At the beginning of last fall, the National Assembly adopted a new law on the protection of personal data. While the interpretation of certain provisions still needs clarification, all companies stand to benefit from complying with them as quickly as possible. Such obligations will become increasingly stringent over the next three years.
As Me William Deneault-Rouillard, a lawyer at Fasken specializing in personal information management, data governance, cybersecurity and commercial law, said during the Cybersecurity 20/20 event organized by Novipro in October 2021, "The vast majority of the changes will come into force in September 2023."
With his colleague Me Antoine Aylwin, a partner at Fasken, he presented an overview of the changes involved for private sector organizations through the adoption of this law aimed at modernizing legislative provisions relating to the protection of personal information.
The two lawyers explained that the new law requires companies to protect “private information collected, used, communicated, retained or destroyed”. This protection applies regardless of the quantity of information, the medium on which it is recorded, its purpose, or its sensitivity.
According to the law, sensitive data [sic] is information “that creates a high degree of expectation of privacy, due to its biometric or otherwise intimate medical nature.”
Management of personal data
Dominique Derrier, Chief Information Security Officer (CISO) at NOVIPRO, explains: “According to the 2022 NOVIPRO/Léger IT Portrait analysis, more than half (57%) of Quebec organizations hold confidential information and 100% have confidential HR information.” These statistics demonstrate the urgency of complying with the requirements of Bill 64.
A company collecting personal data will have to specify the purpose of its use and must obtain approval from the persons concerned. These individuals must also be notified if their information is communicated to third parties.
Exporting private information will remain possible under the new law, but a risk analysis must be carried out first. This means an agreement has to be reached in every State concerned (States, not countries), and this agreement must provide a “level of protection that meets globally recognized principles,” a concept that remains somewhat vague for the moment.
Depersonalization and anonymization
A company wishing to deviate from its initial objective in the processing of personal information will have to obtain consent for a second time, unless it depersonalizes it using secret key cryptography, hashing or tokenization techniques. Its use of the data must then be restricted to three activities: research, compilation of statistics, and the carrying out of a study.
“But this private information will remain subject to the law,” insists Me Deneault-Rouillard.
The lawyer adds that following the de-identification process, the company will have to take “reasonable measures” to prevent the subjects of this personal information from being re-identified.
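The de-identification techniques named above (secret-key cryptography, hashing, tokenization) differ in how hard re-identification is once the data is in someone else's hands. The following is an added illustration, not code from the article, from Fasken or from NOVIPRO; the record layout, the `client_id` field, the candidate identifier range and the key are all constructed for the demonstration. It shows that an unkeyed hash of a low-entropy identifier can be recomputed by anyone holding a list of plausible values, whereas an HMAC under a secret key kept apart from the dataset cannot, and that a tokenization vault makes re-identification depend entirely on access to the mapping table.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample records; the clients and identifiers are fictitious.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"client_id": "C-00017", "region": "Montreal", "plan": "premium"},
    {"client_id": "C-00042", "region": "Quebec City", "plan": "basic"},
    {"client_id": "C-00017", "region": "Montreal", "plan": "premium"},
]

# Constructed secret key; in practice it lives outside the de-identified dataset.
DEMO_KEY = b"demo-key-held-by-privacy-office-not-shipped-with-data"


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256: deterministic, but anyone can recompute it from a guess."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key: still deterministic (so statistics work),
    but the output cannot be recomputed without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def depersonalize(records: Iterable[Dict[str, str]],
                  pseudonymize: Callable[[str], str]) -> List[Dict[str, str]]:
    """Replace the direct identifier with a pseudonym, keeping the other fields."""
    return [{**r, "client_id": pseudonymize(r["client_id"])} for r in records]


def count_by_client(records: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """A permitted statistical use: records per (pseudonymous) client."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r["client_id"]] = counts.get(r["client_id"], 0) + 1
    return counts


def reidentify_by_enumeration(target: str, candidates: Iterable[str],
                              pseudonymize: Callable[[str], str]) -> Optional[str]:
    """Re-identification check: does recomputing the pseudonym over a list of
    plausible identifiers reveal which one produced `target`?"""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymize(candidate), target):
            return candidate
    return None


class TokenVault:
    """Tokenization: each value is replaced by a random token, and the only link
    back to the original is this mapping, which is stored and access-controlled
    separately from the de-identified dataset."""

    def __init__(self) -> None:
        self._forward: Dict[str, str] = {}
        self._reverse: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._forward:
            token = secrets.token_hex(16)  # 128 random bits, no relation to the value
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenize(self, token: str) -> Optional[str]:
        return self._reverse.get(token)


if __name__ == "__main__":
    # Constructed candidate list: the small identifier space a re-identifier might enumerate.
    candidates = [f"C-{i:05d}" for i in range(1, 100)]

    unkeyed = depersonalize(SAMPLE_RECORDS, plain_hash)
    print("unkeyed hash re-identified as:",
          reidentify_by_enumeration(unkeyed[0]["client_id"], candidates, plain_hash))

    keyed = depersonalize(SAMPLE_RECORDS, lambda v: keyed_pseudonym(v, DEMO_KEY))
    print("keyed pseudonym re-identified without key:",
          reidentify_by_enumeration(keyed[0]["client_id"], candidates, plain_hash))
    print("records per pseudonymous client:", count_by_client(keyed))

    vault = TokenVault()
    token = vault.tokenize("C-00017")
    print("token:", token, "-> original via vault:", vault.detokenize(token))
```

The "reasonable measures" the lawyer refers to map, in this model, onto how the key or the vault is protected: whoever holds either can re-identify, so the secret must be stored, access-controlled and logged apart from the data it protects. Whether a given arrangement satisfies the law is a legal judgement, not something the code decides.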
The law stipulates that as soon as the personal information's usage is over, it must be destroyed or anonymized. If the company opts for the second strategy, it can continue to analyze the information, but only for "serious and legitimate purposes," while ensuring that the identity of the person remains anonymous "at all times."
If a privacy incident occurs, i.e. personal information is misused or disclosed, lost or accessed without authorization, the company should take prompt action to reduce any risk of harm.
As of September 2022, all events of this order must be recorded in a register. If they are likely to cause "serious harm" (another concept that still needs to be clarified), the Commission d'accès à l'information of Quebec and all persons concerned must be notified.
Failure by companies to comply with all the provisions of the law will expose them to heavy penalties, namely a fine of up to 10 million dollars or the equivalent of 2% of turnover.
“The Commission d'accès à l'information, which will apply these sanctions, will take into account various criteria, including repetition, duration, the nature, the seriousness, and the sensitivity of the personal information involved,” explains Me Aylwin.
He adds that restorative measures and collaboration with the Commission d'accès à l'information will also be considered, in addition to the company's ability to pay.
When all is said and done, as ever, prevention is much better than any cure.