Updating Quebec Private Sector Privacy Law – Part 1 of 2
In Quebec, the Commission d’accès à l’Information (or the CAI) was recently seeking comments from local privacy experts on certain potential amendments to the Quebec private sector law, the Act respecting the protection of personal information in the private sector.
Recall that Quebec was the first jurisdiction in Canada to enact a data protection law in 1994. This law definitely needs an update. The challenge is to ensure that the proper amendments are considered. As a matter of fact, this legislation should remain a flexible tool in light of the challenges triggered by internet technologies and other similar innovations.
I have submitted two sets of comments. First, I have submitted specific answers to the 4 questions that the CAI was seeking comments on, jointly with the experts from the CRDP of the University of Montreal: Vincent Gautrais, Karim Benyekhlef, Pierre-Luc Déziel, Pierre Trudel and Nicolas Vermeys.
Our answer addresses the following topics:
1- Definition of personal information
First, the CAI was seeking comments on whether the definition of personal information (“information which relates to a natural person and allows that person to be identified”) should be revised and whether a notion of “sensitive information” should be introduced into the law.
We discuss in our answer the fact that we don’t believe that the definition of personal information should be re-opened at this stage. While we realize that there are many challenges with the current definition of information, we are of the view that these challenges can be addressed with a flexible interpretation. We note that the CAI has interpreted this notion of personal information in a way similar to how the OPC has under PIPEDA (which has a similar definition of personal information). We refer to my PhD thesis for some guidance on the type of interpretation that may be useful, for instance an interpretation which takes into account the risk of harm behind the activity of collecting, using or disclosing personal information. We also caution against creating a new category of information which would automatically be considered as “sensitive”.
2- Notion of “File”
The Quebec private sector privacy law (contrary to PIPEDA or the Alberta / B.C. PIPAs) refers to the notion of “file”. For example, s. 4 of the Quebec law provides that:
Any person carrying on an enterprise who may, for a serious and legitimate reason, establish a file on another person must, when establishing the file, enter its object.
Second, the CAI was seeking comments on whether this notion of “file” is still relevant. We raise in our answer that this notion of “file” has not been interpreted to mean a “paper file” and that it is possible to apply this notion to electronic files or similar types of documents. Since the law already provides for an obligation for an organization to identify the purpose of its collection, use and disclosure of personal information, etc. – we articulate the view that this notion of “file” is not problematic.
3- Notion of “Processing”
Third, the CAI was seeking comments on whether the notion of “data processing” should be introduced. In Europe, the Directive 95/46/EC includes this notion which encompasses all data protection activities (collection, use, communication, transmission, storage, etc.). We advise in our letter against this type of amendment for various reasons, including the fact that each data protection activity has its own set of risks, which should therefore each remain addressed separately in the law.
4- Profiles and Big data
Last, the CAI was seeking comments on whether we should consider introducing specific provisions meant to govern profiles, especially in the context of Big Data. Again, we recommend not introducing amendments meant to govern all profiling activities, one of the reasons being that these profiling activities are not necessarily harmful for individuals.
While we don’t recommend modifying the Quebec private sector privacy law to address the four issues discussed above, we are of the view that a more comprehensive discussion is necessary, including on the issues pertaining to the powers of the CAI. We believe that the CAI should increase its collaboration with other Canadian privacy commissioners (i.e., the Privacy Commissioner of Canada, as well as the Alberta and B.C. OIPC). We also recommend redefining the role of the Quebec law in light of other types of tools (self-regulatory, norms, standards, etc.).
To view a full copy of our answer please click here (in French).
I have also submitted a second personal answer in which I provide recommendations on various issues that should be addressed and amendments that I believe should be considered. These include the fact that:
- the notion of “manifest” consent (s. 14) is, in my view, not flexible enough;
- the law should provide for a new category of information for “employee personal information” to more properly address the reality of the employer-employee relationship;
- the law should be amended to include a business transaction exception;
- s. 22 to 26 dealing with electronic marketing and the transfer of customer files for marketing purposes should be updated to more properly reflect current marketing practices and profiling activities;
- s. 8 (3) pertaining to the legal obligation to disclose the place where the data is kept should be updated to address the challenges with the use of cloud services; and
- a breach notification obligation should be introduced.
More information on my personal submission will be available very soon on my blog.
This content has been updated on December 4, 2015 at 18 h 20 min.