Quebec’s proposed modernization of its private sector privacy legislation (Quebec Privacy Act) certainly contains a number of additional operationally burdensome demands on enterprises. However, the proposed amendments in Bill 64 contain several pragmatic, or even business-friendly, provisions. These provisions are not as headline grabbing as big administrative monetary penalties or the right to de-indexing / right to erasure. In this post, I review several of the pragmatic and business-friendly provisions that might otherwise be overlooked.
Business contact information is excluded
Section 93(3) of Bill 64 clarifies that the Quebec Privacy Act does not apply to personal information concerning the performance of duties within an enterprise by the individual, including the individual’s name, title, and duties, work address, work email address and work telephone number.
The exclusion of “org chart” and business contact information is entirely sensible and consistent with reasonable expectations. Moreover, Quebec has avoided overthinking this exception. The Quebec approach stands in contrast to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and Alberta’s Personal Information Protection Act (Alberta PIPA). Under PIPEDA and Alberta PIPA, business contact information is only exempted to the extent it is being used for business contact purposes. That narrow exception is out of touch with reality and overly restrictive given the relative sensitivity of that information.
Data analytics are okay
The Quebec government appears to understand that modern businesses have a legitimate interest in conducting data analytics. Helpfully, section 102 of Bill 64 provides that consent is not required to de-identify data and use that data for research and the preparation of statistics. Moreover, the Quebec government has set a low and reasonable threshold for de-identification for these internal data analytics uses. Information is de-identified if it no longer allows the person concerned to be directly identified.
In section 111 of Bill 64, Quebec also proposes that an organization can retain data indefinitely if it is anonymized. The amendments clarify that information is anonymized if it irreversibly no longer allows the person to be identified directly or indirectly. Information must be anonymized according to generally accepted best practices.
This statutory distinction between de-identification and anonymization is helpful. Moreover, the lower standard of de-identification for internal data analytics comports with business needs and balances the interests of individuals with those of the organizations they do business with.
Outsourcing is okay
The federal Privacy Commissioner has had a hard time coming to grips with how to handle outsourcing under PIPEDA. Unsatisfied with the accountability principle, Commissioner Therrien attempted a short-lived interpretation of PIPEDA that would have required consent to transfer personal information for processing. A hue and cry followed. This episode seems to have been a cautionary tale for those drafting the proposed amendments to the Quebec Privacy Act.
Section 107 of Bill 64 recognizes the reality of outsourcing and supply chains. No consent is required to transfer information to an agent or service provider, provided it is necessary to the performance of that agency or the outsourced services.
Moreover, Quebec has also helpfully clarified that a data processing agreement is required and provided guidance on its minimum content. This is an improvement over PIPEDA. Clause 4.1.3 of Schedule 1 to PIPEDA requires an organization to use contractual or other means to protect personal information when it is transferred to a third party. However, the vagueness of that wording has left privacy-minded organizations in uphill battles with some large SaaS service providers to get data processing agreements in place. The Quebec government is giving these customers a leg-up by requiring that transfers to agents and service providers must be documented in writing and must specify the measures the agent or service provider must take to protect the confidentiality of the information, to protect the information from unauthorized use, and to ensure the information is deleted after the expiry of the agency or service contract.
Moreover, Quebec is imposing direct obligations on the processor (the direct application of PIPEDA to processors is another contested area under PIPEDA). The agent or service provider must notify the client “without delay” of any violation or attempted violation of the obligation of confidentiality and allow for verification relating to confidentiality requirements.
These provisions should help take the wind out of arguments about whether a service provider needs to permit some kind of audit right. These provisions also clarify that service providers must notify their clients of security breaches – something altogether missed in PIPEDA. Unfortunately, the extension of notification requirements to “attempted violation” of confidentiality obligations is too broad. It will be interesting to see if this wording gets modified, since on any particular day, a SaaS provider fends off many, many “attempts”.
Commercial transactions…