Updating Quebec Private Sector Privacy Law – Part 2 of 2
In Quebec, the privacy regulator, the Commission d’accès à l’Information (or CAI), was recently seeking comments from local privacy experts on certain potential amendments to the Quebec private sector law, the Act respecting the protection of personal information in the private sector (“APPIPS”).
Recall that Quebec was the first jurisdiction in Canada to enact a data protection law back in 1994. This law definitely needs an update. The challenge is to ensure that the proper amendments are considered. As a matter of fact, this legislation should remain a flexible tool in light on the challenges triggered by internet and technological innovations.
I have submitted two sets of comments. First, I have submitted specific answers to the 4 questions that the CAI was seeking comments on, jointly with the experts from the CRDP of the University of Montreal. The questions pertain to whether the wording of the notion of personal information should be revised, whether a notion of “sensitive information” should be introduced into the law, whether the notion of “file” is still relevant, whether the notion of “data processing” should be introduced into the law, and, whether, we should consider introducing specific provisions meant to govern profiles, especially in the context of Big Data. I have blogged about our answer last week (here) and you can view a full copy of the answer here (French only).
I have also submit another personal submission in which I provide recommendations on various issues which are the following ones:
1- Consent (Manifest vs. Implicit)
Under s.14 of the APPIPS, “Consent to the collection, communication or use of personal information must be manifest, free, enlightened and given for specific purposes (…).” The notion of “manifest” consent is usually interpreted as an explicit type consent (i.e. “opt-in”). Contrary to PIPEDA, the Alberta PIPA and the B.C. PIPA which include a concept of “implied” consent (which is especially relevant in certain situations involving non-sensitive information), the APPIPS offers no such flexibility in the form of consent that may be obtained.
With respect to APPIPS, it is my opinion that this notion of “manifest” consent should be updated to ensure that it is better adapted to new realities. This comment should be read together with my other comments relating to the need for a separate category for employee personal information (see section 2- below), the need for an exception for business transactions (see section 3- below), as well as my comments pertaining to the need to better address new advertising initiatives (see section 4- below).
2- Employee Personal Information
In Quebec, the legal framework is more stringent than the framework in the rest of Canada in terms of what you can collect and how you can use personal information in the employment context. For example, while under PIPEDA, the Alberta PIPA and the B.C. PIPA, employee personal information can in some cases be collected without consent, you don’t have this flexibility in Quebec.
Under s. 7.3 of PIPEDA, s. 15 of the Alberta PIPA and s. 23 of the B.C. PIPA, employers are able to collect, use and disclose employee personal information without consent if the information is reasonably needed to establish, manage or terminate employment, provided the employee (or applicant, as the case may be) in question be properly notified why the information is being or may be collected, used or disclosed.
The legal framework is different in Quebec. Under the APPIPS, an applicant shall provide consent to the collection and use of his/her personal information. In addition, no employer may refuse to employ an individual by reason of the applicant’s refusal to disclose personal information except where the collection of that information is necessary for the conclusion or performance of a contract. This criteria of “necessity” is interpreted stringently and in case of doubt, personal information is deemed to be non-necessary. Consent from employees is not valid if the information is not considered as necessary.
I argue that this “valid and free consent” requirement from the APPIPS does not properly reflect the employer-employee relationship. Employers will necessarily need to collect employee personal information to manage their employees. Another question worth asking is whether employees’ consent will truly be voluntary and “free”.
3- Business Transaction Exception
The APPIPS, under s.14, states that individuals must provide their “manifest” consent to the collection, use and disclosure of their personal information. When businesses consider entering into a business transaction (such as the purchase or sale of a business, the acquisition or sale of assets, etc.), several challenges arise from this notion of “manifest” consent. Indeed, it may be difficult or even impossible for a business to obtain the consent of its customers or employees to disclose their information either at the due diligence stage or at closing. To address such situations, other laws in Canada, PIPEDA (with recent S-4 amendments), the Alberta PIPA and the B.C. PIPA each has a business transaction exception.
Under these exceptions, organizations that are parties to a commercial transaction are able to use and disclose personal information necessary to determine whether the parties wish to proceed with the transaction without the knowledge or consent of the persons concerned, if they conclude a confidentiality agreement. If the transaction does not occur, the information should be returned or destroyed within a reasonable time. If the transaction is completed, one of the parties shall, within a reasonable time following the closing of the transaction, notify the persons concerned that a transaction has been concluded and that their personal information has been disclosed and transferred to the purchaser as part of this transaction.
Quebec is therefore the only jurisdiction in Canada that does not have such business transaction exception in its data protection law. I submit that the APPIPS should be amended to include a “business transaction exception” similar to the one we find under other Canadian jurisdictions. I have raised my concern on this issue on many occasions over recent years.
4- Marketing Lists and Electronic Communications
Under the APPIPS, s. 22 to 26 regulate the use of personal information for marketing purposes. Note, these provisions date back to the negotiations which that took place back in 1993. The purpose of these provisions (from reading the parliamentary debates) was to allow companies to use or transfer their customer lists for marketing purposes. However, under the APPIPS, certain requirements must be met: 1) there must be a contract preventing the third party to use the list for purposes other than marketing purposes; 2) before the transfer, the persons concerned must have had the valuable opportunity to refuse the transfer (i.e. be able to opt-out); and 3) this transfer must not infringe the privacy of those involved. This last section has been interpreted in one case (Deschênes c. Groupe Jean Coutu, PV 98 08 42 (C.A.I.)) which involved a pharmacist’s sale of his list of diabetic patients.
These provisions regulate any “nominative list” defined initially as “a list of names, phone numbers, geographical addresses of natural persons”. In 2006, the concept of email address was included with the wording: “or technological addresses where a natural person may receive communication of technological documents or information” to better reflect the reality of customer lists being used in email marketing campaigns. As this section (s. 22 to 26) is specifically intended to govern information included in such “nominative list” (which is basic contact information), any new targeted, contextual or behavioral marketing initiatives would fall outside the scope of this section and would therefore be illegal unless a “manifest” consent (i.e. opt-in or express consent) is first obtained from individuals and this, even if the information used is not sensitive. I know for a fact (through clients) that Quebec residents are often excluded from such marketing initiatives for this reason. Given that increasingly, analytical tools are used to specifically target individuals according to their interests, this section of the APPIPS should be updated to address and regulate profiling and targeting marketing activities.
The new Canadian anti-spam law (“CASL”) came into force in July 2014, and it should be noted that the provisions of the APPIPS are not as stringent as those of CASL. While I do not recommend that the APPIPS be amended to be aligned with CASL, the industry may appreciate obtaining the assurance from the the CAI that the APPIPS still applies to their local (i.e. Quebec) operations involving the sending of commercial electronic messages.
5- Place of Storage
Section 8 (3) of the APPIPS states: “The person who collects personal information from the person concerned must, when establishing a file on that person, inform him (…) 3 ° of where file will be kept as well as access or correction rights.” This notion of “place” which dates back to the original version of the APPIPS (1993) has never been interpreted by the CAI or by relevant Quebec courts. It is not clear whether the law refers to a physical address or a particular jurisdiction. Moreover, this provision may be problematic for businesses using cloud computing services. I have already published on this specific issue, and have articulated the view that the APPIPS should be amended to instead emphasize on the obligation to notify individuals of the fact that their information may be transferred outside of Quebec (or Canada), and that, once transferred, this information will be subject to these foreign laws.
6- Breach Notification Obligation
The CAI, in its 2011 report (five-year review), was raising the importance of having companies notify individuals affected by a security breach involving their personal information. This allows to mitigate risk in certain situations, for example in situations where affected individuals are likely to suffer damage resulting from the security breach. In the context of the recent proposed amendments to PIPEDA through bill S- 4, I have testified to the effect that this notion of breach notification obligation was necessary. I recommend the introduction of a requirement to notify individuals affected by a security breach in the APPIPS, similar to the obligation found under PIPEDA (with recent S-4 amendments) and the Alberta PIPA.
For more information or to read my personal submission, please click here (French only).
This content has been updated on December 11, 2015 at 10 h 58 min.