Privacy Risks Increase in Canada

22 Sep Privacy Risks Increase in Canada

Kelly Harris and Jane Huang

Quebec’s private sector privacy law implements significant changes as the second round of amendments introduced by Law 25 come into force September 22, 2023. These updates aim to bolster data protection, align with international privacy standards, and address emerging challenges brought about by technological advancements.

Key new Privacy Obligations when collecting personal information from individuals in Quebec:

1. Requirement for Policies and Plans

Organizations lacking a comprehensive privacy policy must now establish and implement governance policies and practices related to the protection of personal information (“PI”). These policies should outline procedures for collecting and destroying PI, define organizational roles and responsibilities, and establish a process for addressing complaints concerning PI protection.

2. Privacy Impact Assessments

Privacy impact assessments (PIAs) are now mandatory before sharing personal information outside of Quebec, even if it remains within the organization or is transferred to a vendor in another Canadian province or territory. PIAs are also required before embarking on projects involving the acquisition, development, or overhaul of an information system that deals with PI. Specific criteria outlined by the law must be considered during PIAs, and records of the analysis must be created and retained.

3. Automated Decision-Making Processes

Individuals in Quebec now have the right to be informed when their PI is used for decisions made solely through automated processing, without human intervention. Organizations must disclose this use at the time of decision-making. Individuals also have the right to request information about how their PI was used, the factors behind the decision, and the right to correct the PI used for the decision.

4. Consent – Profiling, Minors

The new law emphasizes obtaining clear, informed consent from individuals for collecting, using, and disclosing their PI. All consent must be explicit, voluntary, and granted for specific purposes.

If technology is used to identify, locate, or profile individuals, they must be informed, and an opt-in feature must be provided. “Profiling” refers to the collection and use of PI to assess characteristics such as economic situation, health, preferences, interests, or behavior. Consider whether this may now require individuals expressly consent to your organization’s current website or digital advertising practices.

Collecting PI from minors under 14 is prohibited without parental or guardian consent, except when it is clearly for the minor’s benefit. Note that this is different than the current federal guidance, which recommends parental/guardian consent for children under 13.

5. Retention, Use, and Non-Communication of Information

The new regulations explicitly prohibit using PI for purposes other than those for which it was originally collected. PI can only be repurposed without the individual’s consent if it aligns with the original purpose, clearly benefits the individual, prevents fraud or enhances security, delivers requested products or services, or supports research (and is de-identified).

6. New Privacy Rights

Quebec has introduced European Union-style individual privacy rights. The “right to be forgotten” is now in effect, allowing individuals to request the deletion of their PI in specific situations, and organizations must establish mechanisms for facilitating this process. The “data portability” right, effective in September 2024, will allow individuals to request the transfer of their PI from one organization to another.

Increased Penalties

To ensure compliance, the new law grants enhanced enforcement powers and imposes significant penalties for violations. The Commission d’accès à l’information (CAI) will continue to oversee compliance and enforcement.

Penalties for non-compliance may include administrative fines or criminal charges, depending on the severity of the violation. Maximum administrative monetary penalties for non-compliance are now the greater of $10 million or 2% of worldwide turnover for the previous fiscal year. The maximum fine for a penal offense have increased to up to $25 million or 4% of worldwide turnover for the previous fiscal year. Subsequent offenses will incur doubled fines. Individuals now have a private right of action, allowing them to seek a minimum of $1,000 in punitive damages for intentional non-compliance or gross faults in privacy legislation.

As enforcement of these new provisions intensifies, businesses should proactively prepare for these stringent requirements. Similar amendments to federal and other provincial privacy laws will likely follow suit, as Canada aligns its privacy regime with global norms and standards.

Organizations engaging with Canadian consumers and their personal information should closely monitor the evolving landscape of privacy obligations, as privacy risk in Canada will continue to increase.