Québec Privacy Law: Certain Provisions Of The Act To Modernize Legislative Provisions As Regards The Protection Of Personal Information Take Effect September 22, 2022 – Privacy Protection


In our blog published October 12, 2021, we reported that
Québec’s Bill 64, An Act to modernize legislative provisions as
regards the protection of personal information, had received
assent. As we wrote at the
time, a majority of the changes made by Bill 64 will come into
force on September 22, 2023. However, certain provisions will come
into effect on September 22, 2022.

Some of these changes are less critical, including adjustments
to the operations and powers of the Commission d’accès
à l’information (the “Commission”), which is
the regulatory body responsible for enforcing the various
provisions of Québec’s privacy legislation.

This newsletter outlines four important changes taking effect
September 22, 2022 that will have an impact on businesses operating
in Québec (also referred to as “persons carrying on an
enterprise”).

1. Privacy officer

The person exercising the highest authority in the organization
is now responsible for ensuring implementation of and compliance
with the Act respecting the protection of personal information
in the private sector.

This individual will exercise the function of the person in
charge of the protection of personal information (privacy officer)
unless he or she delegates this function in writing, in whole or in
part, to another person. The delegate need not be a member of the
organization’s personnel.

The privacy officer’s title and contact information must be
published on the organization’s website, or made available by
any other appropriate means if there is no website.

2. Privacy breaches

The new provisions regarding privacy breaches, called
“confidentiality incidents” in the legislation, also take
effect on September 22, 2022. Similar provisions are already
contained in the federal privacy legislation (PIPEDA) and
Alberta’s Personal Information Protection Act. The new
provisions in Québec are similar but not identical to the
federal provisions (the federal privacy legislation uses the
expression “breaches of security safeguards”).

A confidentiality incident is a case of unauthorized access, use
or communication of personal information. A confidentiality
incident may also be the loss of personal information or any other
breach of the protection of such information.

Any organization that has cause to believe that a
confidentiality incident involving personal information the
organization holds has occurred must take “reasonable”
measures to reduce the risk of injury and to prevent new incidents
of the same nature.

Further, if the incident presents a “risk of serious
injury,” the organization that sustained the breach:

  1. must “promptly” notify the Commission;

  2. must notify any person whose personal information is concerned
    by the incident, but no time limit is specified (and the person
    need not be notified if doing so could hamper an investigation);
    and

  3. may notify any other person or organization that could reduce
    the risk, but this is not an obligation, and any such communication
    must be kept in the organization’s records.

Where the federal privacy legislation refers to a “real
risk of significant harm,” the new Québec provisions
use the concept of a “risk of injury.” In assessing the
risk of injury, the organization must consider the sensitivity of
the information concerned, the anticipated consequences of its use
and the likelihood that the information will be used for injurious
purposes.

Even if a privacy breach does not present a risk of serious
injury, the organization is still required to record it in a
register of confidentiality incidents, which the Commission may
consult.

On June 29, 2022, the Government of Québec released a
draft Regulation respecting confidentiality incidents. As
of the date of this newsletter, the final version has yet to be
published.

The draft Regulation sets out the content that must be included
in the following documents in case of a confidentiality
incident:

  1. notices to the Commission;

  2. notices to the persons concerned; and

  3. the organization’s register of confidentiality incidents
    (this register must be retained for at least five (5) years after
    the organization becomes aware of the incident, compared to a
    minimum retention period of two (2) years in the federal privacy
    legislation).

The details of the draft regulation are quite similar to those
of the federal privacy legislation, but there are certain
differences. Consequently, if a privacy breach occurs, it will be
necessary to distinguish the organization’s obligations under
Québec and federal law.

Also note that when the Commission is made aware of a privacy
breach, it may – after giving the organization the
opportunity to present its own observations – order the
organization to take any measures the Commission deems necessary to
protect the rights of those whose personal information may be
compromised.

3. Sharing personal information in commercial transactions

The federal privacy legislation already allows the disclosure of
personal information in connection with “business
transactions” but there was previously no similar provision in
Québec legislation. As part of the Bill 64 amendments, the
communication of personal information necessary for concluding a
“commercial transaction” is now permitted without the
consent of the persons involved, effective September 22, 2022.

The rules are similar to those in the federal privacy
legislation, with a few nuances. In both jurisdictions, the law
requires a prior agreement between the parties, stipulating several
obligations on the part of the organization receiving the
information.

Under both the federal privacy legislation and the new
Québec provisions, if the transaction is finalized, the
people whose information is being shared must be notified, within a
reasonable time, that the new party now holds their personal
information.

A “commercial transaction” means the alienation or
leasing of all or part of an enterprise or of its assets, a
modification of its legal structure by merger or otherwise, the
obtaining of a loan or any other form of financing by the
enterprise or of a security taken to guarantee any of its
obligations.

4. Biometric characteristics and measurements

Some provisions regarding biometric characteristics and
measurements are already included in the existing Act to
establish a legal framework for information technology.

Effective September 22, 2022, the creation of a database of
biometric characteristics and measurements must be disclosed to the
Commission promptly, and in all cases at least sixty (60) days
before the database is brought into service.

In addition, it is now mandatory to notify the Commission before
beginning to verify or confirm a person’s identity by using a
process that can record biometric characteristics and
measurements.

According to the Commission, there are three (3) main categories
of biometrics: (1) morphological biometrics (e.g. fingerprints,
facial recognition or the shape of the hands, retina or iris); (2)
behavioural biometrics (e.g. signature, voice print, gait and
keyboard strokes); and (3) biological biometrics (e.g. DNA, blood,
saliva, urine and odours).

Conclusion

As noted above, a much larger set of changes affecting
businesses will come into force on September 22, 2023.
Organizations that do business in Québec will need to make
plans for meeting their new obligations between now and the
implementation date. The Commission has begun to produce documents
about the new legislation (mostly in French only). These have been
somewhat limited so far, but we can expect more information to be
published over the next few months to help businesses with their
compliance processes.

It is also important to keep in mind that beginning on September
22, 2023, steep fines and administrative monetary penalties will be
in place for failure to comply with the Québec law.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.


