New PI Rules in Canada, Part I – CEOs are Accountable for Personal Information

Quebec passed Bill 64 in September 2021, dramatically updating the Act Respecting the Protection of Personal Information in the Private Sector (“PPIPS”). Just as the California Consumer Privacy Act (2018) set a new national standard for the US, Quebec has set a new privacy standard for Canada.

Most organizations that operate in Canada cannot have one set of policies and procedures for Quebec and a different set for the rest of Canada. Besides, BC, Alberta and Ontario are all updating their laws in the coming months.

PPIPS will come into force in three stages.

In stage 1, on September 22, 2022, the following parts of the law will come into force:

1. The appointment of a Privacy Officer (section 3.1);
2. The obligation to report to the Commission d’accès à l’information and to the persons concerned any privacy incidents involving personal information in the company’s possession that present a risk of serious harm (sections 3.5 to 3.8);
3. The right to disclose personal information without the consent of the person concerned when it is necessary for the purpose of concluding a commercial transaction (section 18.4);
4. The right to disclose personal information without the consent of the persons concerned when using that information for study or research purposes or for the production of statistics (sections 21 to 21.0.2).

In this first series of articles on Bill 64, let’s unpack these new obligations for ALL organizations that operate in Canada. This first article focuses on:

1. The appointment of a Privacy Officer (section 3.1).

Section 3.1 states: “Any person carrying on an enterprise is responsible for protecting the personal information held by the person.

Within the enterprise, the person exercising the highest authority shall see to ensuring that this Act is implemented and complied with. That person shall exercise the function of person in charge of the protection of personal information; he may delegate all or part of that function in writing to a personnel member.

The title and contact information of the person in charge of the protection of personal information must be published on the enterprise’s website or, if the enterprise does not have a website, be made available by any other appropriate means.”

Quebec is holding everyone in the organization responsible for the protection of personal information. Do not be surprised if certain people within the organization are called out and fined due to their lack of action resulting in a breach of personal data.

But if you are going to hold all persons responsible, it must include the most senior executives: the “highest authority.” Clearly Quebec intends to fine some CEOs right out of the gate and make an example out of them. By making the “highest authority” accountable to “ensure this Act is implemented and complied with,” they have left no wiggle room for the most senior person in the organization.

The first question the CAI will ask in any investigation is “Who is in charge of Personal Information within this organization?” and the answer better be, “all of us, including our CEO.”

The enforcement of PPIPS comes in three forms, and each one has a significant price tag, as outlined clearly by our friends at BLG:

1. Administrative monetary penalties
The AMPs would apply to a broad range of contraventions: failure to comply with transparency requirements; collection, communication, use or destruction of personal information in contravention of the statute; failure to report a breach; and non-compliance with the automated decisions provision (s. 90.1). For businesses, the CAI would be empowered to impose penalties of a maximum of C$10,000,000 or, if greater, the amount corresponding to 2 per cent of worldwide turnover for the preceding fiscal year (s. 90.12). Bill 64 would require that the CAI develop and make public a general framework for the application of AMPs, specifying various elements listed in the bill (s. 90.2). Bill 64 provides for a notification procedure before the imposition of an AMP (s. 90.3 and 90.4), an internal review process (s. 90.6, 90.7 and 90.8) and a right to contest the review decision before the Court of Québec.

2. Penal regime
The Private Sector Act currently includes a penal regime allowing the province’s attorney general to seek fines before the courts for violation of the statute. However, these provisions have never been used. Under Bill 64, the CAI would be empowered to institute penal proceedings. Bill 64 would also substantially increase the potential fines. From the current maximum of C$10,000 for a first offence and C$20,000 for a second, the maximum fine would become C$25,000,000, or, if greater, the amount corresponding to 4 per cent of worldwide turnover for the preceding fiscal year (s. 91). In the case of a subsequent offence, the fines would be doubled (s. 92.1). The penal regime applies to more offences than the AMPs, including: interfering with the CAI’s investigation and identifying or attempting to identify a natural person by using de-identified information without the authorization of the person holding the information or by using anonymized information (s. 91).

3. Private right of action
Individuals are currently able to bring privacy actions before Québec courts for privacy violations based on the privacy provisions of the Civil Code of Québec. Bill 64 would create a private right of action allowing individuals to be compensated for the unlawful infringement of a right conferred by the statute or the privacy articles of the Civil Code, unless the damage results from “superior force” (s. 93.1). This provision may translate into Québec becoming an even friendlier jurisdiction for privacy class actions. The statute also provides for the award of punitive damages of at least C$1,000 where the infringement is intentional or results from a gross fault.

While all organizations have until September 22, 2022 to have this policy documented and in place, why wait?

Step 1 is to appoint the CEO as Chief Privacy Officer and decide to whom, and how, they will delegate the day-to-day role. We recommend that person be a direct report to the CEO so all parties are always well informed and nothing gets lost or misinterpreted in internal communications. Their title and contact details must be published on your website(s).

In the next article we will take a deeper dive into Confidentiality Incident Reporting requirements that every organization in Canada will have to create a documented plan for, complete with staff training and plans for annual reviews.

The team at Newport Thomson has mapped out the steps to compliance and is happy to share those with any organization looking to bring their data management practices up to date and comply with PPIPS. Contact info@newportthomson.com and ask for a PPIPS Compliance Map.