Introduction

The Act to Modernize Legislative Provisions respecting the Protection of Personal Information ("Bill 64" or the "Bill") received royal assent on September 22, 2021, and is set to bring important changes to the Province of Québec's Act Respecting the Protection of Personal Information in the Private Sector ("Private Sector Act"). Previously, we described which changes have the greatest potential to impact businesses operating in Québec. As part of a new series of blogs on how businesses can best prepare for the introduction of these new obligations, this blog discusses the requirements for cross-border transfers of personal information that are set to enter into force on September 22nd, 2023.

Following in the footsteps of the European General Data Protection Regulation ("GDPR"), Bill 64 introduces new operational requirements that businesses must satisfy before they communicate personal information outside of Québec. These new requirements include:

  • Conducting a prior privacy impact assessment (a "PIA");
  • Determining whether the information communicated would receive "adequate protection" in the target jurisdiction; and
  • Entering into written agreements that take into account the results of the PIAs and, if applicable, include terms to mitigate the risks identified in the PIAs.

Changes to the Existing Regime

Prior to the introduction of Bill 64, the Private Sector Act already included requirements for businesses making cross-border transfers or entrusting a third party outside Québec with personal information. The Private Sector Act specifies that transferring personal information to a third party for processing or retention is permissible without prior consent, on the condition that the transfer is essential for the original business purposes. This provision was subsequently strengthened by clarifications from the Commission d'accès à l'information (the "CAI").1 Such transfers must be governed by a written contract that sets out: (1) the scope of the mandate; (2) the purposes for which the third party may use the information; (3) the categories of persons who will have access to it; and (4) the obligation to maintain the confidentiality of the personal information.

In addition, businesses must take all reasonable measures prior to the transfer to ensure that: 1) the information is not used for purposes other than those consented to, or communicated to third persons without consent; and 2) in the case of nominative lists, individuals have an opportunity to object to their personal information being used for commercial or philanthropic purposes.

Bill 64 overhauls the existing requirements for transfers of personal information outside of Québec. In addition to the basic contractual requirements, businesses will now need to disclose, both at the time of collection and upon request, the possibility that the personal information collected may be communicated outside of Québec.2

Businesses must now also assess the privacy-related factors before communicating personal information outside of Québec. Such PIAs must specifically take into account:

  • the sensitivity of the information;
  • the purposes for which the information is to be used;
  • the protection measures, including contractual measures, that would apply to the communication; and
  • the legal framework applicable in the State in which the information would be communicated, including the data protection principles applicable in the foreign State.3

The CAI has published guidance on the contents of a PIA conducted when a new project is established. Although that guidance was not written for cross-border transfers, the factors it lists are likely to overlap with those expected in a cross-border transfer PIA. These factors include:

  • The goals of the transfer and internal procedures implicated;
  • The parties involved, whether internal or third party, including their roles and responsibilities;
  • An overall description of the location of personal information during the transfer;
  • The risks involved with the transfer of personal information; and
  • A periodic review of the risk factors.

Only if a PIA establishes that the information would receive "adequate protection, in particular in light of generally recognized principles regarding the protection of personal information" can the business communicate the data outside of the Province.4 It should be noted that these requirements are separate from, and in addition to, consent requirements or other obligations applicable to disclosures of personal information to third parties.

Finally, if the PIA yields positive results, the business must enter into a written agreement that takes into account the results of the assessment and includes terms to mitigate the risks identified by the assessment5 (a topic we will discuss in greater detail in an upcoming article).

Comparison with Existing Privacy Regimes

Businesses already familiar with the requirements for cross-border data transfers under PIPEDA and the GDPR will notice notable differences in the Bill 64 regime that may affect their cross-border data transfer processes.

PIPEDA's current requirements for cross-border data transfer stem from the principle of accountability.6 Businesses are responsible for personal information in their possession, and PIPEDA requires the implementation of contractual provisions to provide a "comparable level of protection" for information processed across borders.7 These requirements extend to third party service providers located abroad who process personal information. Though the privacy regime of the receiving jurisdiction is relevant in assessing whether or not personal information is afforded a "comparable level of protection," contractual measures and oversight measures like regular auditing are also factored into the assessment.8 Further, PIPEDA does not require a privacy impact assessment in connection with cross-border data transfers.

The GDPR's requirements for cross-border data transfers are closer to Bill 64's approach and, as mentioned above, were likely a source of inspiration for the Quebec legislator. The GDPR establishes a number of mechanisms through which personal information can be transferred outside of the EU, including through the use of standard contractual clauses or binding corporate rules or with the individual's explicit consent. The GDPR also allows for transfers of personal information to jurisdictions that the European Commission has decided "ensures an adequate level of protection"9, and the GDPR tasks the European Commission with assessing the state of the law in jurisdictions around the world and making these "adequacy decisions."

Bill 64's cross-border transfer obligations sit between the PIPEDA and GDPR approaches. Originally, Bill 64 was closer to the GDPR model: the Minister Responsible for Democratic Institutions, Electoral Reform and Access to Information was tasked with publishing a list of jurisdictions deemed adequate, with Québec's privacy regime as the sole benchmark. Industry stakeholders argued this would complicate interprovincial data flows, which prompted the adoption of a standard closer to PIPEDA's, requiring businesses to assess adequacy against "generally accepted data protection principles."10 In the same stroke, the legislator removed the provision setting out the Minister's responsibility to publish a list of jurisdictions deemed adequate. As a consequence, unlike under the GDPR, the burden of determining whether a jurisdiction is adequate now falls solely on the organization making the cross-border data transfer.

Notable Points and Outstanding Questions

There are a number of outstanding questions of concern to businesses with respect to Bill 64's requirements for cross-border data transfers.

The first, and arguably most consequential for Canadian businesses, is that the provision makes no distinction between international and interprovincial transfers of personal information. Though the text of the law does not state this explicitly, the positions taken by members of the National Assembly during Bill 64's introduction, and the provision read as a whole, indicate that the intent is for the provision to apply to all jurisdictions outside of Québec, including other Canadian provinces, and not only to international transfers of personal information.

Second, Bill 64 imposes an onerous standard for PIAs where data is transferred across borders. Bill 64 is ambiguous as to how often businesses should conduct PIAs, since it simply states that a PIA needs to be conducted "before communicating personal information outside Québec". For instance, for a business that regularly transfers data to the United States, it is unclear whether an assessment would need to take place before each individual transfer, or whether one PIA covering all of its data transfers to the United States would suffice.

The law also does not specify which legislative or jurisprudential developments, once an initial PIA has been conducted, would warrant a new privacy impact assessment. Though the CAI's guidance document suggests a periodic review, how frequently that review should be conducted remains unclear. The example of the United States also raises the question of whether separate PIAs are required for each State to which data is transferred, as privacy legislation varies from State to State. In addition, the quantities or categories of data that can effectively be grouped under a single assessment are left unclear. The costs resulting from these ambiguities may prove burdensome for businesses with less financial capacity to absorb frequent PIA requirements.

A third ambiguity concerns Section 17's reference to "adequate protection in compliance with generally accepted data protection principles." Bill 64's standard departs from PIPEDA's "comparable level of protection" standard and from the GDPR's "adequacy decision" standard, both of which are anchored in specific legislative and regulatory obligations. By comparison, Bill 64 takes a more open-ended approach, referring instead to data protection principles. What has yet to be seen is what constitutes "generally accepted principles" for the purpose of assessing the level of protection in target jurisdictions. Although the evolution of Bill 64 discussed above suggests that those principles are not limited to those found in Québec privacy law, one may wonder whether, in practice, Québec privacy law will become, as the original version of the Bill provided, the standard against which adequacy is measured, absent further clarification from the legislator or the CAI.

Concrete Steps for Businesses to Take

Make Inventories of Personal Information Collected, and Frequent Locations of Transfer

As a first step in assessing what changes may be required for compliance, businesses should build an inventory of the personal information they collect and of where that information is commonly stored and communicated. The inventory should specifically record the two factors singled out by Bill 64: the sensitivity of the personal information and the purposes for which it is used.

Once the types of information have been inventoried, the next essential step is to map where that information is stored and transferred, including the service providers that process or retain it on the business's behalf. Businesses should obtain clarity on the destination of all of their data exports in order to complete the next steps.

Update Privacy Policies and Terms of Agreements

In order to comply with Bill 64's disclosure obligations, businesses must disclose, at the time personal information is initially collected, the possibility that it may be transferred outside of Québec.11 Businesses may need to update their privacy policies to account for the cross-border data transfers that are essential to the business, as well as for potential future cross-border transfers.

Prepare Template Privacy Impact Assessments

Bill 64's PIA obligations have the potential to be onerous, but compliance costs can be mitigated by the effective use of model PIAs. Businesses should consider preparing PIA templates tailored to the personal information they commonly collect and to the specific jurisdictions to which personal information may be transferred. Privacy-related factors, including those specified in Bill 64 such as the sensitivity and purposes of the personal information, should serve as the central pillar of the assessment.12 By maintaining a standard set of PIA documentation and implementing processes to monitor changes in their data transfer practices as well as changes to the privacy laws of target jurisdictions, businesses can mitigate the costs associated with conducting PIAs. The CAI may issue guidance documents and regulations that resolve the ambiguities noted above, and businesses should remain attentive to them.

Prepare Model Clauses to Provide Adequate Protections

Finally, businesses should develop a template cross-border data transfer agreement adapted to their needs. For an in-depth consideration of contractual protection measures, stay tuned for a future McCarthy Tétrault TechLex article on the topic.

Conclusion

Bill 64 imposes new obligations on businesses involved in cross-border transfers of personal information relating to Québec residents. Private sector businesses should prepare for the entry into force of these obligations on September 22nd, 2023 by taking concrete steps to ensure that their processes are compliant, and should seek expert advice where necessary.

Footnotes

1. Act respecting the protection of personal information in the private sector, CQLR c P-39.1, section 20 (version in force February 1, 2021).

2. Act respecting the protection of personal information in the private sector, CQLR c P-39.1, section 8 al 2, as amended by Bill 64 [the "Amended Private Sector Act"].

3. Amended Private Sector Act, section 17.

4. Amended Private Sector Act, section 17 al 2.

5. Amended Private Sector Act, section 17 al 2.

6. PIPEDA, Schedule 1, section 4.1.

7. PIPEDA, Schedule 1, section 4.1.3.

8. PIPEDA Case Summary #2007-365, "Responsibility of Canadian Financial Institutions in SWIFT's disclosure of personal information to US authorities considered" <https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2007/pipeda-2007-365/>.

9. GDPR, Art. 45(1).

10. Amended Private Sector Act, section 17 al 2.

11. Amended Private Sector Act, section 8 al 2.

12. Amended Private Sector Act, section 17 al 1-2.
