For several years, the legislative trend in G20 countries has been to strengthen privacy protection. The entry into force in 2018 of the General Data Protection Regulation (GDPR), a legislative measure of the European Union, has also contributed to putting pressure on our governments. "Not to mention that there is an expectation among the general public in Quebec, especially following the leak scandals," emphasizes Me Elisa Henry. Tabled on June 12, 2020 in the National Assembly of Quebec, Bill 64 proposing to modernize the Personal Information Protection Act includes new requirements for organizations and businesses.

Overview of the main new features currently under study

● Penalties. The Commission d’accès à l’information (CAI) will have the power to impose fines of up to $10 million or 2% of the turnover of the previous fiscal year. In the event of a repeat offence, the fine will be $25 million or 4%.

● Obligation to notify security incidents. In the event of a security incident creating a “risk of serious harm”, the company must notify the persons concerned and notify the Commission for Access to Information.

● Obligation to adopt the principle of confidentiality by design ( privacy by default ). "This approach would be cumbersome to implement for the industry. A person who wants to develop a new IT tool or software will have to prove its merits by processing as little personal data as possible. In addition, for each new IT project, an assessment of the factors relating to privacy will have to be carried out."

● A compliance officer per company . By default, the company president is recognized as the privacy officer. However, he can delegate this function to a member of his staff.

● Privacy impact assessment outside Quebec. “Before being able to transfer personal information outside the province, for example to host data on the servers of a company offering a cloud solution based in Ontario, or to entrust its payroll system to a service provider based in California, the company will have to do a privacy impact assessment, taking into account in particular the level of protection offered by the foreign jurisdiction,” explains Mr. Henry. The company will have to take into account not only written law, but also administrative practices, the way the law is applied and establish its equivalence before being able to transfer the data. I don’t see how companies will be able to assess foreign law. This is a herculean task that requires months of work by the European Commission when it embarks on this exercise to grant the status of adequate jurisdiction to a state. The bill indicates that a list of states with equivalent legal systems will be published by the government. I think that, here too, the Quebec government has neither realized the arduous task that awaits it, nor the harmful consequences that such a measure could have on the Quebec economy."

New rights granted to the individual

● Right to be forgotten . For example, individuals may ask an organization to dereference or deindex online content linked to their name. This right is framed in the bill. There must be a balance between fundamental freedom and freedom of expression to prevent a politician, for example, from being able to order search engines to deindex all negative press articles about them.

● Right to object to automatic data processing . This new provision gives individuals a (limited) right to algorithmic transparency, that is, to be informed of such processing, the information used, the factors and parameters taken into account, to have errors corrected and to present observations to an employee of the company. “We thus wish to avoid the “black box” phenomenon where companies could make decisions based on an algorithm, without human intervention, without the knowledge of Quebecers,” explains Mr. Henry.

● Right to data portability . “If, for example, we want to change social networks, this right will allow us to transport our data to another entity easily, in a structured manner.”

Four steps to prepare for it

The bill is still being debated, but one thing is certain: businesses will have to adjust on several levels. Here are four actions to take now to prepare the ground.

1. Map your data, both internal and external . “If I’m a small business and I only have two subcontractors, it will go quickly, but sometimes it’s more complicated,” observes Mr. Henry. “You have to know where my data is and what our subcontractors are doing with our data.” This mapping will provide a good overall picture of the processing of personal information in your company before implementing new measures.

2. Assess information security . How do I protect myself when a third party handles my data? Do I have backups? Who hosts my data and who has access to it? If I archive physical copies in filing cabinets, how do I secure them? “This exercise allows us to see where the security breaches are and to plug them with the right tools or resources,” says Mr. Henry. “It’s an essential step that can take several weeks, but it will allow us to turn around quickly once the bill is passed.”

3. Aim for IT harmonization . Ensure that the IT tools used are flexible and interconnected. “To meet demands for deindexing or data portability, it will be necessary to ensure that the company’s systems talk to each other. Ideally, harmonize employee data management systems and customer data management systems so as not to have to play in a multitude of different systems.”

4. Follow the progress of the bill to stay informed . “And if there is a new wave of public consultations, entrepreneurs can submit their opinions. It is a democratic exercise, it is important to make your voice heard, because this law will have a significant impact on all businesses.”