life, health or safety is threatened; to an authorized person in the context of a study, record or statistical purposes; to a person authorized by law to recover debts; and to third parties to whom nominative lists are communicated in accordance with the Act. Authorized personnel within an enterprise, agents, mandataries and parties to a contract for work and services have access, without the authorization of the person concerned, to personal information needed for the performance of their duties. The Act also deals with the rights of a person carrying on an enterprise to use or communicate a nominative list (a list of clients, for example), and enacts rules by which business development using nominative lists may be conducted.
If the information is communicated outside the Province of Quebec, measures must be taken to ensure that the information will not be used for purposes not relevant to the object of the file. The Quebec Protection Act establishes that a person carrying on an enterprise in Quebec who wishes to communicate, outside of Quebec, information relating to persons residing in Quebec, or to entrust a person outside of Quebec with the task of holding, using or communicating such information, must refuse to do so if they believe that the information will not receive the proper protection. Under Act 25, enterprises will be required to conduct a privacy impact assessment (PIA) prior to communicating any personal information outside of Quebec. The PIA will need to take into account the sensitivity of the information, the purposes for which it is to be used, the protection measures, including contractual ones, that would apply to it, and the legal framework applicable in the State to which the information will be communicated. Additionally, transfers of personal information outside of Quebec will need to be governed by a written contract that takes into account any weaknesses identified by the PIA.
Other provisions in the Quebec Protection Act address the right of the individual concerned to access their personal information and to rectify any inaccuracies contained in such information by adding, deleting or commenting on information. In certain cases, the person carrying on an enterprise will have the right to refuse access, whether partially or totally. Any dispute arising from the right of the individual concerned to access personal information shall be submitted to the Commission d’accès à l’information (CAI), a specialized tribunal. Personal information held by professional orders is also subject to the Act.
One of the most noteworthy amendments to the Quebec Protection Act brought by Act 25 is the mandatory reporting of “confidentiality incidents”, defined as any unauthorized access, use, disclosure, loss of, or any other breach in the protection of personal information in an enterprise’s custody. Enterprises will be required to notify affected individuals and report to the CAI any confidentiality incident that presents a “risk of serious injury” to one or more individuals. Act 25 will further require enterprises to maintain a registry of all confidentiality incidents, including incidents not meeting the “risk of serious injury” threshold, and to make it available to the CAI upon request. Such a registry should be maintained for at least 5 years after an incident.
Finally, Act 25 greatly increases the fines that can be imposed for violations of the Quebec Protection Act. This new regime gives the Commission d’accès à l’information the power to impose administrative monetary penalties of up to $10 million, or an amount corresponding to 2% of worldwide turnover for the preceding fiscal year. These fines could apply to a wide range of violations, including the failure to report a privacy breach. Furthermore, Act 25 gives the Commission the right to institute criminal proceedings for an offence under the Quebec Protection Act. These criminal proceedings may lead to fines of up to $25 million, or an amount corresponding to 4% of worldwide sales for the previous fiscal year. These amounts are doubled in the event of a repeat offence.
II. Federal privacy protection legislation (PIPEDA)
The federal PIPEDA legislation is very similar to the Quebec Protection Act before the amendments brought by Act 25. It applies to every organization (i.e. an association, a partnership, a person, a trade union) with respect to personal information that is collected, held, used or disclosed in the course of commercial activities. Although many of the provisions of the federal act are akin to those of the Quebec Protection Act, PIPEDA will apply whenever personal information is disclosed outside the province of Quebec, as well as to all organizations that are federally regulated (such as banks, railways and airlines). This legislation applies to personal information, i.e. information about an identifiable individual, not including the name, title or business address or telephone number of an employee of an organization.
PIPEDA establishes a number of key principles governing the collection, use and disclosure of personal information, which can be summarized as follows:
- Subject only to specified exceptions, information shall not be collected, used or disclosed without the knowledge and consent of the individual to whom it pertains.
- Generally, organizations will be required to collect personal information solely from the individual to whom the information pertains and only after disclosing to the individual how the information will be used and disclosed.
- The information may only be used or disclosed in the manner identified at the time of collection unless further consent is obtained from the individual; an individual may withdraw a previously given consent.
- The individual to whom the information pertains may, by written request, obtain information regarding the existence, use and disclosure of their personal information and, subject to certain exceptions, obtain access to the information; an individual may also challenge the accuracy of the information and have the information corrected where appropriate.
- Personal information is to be retained only as long as is necessary to fulfill the purpose for which it was collected, or to permit an individual to access their information pursuant to a request for access.
- Personal information must be protected by security safeguards appropriate to the sensitivity of the information, which shall protect the personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. These methods of protection should include physical, organizational and technological measures. PIPEDA creates a mandatory breach reporting regime that is expected to come into force in 2018.
- The organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information. Furthermore, the organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the Act.
Any dispute arising from an individual’s right of access, or any complaint regarding compliance with the Act, shall be submitted to the Office of the Privacy Commissioner of Canada for investigation. Upon the filing of the Commissioner’s report on the dispute/complaint, a complainant may apply to the Federal Court for a hearing. The Commissioner may also, on reasonable notice, audit the personal information management practices of an organization.
We note that in June 2022, the Honourable François-Philippe Champagne, Minister of Innovation, Science and Industry, introduced the Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts (Bill C-27). The introduction and first reading of Bill C-27 took place on June 16, 2022 and, as at January 2023, the bill is at second reading in the House of Commons.
If passed, this highly anticipated bill would overhaul the federal government’s approach to regulating privacy in the private sector by enacting the new Consumer Privacy Protection Act (CPPA) and consequently repealing parts of PIPEDA that regulate the processing of personal information. Second, the bill would also enact the Personal Information and Data Protection Tribunal Act, which establishes an administrative tribunal to hear appeals of certain decisions made by the Privacy Commissioner of Canada under the CPPA and imposes penalties for contravention of some of its provisions. Third, it enacts the Artificial Intelligence and Data Act, serving to regulate international and interprovincial trade and commerce in artificial intelligence (AI) systems by requiring that certain persons adopt measures to mitigate risks of harm and biased output related to high-impact AI systems. The CPPA redrafts PIPEDA’s schedule of privacy principles into substantive provisions in the body of the Act and many of PIPEDA’s obligations have been carried over into the CPPA. However, the CPPA would also create several new and enhanced obligations for private sector organizations including:
- an obligation to implement a privacy management program that includes policies, practices and procedures designed to ensure compliance with the CPPA and to provide the Commissioner with access to those policies, practices and procedures upon request;
- requirements to provide plain-language explanations about the processing of personal information, both in connection with obtaining valid consent and to meet transparency requirements under the CPPA;
- data portability rights to give individuals greater control over the transfer of their personal information from one organization to another;
- the obligation to allow individuals to request that the organization dispose of their personal information, subject to limited exceptions;
- new transparency requirements that apply to automated decision-making systems like algorithms and AI, requiring businesses to explain how such systems are utilized;
- rules governing how and when de-identified information derived from personal information may be created, used and shared;
- an obligation for organizations to de-identify personal information prior to sharing it with parties in the context of a proposed business transaction, for example, in the due diligence phase; and
- a designated special status for the personal information of minors.
III. Canada's Anti-Spam Legislation
Canada’s Anti-Spam Legislation (CASL) came into force on July 1, 2014 and introduced measures to address the problems of unsolicited commercial e-mails (spam), as well as phishing, spyware and malware (these prohibitions came into force on January 1, 2015).
CASL prohibits sending commercial electronic messages to an electronic address by means of a computer system located in Canada without the recipient’s prior consent (an opt-in system). This prohibition covers all forms of telecommunication, including e-mail, instant messaging and telephone, and all forms of messages, including text, sound, voice or image. A “commercial electronic message” is one designed to encourage participation in a “commercial activity.” It is important to note that an electronic message that contains a request for consent to send a commercial electronic message also constitutes a “commercial electronic message” prohibited by CASL.
Recipients’ consent may be expressed or implied in certain situations. Implied consent is deemed to exist when there is an “existing business relationship” between the recipient and the sender, for instance the recipient’s purchase or lease from the sender of a product, good or service within two years preceding the message. Implied consent can also arise where a contract is entered into between the recipient and the sender or the recipient accepts a business, investment or gaming application to the sender within a six-month period preceding the commercial electronic message. CASL also provides a few “limited” circumstances where consent would not be required prior to the sending of a commercial electronic message.
Once express or implied consent exists, any commercial electronic message has to contain an unsubscribe mechanism that allows the recipient to unsubscribe using the same electronic means by which the message was sent or, if impracticable, another electronic means by which an unsubscribe directive can be given. The message must also contain a link to a website or an electronic address accessible with a browser where the recipient can unsubscribe. Any commercial electronic message that fails to comply with this or other specified requirements violates the law as soon as transmission is initiated, whether or not the message is actually received.
CASL provides for a private right of action for persons affected by contraventions of CASL. This private right of action was supposed to come into force on July 1, 2017, but has been suspended for an undetermined period of time. An application exercising the private right of action may be made to the Federal Court of Canada or the Superior Court of a province. Upon demonstrating a violation of CASL, an applicant will be entitled to compensation for damages suffered as a result of the violation and, depending on the specific violation, a maximum of $200 for each contravention, not exceeding $1,000,000 for each day.
CASL also amends PIPEDA by adding to its provisions a prohibition on collecting an individual’s electronic address using a computer program designed for that purpose, on collecting personal information through unauthorized access to a computer system, and on using such illegally collected information. The private right of action created by CASL will also apply to these prohibitions, thus adding teeth to PIPEDA, which so far provided only one remedy, i.e. a complaint to the Privacy Commissioner’s Office.
The Governor General in Council, on the recommendation of the Minister of Industry, has made the Electronic Commerce Protection Regulations. The Regulations aim to define key terms and exceptions in CASL and to respond to business concerns. They provide new exemptions for certain business activities that are now outside the intended scope of the Act.
The Regulations propose a broader definition of “personal relationship”, which now includes virtual relationships between individuals. The Regulations also include:
- broader exemptions for messages sent in a business-to-business context;
- clarification on when CASL will not apply to messages sent from outside Canada;
- an exemption for messages sent to satisfy legal obligations;
- an exemption for messages that are solicited or sent in response to complaints or requests;
- conditions for the use of consents obtained by third parties; and
- provisions related to the installation of certain computer programs by telecommunication service providers.