Request for retailer feedback on Quebec Bill 64
September 14, 2020Bill 64 modernizes the framework applicable to the protection of personal information in various laws, including the Act respecting access to documents held by public bodies and the protection of personal information and the Act respecting the protection of personal information in the private sector.
This bill could have major impacts on your retail operations since it tightens up the management of the confidential data that you collect from your employees and customers.
After reading the background information, please provide your feedback on this issue, by September 18, 2020 to Jean-François Belleau at jfbelleau@cccd-rcc.org.
Thank you for participating in order to enrich our discussions with the government.
Background information
General context
Bill 64 draws heavily on the General Data Protection Regulation (GDPR) adopted by the European Parliament a few years ago. Indeed, the analysis of the bill reveals many similarities with the GDPR both in terms of the rights of individuals and with respect to the obligations of companies.
New rights for individuals
Currently, under the Quebec Private Sector Act, individuals have the right to be informed in order to obtain their consent, access their personal information and correct it. Bill 64 gives them additional rights, bringing them closer to those provided for by the GDPR.
The consent of the individual
As a basic premise, in order to give consent, he must be informed. In order to obtain such consent, the information to be communicated to the person must be written in plain language, including the purposes and means by which the information is collected, the rights of individuals and, if applicable, the name of the third party (e.g. Air Miles, Aeroplan, etc.) for whom the collection is made and the possibility that the information will be disclosed outside of the province of Quebec.
Second, the bill states that, at “request on his part,” the individual must be informed of the type of information collected, the categories of persons who have access to that information within the organization, their shelf life and the contact information of the privacy officer.
In addition, as in the GDPR, consent to the collection, use or disclosure of personal information must be requested separately from any other information provided to the individual. In other words, the various membership forms that have loyalty programs can no longer include a paragraph with a checkbox for consent, this item will have to be the subject of a separate form.
However, there are exceptions to the new consent regime, particularly where the use of personal information is necessary for research or statistical production and is depersonalized, i.e. it no longer allows the person to be directly identified.
Additional rights conferred by Bill 64
Bill 64 also introduces new rights for individuals.
- The right to be forgotten (right to deference, Bill 64, section 113). Bill 64 allows a person to require an organization to stop publishing personal information or deindex a hyperlink that provides access to that information when its dissemination seriously damages the person’s reputation or privacy and when that harm clearly outweighs the public interest in knowing that information.
- The right to data portability, that is, the right of an individual to receive personal information that he has provided to an organization in a structured and commonly used technology format. At the request of this person, this information must be passed on to any other person or organization.
- Technology rights: In this case, the person must, in addition to the above, be informed of the use of a particular technology and, if necessary, the means available to disable the functions used for identification, location or profiling.
New obligations imposed on businesses
Bill 64 also provides additional obligations for organizations that align with those provided for by the GDPR.
- Businesses will be required to appoint a person to be responsible for protecting personal information within organizations.
- Bill 64 also introduces the concept of “privacy by default” which are default parameters whereby companies that offer technology goods or services and collect personal information must ensure that the parameters of goods or services provide the “highest level of default confidentiality.” For example, all devices sold will have to be delivered with all location settings turned off.
- When it comes to disclosure outside Quebec (e.g., data sharing with Air Miles, Aeroplan, etc.), section 103 of Bill 64 introduces a new regime. Indeed, before transferring personal information outside Quebec, including human resources information, an impact assessment will have to be carried out to demonstrate that the information would benefit from protection equivalent to that provided by the new regime. To simplify this process, the Minister will publish a list of countries where privacy laws offer protection equivalent to that offered in Quebec. From now on, in the event of security incidents, Bill 64 provides for a notification obligation of the Access to Information Commission and, if necessary, of the individuals concerned, as well as the maintenance of a register, thus approaching Articles 33 and 34 of the GDPR.
New regime of judicial and/or administrative sanctions
- Bill 64 will significantly increase the fines that can be imposed on private and public sector entities that do not comply with provincial privacy legislation.
- Private sector entities could be subject to fines ranging from $15,000 to $25,000,000, or up to 4% of the previous fiscal year’s global revenue, depending on the highest amount. This represents a significant increase from the current maximum penalty of $50,000 and would make the Private Sector Act the most punitive privacy law in Canada.
- In addition, Bill 64 would give the Access to Information Commission the power to impose administrative monetary penalties for certain offences as a result of a notice of non-compliance – with a maximum of $10,000,000 or, if higher, an amount equal to 2% of the previous fiscal year’s global turnover.
Consultation elements
It is clear that all of the proposed measures are profoundly changing the legal and regulatory environment that governs the management of the personal data you collect in your day-to-day operations. In addition to the issue of sanctions, which we believe are disproportionate, we have tried to consolidate the bill’s measures into six questions.
New consumer rights
- Does the new requirement to create a separate consent form be an issue for your organization, if not briefly described.
- Is the right to be forgotten and portability of data as described above an issue, if so, please clarify the nature of the data.
- How do you perceive having to inform the consumer of the use of a particular technology and, if so, the means at their disposal to disable the functions used for identification, location or profiling? (For example, when selling a smartphone)
- We can imagine that the issue of default privacy will pose a challenge to electronic retailers especially those who sell smartphones, under this provision the devices should be sold with the privacy settings preset to the maximum. This is an example. Do you see any other impacts?
- The requirement to conduct an impact study before entering into a few data migration contracts outside Quebec to demonstrate that data protection legislation is equal to or greater than that proposed in Quebec is a big part of this reform. For the Retail council of Canada (RCC), it is easy to imagine the overall impact of such a measure, but we would need to know the position and the impact that the adoption of this measure will have on your organization.
- The proposed reform includes two types of sanctions, with legal penalties of up to $25 million and administrative penalties of up to $10 million. In addition to the eccentricity of the amounts involved, this type of sanction raises the issue of the “border” of responsibilities for data collection and storage. In the case of a merchant who has a contractual agreement with an external supplier (Air Miles, Aeroplan, etc.), where the retailer’s liability ends and the supplier’s liability begins, the bill is unclear on this issue. So we want to know if your service contracts generally trace the responsibility of the parties in data management.
When providing feedback, be ensures that all of specific responses will be treated confidentially and will only be used to prepare the RCC’s guidelines for the parliamentary committee. You may choose not to identify your company or organization in your comments if you wish.
Please send any feedback to Jean-François Belleau at jfbelleau@cccd-rcc.org by September 18, 2020.