Privacy legislation
I. Provincial Laws and Regulations
(a) CCQ
The CCQ (Civil Code of Québec) contains provisions dealing with the administration of information about individuals and the protection of their reputation and privacy. Sections 35 to 41 of the CCQ and the Quebec Privacy Act (the Act respecting the protection of personal information in the private sector) enshrine an individual’s right to have their reputation and privacy respected and prohibit invasion of that privacy.
It is noteworthy that the CCQ cites examples of what constitutes an invasion of privacy, without being exhaustive on the matter.
These examples include the intentional interception or use of private communications and the keeping of an individual’s private life under observation by any means. These sections affect, for example, an employer’s ability to record or film employees in order to gather evidence, although this remains permitted under certain circumstances.
The CCQ sets out a two-step test for gathering a file on another person: (i) the person who establishes the file must have a “serious and legitimate reason for doing so”, and (ii) the person may only gather information deemed relevant to the stated objective of the file.[3] The term “relevant” has been interpreted narrowly, by reference to the concept of “necessity” in the Quebec Privacy Act.[4] More precisely, gathering a piece of information is deemed necessary only when doing so allows the “serious and legitimate reason” stated before the file was established to be achieved.[5] While the CCQ sets out general principles for privacy rights, the Quebec Privacy Act sets out a more comprehensive set of rules applying to persons carrying on an enterprise as defined under section 1525 of the CCQ.
(b) The Quebec Privacy Act
Objective, Scope, and Definitions
The primary objective of the Quebec Privacy Act is to create a set of rules for the protection of (i) personal information that is collected, held, used, or communicated to third persons in the course of (ii) “carrying on an enterprise”. An additional distinction is made for (iii) “sensitive personal information”.
(i) Personal Information | In the context of the Quebec Privacy Act, personal information is defined as any information that relates to a natural person and directly or indirectly allows that person to be identified. Although a case-by-case analysis must be conducted, this definition applies only to information concerning a natural person; it excludes business information, however sensitive, such as a business’s financial information or trade secrets.
(ii) Enterprise | This term is defined in section 1525 of the CCQ as “the carrying on by one or more persons of an organized economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property or providing a service.”
(iii) Sensitive Personal Information | The information is deemed sensitive due to its nature (e.g., medical record, biometric data, etc.), the context in which it is collected or because there is a high level of reasonable expectation of privacy. Personal information held by professional orders is also subject to the Quebec Privacy Act.
Collection
Any person carrying on an enterprise who, for a serious and legitimate reason, collects personal information on another person must determine the purposes for collecting the information before doing so and may collect only the information necessary for those purposes.
Personal information collected under the Quebec Privacy Act may only be used for the purposes stated at collection. The consent of the person concerned may, however, be obtained in order to use the information for another purpose or to communicate it to third parties. Consent must be manifest, free, and given for a specific purpose. Information about a minor under 14 years of age may be collected only with the consent of the person having parental authority or of the tutor, unless collection is clearly for the minor’s benefit.
Access by the Person Concerned and Disclosure to Third Parties
Under the Quebec Privacy Act, businesses that collect personal information are required to inform individuals of the purposes for which the information is collected, the means by which it is collected, the rights of access and rectification provided by law, and the person’s right to withdraw consent to the communication or use of the information collected. Provisions of the Quebec Privacy Act address the right of the individual concerned to access their personal information and to rectify any inaccuracies in it by adding, deleting or commenting on information. In some instances, the person carrying on an enterprise may refuse access, in whole or in part. Any dispute arising from an individual’s right of access shall be submitted to the Commission d’accès à l’information (CAI), a specialized tribunal.
As a general rule, the communication of personal information to third parties without consent is prohibited. However, the Quebec Privacy Act also provides for certain exceptional situations in which an enterprise may communicate personal information about a natural person to a third party without consent, including communication to the attorney of the person holding the file; to a person responsible, by law, for the prevention, detection or repression of crime or statutory offences who requires it in the performance of their duties; where the information is needed for the prosecution of an offence; or to a person to whom it is necessary to communicate the information. Other exceptions relate to:
- The communication to a person to whom it is necessary to communicate under the law or a collective agreement and who requires it in the performance of their duties.
- A public body that requires the information in the exercise of its functions or the implementation of a program under its management.
- A person or body having the power to compel communication.
- In cases of emergency where life, health or safety is threatened.
- An authorized person in the context of a study, record or statistical purposes.
- A person authorized by law to recover debts.
- Third parties to whom nominative lists are communicated in accordance with the Quebec Privacy Act.
Authorized personnel within an enterprise, agents, mandataries and parties to a contract for work and services have access, without the authorization of the person concerned, to the personal information needed for the performance of their duties. The Quebec Privacy Act also deals with the right of a person carrying on an enterprise to use or communicate a nominative list (a list of clients, for example) and enacts the rules under which business development using nominative lists may be conducted. Where applicable, individuals must be informed of the name of any third party to whom it is necessary to communicate the information and of the possibility that it could be communicated outside Quebec. This information must be provided in clear and simple language. Implied consent is possible in specific circumstances.
Safeguards: Governance Policies & Practices, Privacy Impact Assessment (PIA), and Privacy by Default
The Quebec Privacy Act now requires enterprises to designate a person to be in charge of protecting personal information and who will be responsible for implementing privacy safeguards in accordance with the law. By default, this person is the one with the highest authority within the company; however, the role may be delegated to any employee in writing. In addition, a person carrying on an enterprise must take the necessary security measures to ensure the protection of the personal information collected, used, communicated, kept or destroyed and which are reasonable given the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored. Moreover, privacy by default is now enshrined in the Quebec Privacy Act, as enterprises offering a technological product or service that has privacy parameters are required to ensure that the privacy parameters provide the highest level of confidentiality by default—without any intervention by the person concerned. This parameter requirement does not apply to privacy settings for browser cookies. Companies that collect personal information through technological means must publish a confidentiality policy drafted in clear and simple language on the enterprise’s website, if applicable.
Since September 22, 2023, companies have been required to have a greater understanding of the personal information they hold and their use of it. A PIA must be done regarding the acquisition, development and redesign of an information system involving the collection, use, communication, keeping or destruction of personal information. In addition, enterprises are required to conduct a PIA before communicating any personal information outside of Quebec. The PIA needs to consider the sensitivity of the information, the purposes for which it is to be used, the protection measures, including contractual ones, that would apply to it, and the legal framework applicable in the State to which the information will be communicated. Additionally, transfers of personal information outside of Quebec will need to be governed by a written contract that considers any weaknesses identified by the PIA and, if applicable, the terms agreed on to mitigate the risk identified in the PIA.
Confidentiality Incident Notification
Since September 22, 2022, the Quebec Privacy Act has imposed mandatory notification of any confidentiality incident that presents a risk of serious injury. A confidentiality incident is defined as any unauthorized access, use or disclosure, loss, or any other breach in the protection of personal information in an enterprise’s custody. Enterprises must promptly notify the CAI and the affected individuals, unless doing so would hamper a criminal or statutory offence investigation. The Regulation Respecting Confidentiality Incidents specifies the content of the notification to be sent if an enterprise does not use the form provided by the CAI. Enterprises are required to maintain a register of all confidentiality incidents, including those not meeting the “risk of serious injury” threshold, and to make it available to the CAI upon request. The register must be kept for at least five years after the date the enterprise becomes aware of an incident.
Enforcement Mechanisms
The Quebec Privacy Act now provides for greater enforcement mechanisms.
The new regime gives the CAI the power to impose administrative monetary penalties of up to $10 million or 2% of worldwide turnover for the preceding fiscal year, whichever is higher. These penalties can apply to a wide range of violations, including the failure to report a confidentiality incident. Furthermore, the CAI may institute penal proceedings for an offence under the Quebec Privacy Act, which may lead to fines of up to $25 million or 4% of worldwide turnover for the preceding fiscal year, whichever is higher. These amounts are doubled in the event of a repeat offence.
(c) Regulation Respecting the Anonymization of Personal Information
The Regulation Respecting the Anonymization of Personal Information came into force on May 30, 2024. It provides the framework an enterprise must follow when, as the Quebec Privacy Act permits, it anonymizes personal information rather than destroying it once the purposes for which the information was collected have been achieved. As with a PIA, the enterprise must conduct a risk assessment before, during and after the anonymization process. It must also keep a register recording:
- A description of the personal information that has been anonymized.
- The purposes for which the enterprise intends to use the anonymized information.
- The anonymization techniques used.
- The protection and security measures established.
- The date on which a re-identification risk analysis was last conducted.
Enterprises are not required to demonstrate a 0% risk of re-identification. Instead, they must show that the residual risk of re-identification is very low. Anonymization techniques must be consistent with generally accepted best practices and provide reasonable protection as well as security measures to reduce the risk of re-identification. The methods chosen are selected based on the preliminary analysis of the re-identification risks.
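The following is a worked example of the re-identification risk analysis the regulation calls for, added here as an illustration; it is not part of the regulation, of the CAI’s guidance, or of the original article. It assumes a constructed table of quasi-identifiers (age, postal code, sex) alongside a health attribute, generalizes the quasi-identifiers along a fixed ladder until every retained record shares its values with at least k others (k-anonymity), suppresses the outliers that no ladder step can hide, and reports the prosecutor-model residual risk (1/k per record) that the register entry should capture. The records, ladder, k and suppression budget are all assumptions; in practice they come out of the preliminary risk analysis.

```python
from collections import Counter

# Constructed sample records (not real data). Quasi-identifiers are the
# attributes an attacker could link to an outside source such as a voters
# list; "diagnosis" is the attribute the enterprise wants to keep usable.
RECORDS = [
    {"age": 34, "postal": "H2X 1Y4", "sex": "F", "diagnosis": "asthma"},
    {"age": 36, "postal": "H2X 2B7", "sex": "F", "diagnosis": "diabetes"},
    {"age": 35, "postal": "H2X 3K9", "sex": "F", "diagnosis": "asthma"},
    {"age": 52, "postal": "G1R 5P3", "sex": "M", "diagnosis": "hypertension"},
    {"age": 58, "postal": "G1R 2Z1", "sex": "M", "diagnosis": "asthma"},
    {"age": 55, "postal": "G1R 4C8", "sex": "M", "diagnosis": "diabetes"},
    {"age": 71, "postal": "J7Y 8M2", "sex": "F", "diagnosis": "hypertension"},
]
QUASI_IDENTIFIERS = ("age", "postal", "sex")

# Assumed generalization ladder: (age band width in years, postal code
# characters kept). Each step discloses less than the one before it.
LADDER = ((1, 7), (5, 3), (10, 3), (20, 3), (20, 0))


def generalize(record, age_band, postal_chars):
    """Map one record's quasi-identifiers to their generalized form."""
    lo = (record["age"] // age_band) * age_band
    return (f"{lo}-{lo + age_band - 1}", record["postal"][:postal_chars], record["sex"])


def equivalence_classes(records, age_band, postal_chars):
    """Count how many records share each generalized quasi-identifier tuple."""
    return Counter(generalize(r, age_band, postal_chars) for r in records)


def reidentification_risk(records, age_band, postal_chars):
    """Prosecutor model: an attacker who knows the target is in the table and
    knows its quasi-identifiers picks the right row with probability 1/k,
    where k is the size of the target's equivalence class."""
    classes = equivalence_classes(records, age_band, postal_chars)
    risks = [1 / classes[generalize(r, age_band, postal_chars)] for r in records]
    return {"k_min": min(classes.values()), "max_risk": max(risks), "avg_risk": sum(risks) / len(risks)}


def anonymize(records, k=2, max_suppression=0.2, ladder=LADDER):
    """Walk the ladder; at each step suppress records whose class is smaller
    than k and accept the first step whose suppression rate fits the budget.
    Returns (anonymized rows, number suppressed, parameters, residual risk)."""
    if not records:
        raise ValueError("nothing to anonymize")
    for age_band, postal_chars in ladder:
        classes = equivalence_classes(records, age_band, postal_chars)
        kept = [r for r in records if classes[generalize(r, age_band, postal_chars)] >= k]
        suppressed = len(records) - len(kept)
        if suppressed / len(records) <= max_suppression:
            rows = [generalize(r, age_band, postal_chars) + (r["diagnosis"],) for r in kept]
            params = {"age_band": age_band, "postal_chars": postal_chars, "k": k}
            return rows, suppressed, params, reidentification_risk(kept, age_band, postal_chars)
    raise ValueError("no ladder step meets k within the suppression budget; extend the ladder")


def register_entry(params, risk, suppressed, purpose, security_measures, analysed_on):
    """Assemble the five fields the regulation's register calls for."""
    return {
        "information_anonymized": f"quasi-identifiers {QUASI_IDENTIFIERS}; {suppressed} record(s) suppressed",
        "purpose": purpose,
        "techniques": (f"{params['k']}-anonymity: age generalized to {params['age_band']}-year bands, "
                       f"postal code truncated to {params['postal_chars']} characters, outliers suppressed"),
        "security_measures": security_measures,
        "last_risk_analysis": analysed_on,
        "residual_risk": risk,
    }


if __name__ == "__main__":
    rows, suppressed, params, risk = anonymize(RECORDS)
    for row in rows:
        print(row)
    # Purpose, measures and date are assumed values for the demonstration.
    print(register_entry(params, risk, suppressed,
                         purpose="aggregate statistics on service usage",
                         security_measures="output stored apart from the raw file; access limited to analysts",
                         analysed_on="2024-06-01"))
```

On the constructed data the walk stops at 10-year age bands and the three-character forward sortation area, keeping six of seven records in two classes of three, so the residual risk is 1/3 per record rather than the 0% the regulation does not demand. Two caveats a practitioner would note: k-anonymity addresses identity disclosure only, and a class in which every record carries the same diagnosis still discloses that attribute (the usual remedy is an l-diversity style check on the sensitive column); and the risk must be re-analysed, and the register updated, whenever the anonymized output is combined with new data, since that is what the “after” step of the assessment exists to catch.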
II. Federal privacy protection legislation
(a) PIPEDA
Scope and Application
The federal PIPEDA legislation is very similar to the Quebec Privacy Act as it stood before the amendments introduced by Act 25. It applies to every organization (e.g., an association, a partnership, a person, a trade union) with respect to personal information collected, held, used or disclosed in the course of commercial activities. Because the Quebec Privacy Act has been recognized as substantially similar to PIPEDA, PIPEDA generally does not apply to activity confined within Quebec; it does apply whenever personal information is disclosed outside the province and to all federally regulated organizations (such as banks, railways, and airlines). PIPEDA applies to “personal information”, defined as information about an identifiable individual, not including the name, title, business address or telephone number of an employee of an organization.
PIPEDA’s Fair Information Principles
PIPEDA establishes ten fair information principles governing the collection, use, and disclosure of personal information. The principles can be summarized as follows:
- Subject only to specified exceptions, information shall not be collected, used or disclosed without the knowledge, and consent of the individual to whom it pertains.
- Generally, organizations will be required to collect personal information solely from the individual to whom the information pertains and only after disclosing to the individual how the information will be used and disclosed.
- The information may only be used or disclosed in the manner identified at the time of collection unless further consent is obtained from the individual; an individual may withdraw a previously given consent.
- The individual to whom the information pertains may, by written request, obtain information regarding the existence, use, and disclosure of their personal information. Subject to certain exceptions, the individual may obtain access to the information, challenge the accuracy of the information, and have the information corrected where appropriate.
- Personal information is to be retained only as long as it is necessary to fulfill the purpose for which it was collected, or to permit an individual to access their information pursuant to a request for access.
- Personal information must be protected by security safeguards appropriate to its sensitivity. These safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification, and should include physical, organizational, and technological measures. PIPEDA also has a mandatory breach reporting regime, in force since November 1, 2018, under the Breach of Security Safeguards Regulations.
- The organization shall make specific information about its policies and practices relating to the management of personal information readily available to individuals. Furthermore, the organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the PIPEDA.
Dispute Resolution Mechanism
Any dispute arising from an individual’s right to access or any complaint regarding the respect of PIPEDA shall be submitted to the Office of the Privacy Commissioner of Canada for investigation. Upon the filing of the Privacy Commissioner of Canada’s (Privacy Commissioner) report on the dispute/complaint, a complainant may apply to the Federal Court for a hearing. On reasonable notice, the Privacy Commissioner may also audit an organization’s personal information management and practices.
(b) Bill C-27
In June 2022, the Honourable François-Philippe Champagne, Minister of Innovation, Science and Industry, introduced Bill C-27. The introduction and first reading of Bill C-27 took place on June 16, 2022, and it is now, as of June 2024, in consideration in committee.
Consumer Privacy Protection Act (CPPA)
If passed, Bill C-27 would enact the CPPA, which would overhaul the federal government’s approach to regulating privacy in the private sector and consequently repeal parts of PIPEDA that regulate the processing of personal information. The CPPA redrafts PIPEDA’s Schedule of privacy principles into substantive provisions, and many of PIPEDA’s obligations have been carried over into the CPPA. However, the CPPA would also create several new and enhanced obligations for private sector organizations, including:
- An obligation to implement a privacy management program that includes policies, practices, and procedures designed to ensure compliance with the CPPA and to provide Privacy Commissioner with access to those policies, practices and procedures upon request.
- Requirements to provide plain-language explanations about the processing of personal information, both in connection with obtaining valid consent and to meet transparency requirements under the CPPA.
- Data portability rights to give individuals greater control over the transfer of their personal information from one organization to another.
- The obligation to allow individuals to request that the organization dispose of their personal information, subject to limited exceptions.
- New transparency requirements that apply to automated decision-making systems like algorithms and artificial intelligence (AI), requiring businesses to explain how such systems are utilized.
- Rules governing how and when de-identified information derived from personal information may be created, used and shared.
- An obligation for organizations to de-identify personal information prior to sharing it with parties in the context of a proposed business transaction, for example, in the due diligence phase.
- A designated special status for the personal information of minors.
Enforcement of the CPPA
The maximum administrative monetary penalty is the higher of $10 million and 3% of worldwide turnover for the preceding fiscal year. When determining the penalty to be imposed, the Privacy Commissioner must consider, non-exhaustively, the following:
- The nature and scope of the contravention.
- Any evidence that the organization exercised due diligence to avoid the contravention.
- Whether the organization made reasonable efforts to mitigate or reverse the contravention’s effects.
- The organization’s ability to pay the penalty and if paying the fine will affect the organization’s ability to carry on its business.
Ceiling amounts for penal sanctions are the higher of $25 million and 5% of worldwide turnover for the preceding fiscal year.
Bill C-27 would also enact the PIDPTA (Personal Information and Data Protection Tribunal Act), which establishes an administrative tribunal to hear appeals of certain decisions made by the Privacy Commissioner under the CPPA and to impose penalties for contravention of some of its provisions. A complainant would have thirty days after the day on which the Privacy Commissioner renders the decision to appeal it to the tribunal.
Artificial Intelligence and Data Act (AIDA)
Bill C-27 enacts the AIDA, which regulates international/interprovincial trade and commerce in AI systems by requiring that certain persons adopt measures to mitigate risks of harm and biased output related to high-impact systems. The term “high-impact systems” is yet to be defined in a coming regulation, but the following factors could be included in the regulation to assess the AI system6:
- Evidence of risk of harm to health and safety.
- Risk of adverse impact on human rights.
- The severity of the potential harm.
- The scale of use.
- The nature of harms or adverse impacts that have already taken place.
III. Canada's Anti-Spam Legislation
CASL introduced measures to address the problems of unsolicited commercial e-mails (spam), phishing, spyware, and malware.
Scope and Definitions
CASL prohibits sending commercial electronic messages (CEM) to an electronic address by means of a computer system located in Canada without the recipient’s prior consent (an opt-in system). This prohibition covers all forms of telecommunication, including e-mail, instant messaging and telephone accounts, and all forms of messages, including text, sound, voice or image. A CEM is a message designed to encourage participation in a “commercial activity”. It is important to note that an electronic message containing a request for consent to send a CEM is itself a CEM and is also prohibited without consent.
Recipients’ consent may be express or, in certain situations, implied. Implied consent is deemed to exist where there is an “existing business relationship” between the recipient and the sender, for instance where the recipient purchased or leased a product, good or service from the sender, accepted a business, investment or gaming opportunity offered by the sender, or entered into a written contract with the sender within the two years preceding the message, or where the recipient made an inquiry or application to the sender within the six months preceding the message. CASL also provides a few “limited” circumstances in which consent is not required before sending a commercial electronic message.
Once express or implied consent exists, any CEM has to contain an unsubscribe mechanism that allows the recipient to unsubscribe using the same electronic means by which the message was sent or, if impracticable, another electronic means by which an unsubscribe directive can be given. The message must also contain a link to a website or an electronic address accessible with a browser where the recipient can unsubscribe. Any CEM that fails to comply with this or other specified requirements violates the law as soon as transmission is initiated whether or not the message is received.
Enforcement of CASL
CASL provides for a private right of action created for persons affected by infringements to the legislation. This private right of action was supposed to come into force on July 1, 2017, but has yet to be implemented. Applications to exercise a private right of action can be made to the Federal Court of Canada or the Superior Court of a province. Upon demonstrating a violation to CASL, an applicant will be entitled to compensation for damages suffered due to the violation and, depending on the specific violation, a maximum of $200 for each contravention, not exceeding $1,000,000 for each day.
CASL, PIPEDA, and Bill C-27
CASL also amends PIPEDA by adding to its provisions a prohibition on collecting an individual’s electronic address using a computer program designed for that purpose, collecting personal information through unauthorized access to a computer system, and using such illegally collected information. The private right of action created by CASL will also apply to these prohibitions, thus adding teeth to PIPEDA, which has provided only one remedy so far, i.e., a complaint to the Privacy Commissioner’s Office.
On the recommendation of the Minister of Industry, the Governor General in Council has made the Electronic Commerce Protection Regulations (Regulations). It provides new exemptions for certain business activities that are now outside the intended scope of CASL.
The Regulations broaden the definition of “personal relationship” and also provide:
- Broader exemptions about messages sent in a business-to-business context.
- Clarification on when CASL will not apply to messages sent from outside Canada.
- An exemption for messages sent to satisfy legal obligations.
- An exemption for messages that are solicited or sent in response to complaints or requests.
- Conditions for the use of consents obtained by third parties.
- Provisions related to the installation of certain computer programs by telecommunication service providers.
Footnotes
See Syndicat des employées et employés professionnels et de bureau, section locale 57 et Caisse populaire St-Stanislas de Montréal, 1998 CanLII 27651 (QC SAT) citing Regroupement des comités de logement et association de locataires du Québec c. Corporation des propriétaires immobiliers du Québec (CORPIQ).