Quebec is the first province to take a stab at modernizing privacy protections in Canada
Squeaked in on June 12, just before the summer recess, this bill has a title that says it all: “An Act to modernize legislative provisions as regards the protection of personal information”. This is Quebec turning up the dial on privacy and aligning itself with the European Union’s General Data Protection Regulation (GDPR), and it comes shortly after the Federal Government of Canada released a statement on reforming Canada’s Privacy Act (Department of Justice).
We’ve been predicting that big changes were coming to Canadian privacy laws ever since GDPR came out and have been advising clients to adopt the principle of Privacy by Design and build privacy into their applications and systems now to avoid costly re-writes later. This advice has been echoed by Bill 64 and I think that one of the most important clauses can be found at the bottom of page 36 of the bill.
“Any person carrying on an enterprise who collects personal information when offering a technological product or service must ensure that the parameters of the product or service provide the highest level of confidentiality by default, without any intervention by the person concerned.”
This is key.
If this bill is implemented as currently written, it will codify Privacy by Design and Privacy by Default into Quebec law. People won’t have to go fiddling around with various privacy settings or worry about new features being turned on without their knowledge. *cough* *cough* Facebook…
What does this mean for your company?
Here are a few of the changes (and improvements) for the protection of Personally Identifiable Information (PII) in Quebec that are proposed by this Bill.
Companies are now required to have a Data Protection Officer (DPO)
The DPO will be responsible for enforcing data privacy within the organization. This isn’t just a matter of assigning a title to some poor compliance officer either. Bill 64 requires that the DPO be identified by name and position on the organization’s website as well as be given authority to suggest data privacy controls, including:
Assigning responsibility for protection of PII within a project
Documentation of controls and responsibilities
Training activities for personnel
Many organizations will find that they need to make big changes to their website privacy policies in order to meet the requirements of Bill 64. Some of the details that will have to be published include:
Information on how data is protected through its full data life cycle – acquisition to destruction
Definition of the roles and responsibilities of the company’s personnel
A process for dealing with complaints
A process for exporting data in a usable format
Privacy Impact Assessment (PIA) must be performed
Bill 64 requires organizations to perform a PIA for all collection of PII. This assessment must be performed before the data collection begins and must include a reason for the collection of data. This is an end to collecting PII “just because” and is a direct result of Privacy by Design.
“Any person carrying on an enterprise must conduct an assessment of the privacy-related factors of any information system project or electronic service delivery project involving the collection, use, communication, keeping or destruction of personal information”
While the DPO doesn’t have to be the person actually performing the PIA, they must be involved in the process. They will also be responsible for ensuring that all data collected can be exported and shared in a commonly used format. A PIA must be performed when exporting data outside of Quebec. This has the interesting effect of making Quebec a safe haven for personal information. Organizations that keep their data in Quebec may experience a competitive advantage when it comes to privacy-conscious consumers. Quebec will publish a list of States that are considered to have equivalent data protection frameworks in place - a direct challenge to the rest of Canada to keep pace.
Mandatory Breach Reporting
Disappointingly, Bill 64 does not introduce hard timelines for Breach Reporting. All breaches of confidentiality must be reported “promptly” to the Quebec privacy commissioner. Hopefully the final version of the bill will provide hard timelines for notifications. In addition to mandatory reporting, organizations must also keep a log of all breaches and be ready to hand it over to the privacy commissioner when asked.
Without going into more detail, there are a number of other new requirements and clauses included in Bill 64, including:
Access to Data
Destruction of Data
De-indexing (Right to be Forgotten)
Overall, this is a very positive step forward for privacy in Canada and is a direct rebuke to the approaches that large organizations have taken towards data privacy over the last decade. While this Bill is only proposed at this point, it mirrors the direction in which privacy legislation is moving around the world. This is a great first step for Canada to meet the requirements set out by GDPR and should ensure that we are able to maintain our status as a nation with equivalent data protections under that Regulation.