This article discusses the importance of Bill 64 and the amendments that it introduces to Québec's Act respecting the protection of personal information in the private sector ('the Private Sector Act')² (as amended by Bill 64, ('the New Private Sector Act')) with a focus on impacts on Big Data analytics and emerging technologies. Below are the top four reasons for why Bill 64 is a big deal in Canada, but also, globally!

Indeed, the fact that a company is located outside of Québec does not mean it can evade obligations under the Private Sector Act; whenever a company collects personal information ('PII') of individuals located within Québec, regardless of where the company is located, the Private Sector Act applies³.

Reason #1: It will be enforced. And that's new!

The Private Sector Act will shift from being an innocuous regime to providing three distinct enforcement mechanisms with teeth: (i) administrative monetary penalties ('AMPs') of up to CAD 10,000,000 (approx. €7,031,760) or 2% of worldwide turnover⁴; (ii) new penal offences with fines of up to CAD 25,000,000 (approx. €17,579,410) or 4% of worldwide turnover⁵; and (iii) a private right of action ('PRA') allowing individuals to sue organisations for damages⁶.

With new powers to enforce those AMPs, the Québec Commission on Access to Information ('CAI') will become one of the most powerful regulatory bodies in Canada. At the federal level, under the Personal Information Protection and Electronic Documents Act, SC 2000 ('PIPEDA'), the Office of the Privacy Commissioner of Canada ('OPC') still does not have powers to impose fines or make orders, but may rather investigate potential breaches of PIPEDA and issue findings, express an opinion as to whether a complaint was well founded, and make recommendations⁷. The only statutory penalties under PIPEDA consist of fines resulting from penal proceedings, which may be intended in limited cases of investigation obstruction and non-compliance with breach notification requirements⁸.

Many deplore that the new enforcement regime will put brakes on the start-up ecosystem and recent technological momentum in Québec. It should be noted that Bill 64 was amended to add a seventh factor to be considered when determining whether to impose an AMP, as well as its amount, i.e. 'the capacity of the person in default to pay, particularly in light of his or her assets, sales or income'⁹. Without being exhaustive on this topic, the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') does not explicitly include any similar criteria¹⁰.

Bill 64 also creates a PRA for individuals to be compensated for the unlawful infringement of a right conferred by the New Private Sector Act or the privacy articles of the Civil Code of Québec CQLR, c CCQ-1991, with an award of punitive damages of at least CAD 1,000 (approx. €700) when the infringement is intentional or results from a gross fault¹¹.

The CAI has already indicated its intention to embrace its new watchdog role by hiring more competent staff and by issuing fines. Adding to this the increased exposure resulting from the upcoming mandatory data breach reporting mechanism¹², it is not only the amount of financial consequences that will increase, but also chances of suffering them.

Reason #2: It introduces modern proactive obligations aligned with governance, risk, and compliance best practices

While the current version of the Private Sector Act does not explicitly provide the principle of accountability, Bill 64 introduces several new obligations of organisations in this regard, including the implementation of: (i) governance policies for the protection of PII; (ii) a framework on retention and destruction of PII; (iii) a process for dealing with complaints; as well as (iv) a clear definition of the roles and responsibilities of staff members with regard to PII¹³. The foregoing will be under the supervision and responsibility of the 'person in charge of the protection of PII', a role that may be delegated to anyone outside the organisation¹⁴.

In addition, the New Private Sector Act will require organisations to conduct an 'assessment of the privacy-related factors' ('APF') of 'any project of acquisition, development and redesign of an information system or electronic service delivery involving the collection, use, communication, keeping or destruction of personal information'¹⁵.

APFs are just one of the many proactive compliance and risk management mechanisms introduced by Bill 64. Interestingly, Bill 64 also introduces a requirement to perform an APF prior to make cross-border transfers of PII outside of Québec. This was highly debated as the first version of Bill 64 required, as a condition to transfer PII outside of Québec, that the PII importer's jurisdiction offer 'equivalent' protection to that existing in Québec (i.e., at the provincial level). Early criticisms raised concerns about the heaviness of the restrictions on PII transfer, even applicable to transfers between provinces of the same country. As many have pointed out, the proliferation of multiple equivalency and adequacy assessment systems based on local criteria¹⁶ creates barriers to international trade and, in the long run, could lead to the global internet disintegrating.

Subsequent amendments to Bill 64 replaced the requirement for 'equivalent' protection by an 'adequate protection in compliance with generally accepted data protection principles'¹⁷. Similar to a transfer risk assessment ('TIA') to be conducted under the UK GDPR and the GDPR, the AFP must take into account several factors¹⁸ (see below). However, the Québec regime departs from the approach taken under the UK GDPR and the GDPR which require Standard Contractual Clauses ('SCCs') or other pre-approved mechanisms¹⁹, followed by a TIA²⁰ to identify additional protection measures that may be required. Under the New Private Sector Act, the APF will be used as guidance to determine what measures must be implemented.

Table 1 - Comparison between Québec, Canada and the European Union

Taking a global approach to design a legislation agnostic procedure in line with worldwide best practices is a good idea, considering the inherently local - and conflicting - interests that countries encounter when seeking to regulate extraterritorially. Another good idea is to become familiar with a recognised international standard that provides a framework for performing privacy impact assessments²¹, and others that provide with a methodology for implementing good governance on the protection of PII²², under which companies can get certified. While it is still necessary to obtain legal opinions on how these laws apply, these standards are helpful to guide professionals implementing.

Reason #3: It introduces requirements for technological development in an AI-based economy

Bill 64 is also a big thing because of the economic context in which it is being inserted: Québec has recently been consolidating its AI powerhouse status and is multiplying investments in innovation²³. Consequently, it is critical to maintain trust in such technologies; it is not a coincidence that the privacy tech industry is gaining attention²⁴. However, it is a daunting challenge for smaller emerging companies to support this regulatory burden, as Canadian privacy laws, including the New Private Sector Act, do not feature any applicability threshold, unlike several U.S. privacy laws²⁵.

Among those trust-enhancing mechanisms, Bill 64 introduces the concept of Privacy by Default which, in contrast to Privacy by Design under GDPR²⁶, governs the parameters (if any) of tech products and services offered to the public, which must be set, by default, in a way that ensures the highest level of privacy²⁷.

Consistent with this principle, Bill 64 restricts the use of technologies with functions allowing the profiling, localisation, or identification of individuals, implying that such functions will always need to be activated by the concerned individual through an opt-in. Organisations will be required to priorly inform individuals of: (i) the use of such technology; and (ii) how he/she can activate those specific functions²⁸. Bill 64 provides a very broad definition of 'profiling', which encompasses any PII processing made to assess characteristics of an individual in any contexts and for any purposes, including work performance, economic situation, and personal interests²⁹. In contrast, the GDPR provides data subjects to object, at any time, only to specific PII processing (including profiling): (i) made for direct marketing purposes; or (ii) based on public interest or the organisation's legitimate interest³⁰.

The New Private Sector Act will also include new requirements around the use of decisions based exclusively on automated processing of PII³¹. While GDPR addresses a similar topic quite differently³², PIPEDA currently has no similar provision.

Table 2 - Comparison between Québec and the European Union regimes: decisions based solely on automated processing

Unlike the GDPR, Bill 64 does not establish an individual right to not be subject to decisions based solely on automated processing. It rather merely provides an 'opportunity' for the individual to submit observations to an employee, without any formal right to request human intervention in such decision. On the other hand, the GDPR only provides for those rights when the decision produces legal effects concerning the data subject or similarly affects her/him, while the obligations under the Québec regime could be triggered in case of a simple targeted advertisement for shoes.

In the absence of guidance from the CAI, commenters have raised concerns in connection with enforcement of the transparency obligations through regulatory actions that could involve disclosure of trade secrets, sensitive algorithmic process, and private IT systems³³. For instance, InsurTech companies may be worried as the mechanism setting insurance premiums may constitute very sensitive confidential information for them, while not being necessarily relevant to a consumer³⁴. In this regard, it is specified under the GDPR that data subjects' right to access 'should be limited to not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software³⁵'. PIPEDA also provides that access rights are limited when their exercise would reveal 'confidential commercial information³⁶'. According to Bill 64, no exemption will be made in this regard under the New Private Sector Act.

Reason #4: It tackles de-identification in a wider data governance discussion

For many generations, healthcare systems have been accumulating massive amounts of data of great interest to researchers, medical and pharmaceutical companies, and above all, to such systems. Otherwise, data may be scattered in disparate forms and difficult to access where outdated legal safeguards for the protection of PII are in force, as is currently the case in Québec³⁷. At the other end, during the Coronavirus pandemic, the Israeli Government agreed to transfer all vaccination data automatically to a pharmaceutical company, providing it with real-time access to large amounts of data on the effect of their vaccine. Jurisdictions aiming for data governance are likely to implement structures that allow for greater access and use of data while ensuring confidentiality of PII. This may be achieved with the introduction of de-identification statutory requirements that improve trust and access protocols and allow data synthesis to be framed with more certainty.

Bill 64 introduces two types of processes that may be applied to PII to reduce or minimise its identificatory nature: de-identification and anonymisation.

Under Bill 64, PII is de-identified when it no longer allows the concerned individual to be directly identified³⁸. De-identification of PII allows organisations to use such PII without consent to the extent necessary for study, research or statistical purposes³⁹. Indeed, organisations frequently use de-identification to protect privacy of individuals while still extracting business intelligence from the PII, such as MedTech organisations that may want to share de-identified health data with researchers. The New Private Sector Act will also require that organisations using de-identified information take reasonable steps to mitigate the risk of anyone identifying an individual using de-identified information⁴⁰. Here is another situation that will require the performance of an APF.

According to Bill 64, information is anonymised to the extent it is at all times reasonable to expect, in the circumstances, that it irreversibly no longer allows the individual it concerns to be identified, whether directly or indirectly⁴¹. Still, the field of de-identification science suggests that re-identification of individuals, rather than being hard, is sometimes surprisingly easy. It is difficult for organisations to predict the type and amount of external information that an adversary will be able to access, and that difficulty may result in some residual re-identification risk - even for the best-intentioned de-identification processes⁴².

Bill 64 also requires that PII anonymisation be made in accordance with 'generally accepted best practices' and with criteria and procedures prescribed under regulation to come⁴³. There is often at least some residual risk that re-identification might be possible, if not with techniques and data that are available today, then perhaps with techniques and data that might become available in the future. Despite the fact that uncertainty remains around the re-identification risk threshold that would disqualify a dataset from being properly 'anonymized' in accordance with Bill 64, the explicit reference made to industry best practices ensures durability through technological advances and could facilitate the harmonisation with other standards prescribed under foreign regulations such as the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), the GDPR, and others, which is critical.

Finally, while PII anonymisation was initially proposed under Bill 64 as an equivalent alternative to PII destruction, Bill 64's final form integrates an important amendment requiring organisations to demonstrate a 'serious and legitimate purpose' in order to use anonymised PII⁴⁴. This additional limitation could have critical impacts on the AI and Big Data analytics industry. It also creates interpretative issues since it is understood from the whole text of the new Private Sector Act that anonymized data does not constitute PII, and therefore, this specific article may be interpreted as overstepping the fundamental object of this law⁴⁵. In contrast, both the GDPR⁴⁶and PIPEDA⁴⁷ fully exclude 'anonymous information' from their respective scope.  

What's next?

New requirements under Bill 64 will come into force in three annual stages: four in September 2022 (including the appointment of a privacy officer and breach reporting requirements), most in September 2023, and a last one in September 2024 (a data portability right for individuals).

It is obvious that the Québec reform is strongly inspired by the European regime, and may be viewed as an attempt from La Belle Province to model its own data governance regime on the GDPR's privacy standards. Indeed, the New Private Sector Act includes noteworthy distinctive features, some being firmly rooted in the Canadian privacy tradition⁴⁸. While the federal⁴⁹ and Ontario⁵⁰ governments recently made first steps toward the adoption of new privacy legislations, it is fervently hoped that proposed initiatives will prioritise harmonisation, which will greatly benefit to all Canadian companies and innovators.

Vanessa Henri Associate
[email protected]
William Deneault-Rouillard Associate
[email protected]
Fasken Martineau DuMoulin LLP, Montreal

1. Available at: http://www.assnat.qc.ca/en/travaux-parlementaires/projets-loi/projet-loi-64-42-1.html?appelant=MC
2. Available at: http://www.legisquebec.gouv.qc.ca/en/pdf/cs/P-39.1.pdf
3. See: https://priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2021/pipeda-2021-001/#fn19Joint investigation of Clearview AI, Inc. by the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Information and Privacy Commissioner for British Columbia, and the Information Privacy Commissioner of Alberta, PIPEDA Findings #2021-001, February 2, 2021; https://www.canlii.org/fr/qc/qccai/doc/2018/2018qccai245/2018qccai245.htmlFirquet c. Acti-Com, 2018 QCCAI 245 (CanLII); https://www.canlii.org/fr/qc/qccs/doc/2008/2008qccs1455/2008qccs1455.htmlSerres Floraplus inc. c. Norséco inc., 2008 QCCS 1455 (CanLII); Guilmain, A. & Douville, D., "https://www.fasken.com/en/knowledge/2019/05/van-the-quebec-private-sector-privacy-act/The Québec Private Sector Privacy Act: When does it Apply to Organizations Outside of Québec?," Fasken Bulletin, May 16, 2019; Geist, M., “https://lawcat.berkeley.edu/record/1117679Is there a there there? Toward greater certainty for internet jurisdiction,” Berkeley Technology Law Journal, Vol. 16, #3, p. 1345 (2001).
4. Article 90.12 of the New Private Sector Act.
5. Ibid., Article 91.
6. Ibid., Article 93.1.
7. See: PIPEDA, s. 12-13.
8. See: PIPEDA, s. 28. I
9. See: Article 90.2(2) of the New Private Sector Act.
10. Article 83(2) of the GDPR.
11. Article 93.1 of the New Private Sector Act.
12. Ibid., Article 3.5.
13. Ibid., Article 3.2.
14. Ibid., Article 3.1.
15. Ibid., Article 3.3.
16. See for instance: India's Personal Data Protection Bill (tabled in 2019), which proposes to require that certain types of PII be stored in India: 'critical personal data' must be stored and processed only in India, while 'sensitive personal information' must be stored within India but may be 'copied' elsewhere provided the destination country applies sufficient privacy protections to the data and does not impede Indian law enforcement access to the data.
17. Article 17 of the New Private Sector Act.
18. Id.
19. Article 46 of the GDPR.
20. European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Nov. 10, 2020.
21. See: https://www.iso.org/standard/62289.html
22. See: https://www.iso.org/standard/71670.html
23. See: https://montrealgazette.com/news/local-news/artificial-intelligence-expert-moves-to-montreal-because-its-an-ai-hub
24. See: https://www.priv.gc.ca/en/blog/20210412/
25. For instance:  the California Consumer Privacy Act applies to businesses that: (i) have annual gross revenue of over USD 25 million; buy, receive, sell or share the PII of 50,000 or more California consumers, households or devices for commercial purposes each year; or derive 50% or more of annual revenue from selling consumer PII (CCPA, s. 1798.140).
26. Article 25 of the GDPR.
27. Article 9.1 of the New Private Sector Act.
28. Article 8.1 of the New Private Sector Act.
29. Ibid.: i.e., 'the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person's work performance, economic situation, health, personal preferences, interests or behaviour.'
30. Article 21 of the GDPR.
31. Article 12.1 of the New Private Sector Act.
32. Articles 15 and 22 of the GDPR.
33. Only available in French at : https://bac-quebec.qc.ca/media/5919/20210527_memoire_pl64-commission-institutions.pdf
34. Ibid.
35. Recital 63 of the GDPR.
36. Article 9(3)(b) of PIPEDA.
37. Article 21 of the Private Sector Act; https://www.cca-reports.ca/wp-content/uploads/2018/10/healthdatafullreporten.pdfAccessing Health and Health-Related Data in Canada. Council of Canadian Academies Report, 2015, Ottawa, pp. 47, 51, 82; One of the most controversial aspects of Québec privacy laws for the research sector is the often lengthy and uncertain process researchers must go through to gain access to PII databases held by public bodies and private enterprises. The CAI generally grants the necessary approval after a year or more, while research funds are granted over a three-year cycle.
38. Article 12 of the Private Sector Act.
39. Ibid.
40. Ibid.
41. Article 23 of the Private Sector Act.
42. According to a https://dataprivacylab.org/projects/identifiability/paper1.pdf?fbclid=IwAR2qeD2uXtZmaUUPQzAStNoO1n2pAQpfzzhnDYg4WPN-yhjZ8oTBHmpmhowlandmark study, 87% of Americans can be uniquely identified from their ZIP code, date of birth and sex. According to https://www.cs.utexas.edu/~shmat/shmat_oak08netflix.pdfanother, more than 80% of users of a flagship subscription DVD rental service could be uniquely identified by when and how they rated any three movies they had rented.
43. Article 23 of the Private Sector Act.
44. Ibid.
45. Article 1 of the New Private Sector Act: 'The object of this Act is to establish, for the exercise of the rights conferred by articles 35 to 40 of the Civil Code concerning the protection of personal information, particular rules with respect to personal information relating to other persons which a person collects, holds, uses or communicates to third persons in the course of carrying on an enterprise […].'
46. Recital 26 of the GDPR.
47. Schedule 1, s. 4.5.3. of PIPEDA.
48. For instance, consent is preserved as the sole legal basis for processing.
49. https://parl.ca/DocumentViewer/en/43-2/bill/C-11/first-readingBill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts; this bill has not been subject to any legislative developments from 2020 and its future is now uncertain.
50.   In June 2021, the Ontario Government published https://www.ontariocanada.com/registry/showAttachment.do?postingId=37468&attachmentId=49462a white paper setting out a model for a new provincial statute.