Roxane Fortin Lecompte Lawyer

Bill 64, also known as the Act to modernize legislative provisions as regards the protection of personal information, was adopted on September 21, 2021, by the National Assembly of Québec. This new bill amends some 20 laws relating to the protection of personal information, including the Act respecting Access to documents held by public bodies and the Protection of personal information ("Access Act"), the Act respecting the protection of personal information in the private sector (“ARPIPS”) and the Act to establish a legal framework for information technology (“AELFIT”). While these changes will affect both public bodies and private businesses, this article focuses exclusively on the new requirements for public bodies covered by the Access Act.  We have prepared an amended version of the Access Act in order to reflect the exact changes brought about by Bill 64. 1. Strengthening consent mechanisms and increasing individual control over personal information By way of Bill 64, some important changes were made to the notion of consent when disclosing personal information to public bodies. From now on, any time an individual’s consent is required by the Access Act, public bodies must ensure that the concerned individual’s consent is given separately from any other disclosed information (s. 53.1). Furthermore, any consent to the collection of sensitive personal information (e.g., health or financial information that gives rise to a reasonable expectation of privacy) will have to be expressly obtained from the data subject (s. 59). The amended Access Act now also provides that minors under the age of 14 must have a parent or a guardian consent to the collection of their personal information. For minors over the age of 14, consent can be given either directly by the minor or by their parent or guardian (s. 53.1). The right to data portability is one of the new rights enforced by Bill 64. These added provisions to the Access Act allow data subjects to obtain data that a public body holds on them in a structured and commonly used technological format and to demand that this data be released to a third party (s. 84). Whenever a public body renders a decision based exclusively on automated processing of personal information, the affected individual must be informed of this process. If the decision produces legal effects or otherwise affects the individual concerned, upon request, the public body must also disclose to the individual (i) the personal information used in reaching the decision, (ii) the reasons and main factors leading to the decision, and (iii) the individual’s right to have this personal information rectified (s. 65.2).  Furthermore, public bodies that use technology to identify, locate or profile an individual must now inform the affected individual of the use of such technology and the means that are available to them in order to disable such functions (s. 65.0.1). 2. New personal data protection mechanisms Public bodies will now be required to conduct a privacy impact assessment whenever they seek to implement or update any information system that involves the collection, use, disclosure, retention or destruction of personal data (s. 63.5). This obligation will effectively compel public bodies to consider the privacy and personal information protection risks involved in a certain project at its outset. In fact, the Access Act now states that every public body must create an access to information committee, whose responsibilities will include offering their observations in such circumstances. 3. Promoting transparency and accountability for public bodies The changes brought about by Bill 64 also aim to increase the transparency of processes employed by public bodies in collecting and using personal data, as well as placing an emphasis on accountability. As such, public bodies will now have to publish on their websites the rules that govern their handling of personal data in clear and simple language (s. 63.3). These rules may take the form of a policy, directive or guide and must set out the various responsibilities of staff members with respect to personal information. Training and awareness programs for staff should also be listed. Any public body that collects personal information through technological means will likewise be required to publish a privacy policy on their website. The policy will have to be drafted in clear and simple language (s. 63.4). The government may eventually adopt regulations to specify the required content of such privacy policies. Moving forward, public bodies will also have to inform data subjects of any personal data transfer outside of the province of Quebec (s. 65). Any such transfer will also need to undergo a privacy impact assessment, which will include an analysis of the legal framework applicable in the State where the personal information will be transferred (s. 70.1). Furthermore, any transfer of personal data outside of Quebec must be subject to a written agreement that takes into account, in particular, the results of the privacy impact assessment and, if applicable, the agreed-upon terms to mitigate the risks identified in the assessment (s. 70.1). A public body that wishes to entrust a person or body outside of Quebec with the task of collecting, using, communicating or retaining personal information on its behalf will have to undertake a similar exercise (s. 70.1 (3)). 4. Managing confidentiality incidents Where a public body has reason to believe that a confidentiality incident (which is defined in Bill 64 as the access, use, disclosure or loss of personal information) has occurred, public bodies will be required to take reasonable steps to mitigate the injury caused to the affected individuals and to reduce the risk of further confidentiality incidents occurring in the future (s. 63.7). In addition, where the confidentiality incident poses a risk of serious harm to the affected individuals, these individuals and the Commission d’accès à l’information (“CAI”) must be notified (unless doing so would interfere with an investigation to prevent, detect or suppress crime or violations of law) (s. 63.7). Public bodies must now also keep a register of confidentiality incidents (s. 63.10), a copy of which must be sent to the CAI upon request. 5. Increased powers for the CAI Bill 64 also grants the CAI an arsenal of new powers aiming to ensure that public bodies, as well as private companies, comply with privacy laws. For example, in the event of a confidentiality incident, the CAI may order any public body to take appropriate action to protect the rights of affected individuals, after allowing the public body to make representations (s. 127.2). Furthermore, the CAI now has the power to impose substantial administrative monetary penalties, the value of which may reach up to $150,000 for public bodies (s. 159). In the event of repeat offences, fines will be doubled (s. 164.1). 6. Coming into force The amendments made by Bill 64 will come into force in several stages. Most of the new provisions of the Access Act [DM1] will come into force two years after the date of assent, which was granted on September 22, 2021. However, some specific provisions will take effect one year after that date, including: The requirements regarding actions to be taken in response to confidentiality incidents (s. 63.7) and the powers of the CAI upon disclosure by an organization of a confidentiality incident (s. 137.2); and The exception to disclosure without consent for research purposes (s. 67.2.1). Conclusion The clock is now ticking for public bodies to implement the necessary changes in order to comply with the new privacy requirements outlined in Bill 64, which received official assent on September 22, 2021. We invite you to consult our privacy specialists to help ensure proper compliance with the new requirements of the updated Access Act. The Lavery team would be more than pleased to answer any questions you may have regarding the upcoming changes and the potential impacts on your org

Bill 64, also known as the Act to modernize legislative provisions respecting the protection of personal information, was adopted on September 21, 2021, by the National Assembly of Québec. It amends some 20 laws relating to the protection of personal information, including the Act respecting access to documents held by public bodies ("Access Act"), the Act respecting the protection of personal information in the private sector ("Private Sector Act") and the Act respecting the legal framework for information technology. While the changes will affect both public bodies and private businesses, this publication will focus on providing an overview of the new requirements for private businesses covered by the Private Sector Act. We have prepared an amended version of the Private Sector Act in order to reflect the exact changes brought about by Bill 64. Essentially, the amended Private Sector Act aims to give individuals greater control over their personal information and promote the protection of personal information by making businesses more accountable and introducing new mechanisms to ensure compliance with Québec’s privacy rules. The following is a summary of the main amendments adopted by the legislator and the new requirements imposed on businesses in this area. It is important to note that, for the most part, the new privacy regime will come into effect in two years. 1. Increasing transparency and individual control over personal information The new Private Sector Act establishes the right of individuals to access information about themselves collected by businesses in a structured and commonly used technological format. Data subjects will now also be able to require a business to disclose such information to a third party, as long as the information was not “created or inferred” by the business (s. 27). This right is commonly referred to as the “right to data portability.” Businesses now have an obligation to destroy personal information once the purposes for which it was collected or used have been fulfilled. Alternatively, businesses may anonymize personal information in accordance with generally accepted best practices in order to use it for meaningful and legitimate purposes (s. 23). However, it is important that the identity of concerned individuals can never again be inferred from the retained information. This is a significant change for private businesses which, under the current law, can still retain personal information that has lapsed. In addition, Bill 64 provides individuals with a right to “de-indexation.” In other words, businesses will now have to de-index any hyperlink that leads to an individual’s personal information where dissemination of such personal information goes against the law or a court order (s. 28.1). Additionally, whenever a business uses personal information to render a decision based exclusively on an automated processing of such information, it must inform the concerned individual of the process at the latest when the decision is made (s. 12.1). The individual must likewise be made aware of their right to have the information rectified (s. 12.1). Bill 64 provides that the release and use of nominative lists by a private company for commercial or philanthropic prospecting purposes are now subject to the consent of concerned data subjects. Furthermore, in an effort to increase transparency, businesses will now be required to publish their rules of governance with respect to personal information in simple and clear terms on their website (s. 3.2). These rules may take the form of a policy, directive or guide and must, among other things, set out the various responsibilities of staff members with respect to personal information. In addition, businesses that collect personal information through technology will also be required to adopt and publish a privacy policy in plain language on their website when they collect personal information (s. 8.2). The amended Private Sector Act further provides that businesses that refuse access to information requests, in addition to giving reasons for their refusal and indicating the relevant sections of the Act, must now assist applicants in understanding why their request was denied when asked to (s. 34). 2. Promoting privacy and corporate accountability Bill 64 aims to make businesses more accountable for the protection of personal information, as exemplified by the new requirement for businesses to appoint a Chief Privacy Officer within their organization. By default, the role will fall upon the most senior person in the organization (s. 3.1). In addition, businesses will be required to conduct privacy impact assessments (“PIA”) for any information system acquisition, development or redesign project involving the collection, use, disclosure, retention or destruction of personal information (s. 3.3). This obligation forces businesses to consider the privacy and personal information protection risks involved in a project at its outset. The PIA must be proportionate to the sensitivity of the information involved, the purpose for which it is to be used, its quantity, distribution and medium (s. 3.3). Businesses will likewise be required to conduct a PIA when they intend to disclose personal information outside Québec. In these cases, the purpose of the PIA will be to determine whether the information will be adequately protected in accordance with generally accepted privacy principles (s. 17). The extra-provincial release of personal information must also be subject to a written agreement that takes into account, among other things, the results of the PIA and, if applicable, the terms and conditions agreed to in order to mitigate identified risks (s. 17(2)). The disclosure of personal information by businesses for study, research or statistical purposes is also subject to a PIA (s. 21). The law is substantially modified in this regard, in that a third party wishing to use personal information for such purposes must submit a written request to the Commission d'accès à l'information (“CAI”), attach a detailed description of their research activities and disclose a list of all persons and organizations to which it has made similar requests (s. 21.01.1 and 21.01.02). Businesses may also disclose personal information to a third party, without the consent of the individual, in the course of performing a service or for the purposes of a business contract. The mandate must be set out in a written contract, which must include the privacy safeguards to be followed by the agent or service provider (s. 18.3). The release of personal information without the consent of concerned individuals as part of a commercial transaction between private companies is subject to certain specific requirements (s. 18.4). The amended Private Sector Act now defines a business transaction as “the sale or lease of all or part of an enterprise or its assets, a change in its legal structure by merger or otherwise, the obtaining of a loan or other form of financing by it, or the taking of a security interest to secure an obligation of the enterprise” (s. 18.4). Bill 64 enshrines the concept of “privacy by default,” which means that businesses that collect personal information by offering a technological product or service to the public with various privacy settings must ensure that these settings provide the highest level of privacy by default, without any intervention on behalf of their users (s. 9.1). This does not apply to cookies. Where a business has reason to believe that a privacy incident has occurred, it must take reasonable steps to reduce the risk of harm and the reoccurrence of similar incidents (s. 3.5). A privacy incident is defined as “the access, use, disclosure or loss of personal information” (s. 3.6). In addition, businesses are required to notify concerned individuals and the CAI for each incident that presents a serious risk of harm, which is assessed in light of the sensitivity of the concerned information, the apprehended consequences of its use and the likelihood that it will be used for a harmful purpose (s. 3.7). Companies will furthermore be required to keep a confidentiality incident log that must be made available to the CAI upon request (s. 3.8). 3. Strengthening the consent regime Bill 64 modifies the Private Sector Act to ensure that any consent provided for in the Act is clear, free and informed and given for specific purposes. This means that consent must be requested for each of the purposes of the collection, in simple and clear terms and in a clearly distinct manner, to avoid consent being obtained through complex terms of use that are difficult for individuals to understand (art. 14). The amended Private Sector Act now provides that minors under the age of 14 must have a parent or a guardian consent to the collection of their personal information. For minors over the age of 14, consent can be given either directly by the minor or by their parent or guardian (s. 14). Within an organization, consent to the disclosure of sensitive personal information (e.g., health or other intimate information) must be expressly given by individuals (s. 12). 4. Ensuring better compliance The Private Sector Act has likewise been amended by adding new mechanisms to ensure that businesses subject to the Private Sector Act comply with its requirements. Firstly, the CAI is given the power to impose hefty dissuasive administrative monetary penalties on offenders, which can be as high as $10,000,000 or 2% of the company's worldwide turnover (s. 90.12). In the event of a repeat offence, the fine will be doubled (s. 92.1). In addition, when a confidentiality incident occurs within a company, the CAI may order it to take measures to protect the rights of affected individuals, after allowing the company to make observations (s. 81.3). Secondly, new criminal offences are added to the Private Sector Act, which may also lead to the imposition of severe fines. For offending companies, such fines can reach up to $25,000,000 or 4% of their worldwide turnover (s. 91). Finally, Bill 64 creates a new private right of action. Essentially, it provides that when an unlawful infringement of a right conferred by the Private Sector Act or by articles 35 to 40 of the Civil Code of Québec results in prejudice and the infringement is intentional or the result of gross negligence, the courts may award punitive damages of at least $1,000 (s. 93.1). 5. Coming into force The amendments made by Bill 64 will come into force in several stages. Most of the new provisions of the Private Sector Act will come into force two years after the date of assent, which was granted on September 22, 2021. However, some specific provisions will take effect one year after that date, including: The requirement for businesses to designate a Chief Privacy Officer (s. 3.1); The obligation to report privacy incidents (s. 3.5 to 3.8); The exception for disclosure of personal information in the course of a commercial transaction (s. 18.4); and The exception to disclosure of personal information for study or research purposes (s. 21 to 21.0.2). Finally, the provision enshrining the right to portability of personal information (s. 27) will come into force three years after the date of official assent. The Lavery team would be more than pleased to answer any questions you may have regarding the upcoming changes and the potential impact of Bill 64 on your business. The information and comments contained in this document do not constitute legal advice. They are intended solely for the use of the reader, who assumes full responsibility for its content, for their own purposes.

On April 6, 2021, the Court of Appeal, per Justice Mark Schrager, rendered an interesting decision in Bank of Nova Scotia c. Davidovit (2021 QCCA 551). The Bank of Nova Scotia (the “Bank”) had granted a commercial loan to a company, of which Aaron Davidovit (“Davidovit” or the “Surety”) was the principal, for the operation of a gym. Under a clause contained in the personal guarantee (suretyship) signed by Davidovit, he was to reimburse all costs and expenses incurred by the Bank to collect amounts owed to it by the principal debtor or Surety, including, but not limited to, legal fees on a solicitor/client basis (the “Clause”). The Bank was claiming $31,145.22 in extrajudicial fees and legal costs from Davidovit, while the amount claimed from the Surety in capital and interest amounted to $35,004.49. The trial judgment The trial judge, the Honourable Frédéric Bachand, concluded that the contract of suretyship was a contract of adhesion within the meaning of article 1379 of the Civil Code of Québec (the “C.C.Q.”) and agreed with Davidovit’s arguments that the Clause was invalid because it was excessively and unreasonably detrimental to the adhering party and contrary to the requirements of good faith, in violation of article 1437 C.C.Q. Justice Bachand emphasizes two main problems with the Clause: (i) it was unilateral, thus giving a disproportionate advantage to the Bank while the Surety did not benefit from such an advantage; (ii) it could restrict access to justice in that it could deter the Surety (who was already vulnerable vis-a-vis his opponent) from contesting the Bank’s claim, the Clause thus doing little to promote the rule of law.  Appeal decision The Court of Appeal reversed Justice Bachand’s judgment on the invalidity of the Clause, but confirmed Davidovit’s personal condemnation as Surety. Firstly, the Court of Appeal pointed out that a unilateral clause is not in itself abusive. All of a borrower’s obligations under a loan agreement or a surety’s obligations under a contract of suretyship are unilateral, but that this fact alone cannot determine whether a clause is abusive. The logic applied by the trial judge would lead to the conclusion that the repayment of a balance due at the end of a loan is abusive, because it is unilateral. Secondly, the fact that one party finds itself at a disadvantage is also not reason to conclude that a clause is abusive. Section 23 of the Quebec Charter of Human Rights and Freedoms, raised by Justice Bachand in dealing with equality of arms in a judicial process, did not apply in this case, despite the fact that a bank may appear to have more means to initiate legal proceedings than a surety does. Thirdly, just because the law provides for a monetary sanction, such as payment of legal fees or other damages (e.g. in application of article 54 or 342 of the Code of Civil Procedure) for an abusive situation (e.g. a frivolous defence of a surety), this does not mean that contracting parties cannot agree to provide for such payment. The judges of the Court of Appeal held that, on the contrary, a clause for the reimbursement of extrajudicial costs and fees allows for legitimate claims to be pursued before the courts against principal debtors and sureties who refuse to pay. Justice Schrager also took the liberty of commenting on the trial judge’s conclusion regarding the qualification of the contract of suretyship as a contract of adhesion. However, considering that neither party questioned this qualification, the Court of Appeal did not formally rule on this aspect, but pointed out that the mere fact that the terms of a contract appear on a preprinted form does not necessarily mean that it constitutes a contract of adhesion, although a preprinted form may be an indication that the terms imposed are not negotiable. The reasonableness of the amount claimed under the Clause Although valid, the Clause must still be subject to control by the courts to ensure that the amount claimed for extrajudicial costs and fees is not abusive and is claimed in good faith. The Court found that the reimbursement of more than $31,000 in legal fees where the principal claim amounts to just over $35,000 is unreasonable and disproportionate. Given 1) the complexity of the case, 2) the amount of the claim against the Surety, 3) that the burden of demonstrating the reasonableness of the costs was on the Bank, 4) that claims for reimbursement of extrajudicial costs and fees must be exercised reasonably and in good faith (in accordance with articles, 6, 7 and 1375 C.C.Q.), the Court of Appeal reduced the claim and arbitrarily established it at $12,000. Conclusion Clauses for the reimbursement of extrajudicial fees have a certain acceptability in society, particularly in the commercial sphere. Even in a contract of adhesion, they are not necessarily abusive and invalid, but their application is subject to control by the courts so that they are exercised reasonably and in good faith.

On March 26, 2021, the Superior Court rendered a decision dismissing a class action against the Investment Industry Regulatory Organization of Canada (“IIROC”) on the loss of personal information of thousands of Canadian investors.1 The lack of evidence of compensable injury and IIROC’s diligent behaviour are the main reasons for the dismissal of the class action. The Facts On February 22, 2013, an inspector working for IIROC forgot his laptop computer in a public place. The computer, which contained the personal information of approximately 50,000 Canadians, was never found. The information had originally been collected by various securities brokers who were under inspection by IIROC. Mr. Lamoureux, whose personal information was on the computer, brought a class action on behalf of all persons whose personal information was lost in the incident. He claimed compensatory damages for the stress, anxiety and worries associated with the loss of personal information, as well as compensation for the injury associated with the identity theft or attempted identity theft of members. He also claimed punitive damages for unlawful and intentional infringement of the right to privacy protected by the Quebec Charter of Human Rights and Freedoms. On this point, the members claimed that IIROC had been reckless and had delayed in notifying affected persons and brokers, as well as relevant authorities. Decision The class action is dismissed in its entirety. Compensatory damages The Superior Court started by acknowledging IIROC’s admission that it was at fault for the loss of the computer, and that the computer was not encrypted as it should have been to comply with IIROC policies. With respect to compensatory damages, the Court reiterated the principle according to which the existence of fault does not presume the existence of injury; each case must be analyzed on the basis of the evidence.2 In this case, the injury alleged by the members can be summarized as follows: They suffered worry, anger, stress and anxiety about the incident. They were forced to monitor their financial accounts, and in particular their credit cards and bank accounts. They were inconvenienced and wasted time in having to deal with credit agencies and ensuring that their personal information was protected. They felt shame and suffered delays caused by identity checks on their credit applications attributable to flags on their files. In its analysis, the Court held that, apart from the fact that the members were generally troubled by the loss of their personal information, there was no evidence of any particular and significant difficulties related to their mental state. Relying on Mustapha v. Culligan of Canada Ltd.,3 the Court reiterated that “the law does not recognize upset, disgust, anxiety, agitation or other mental states that fall short of injury.” If the injury is not serious and prolonged, and is limited to ordinary discomforts and fears that are inherent to life in society, it does not constitute compensable injury. In this case, the Court found that the negative feelings experienced as a result of the loss of personal information did not rise above the level of ordinary discomforts, anxieties and fears that people living in society routinely accept. Having to monitor one’s personal accounts more closely does not qualify as a compensable injury, as the courts equate this practice with that of [translation] “a reasonable person who protects their assets.”4 The Court also considered the fact that IIROC provided members with free credit monitoring and protection services. It thus concluded that, in this respect, there was no injury to compensate. Finally, the experts who were mandated to analyze the circumstances and wrongful use of the investors’ personal information found that there was no clear indication of wrongful use of the information by a person or group of persons, although evidence of wrongful use of personal information is not necessary to assert a claim. Punitive damages The plaintiff, on behalf of the members of the class action, also sought punitive damages on the grounds that IIROC had been reckless in its handling of the incident. To analyze IIROC’s diligence, the Court noted the following facts.  IIROC launched an internal investigation in the week that followed that of February 22, 2013, the date on which the computer was lost. On March 4, 2013, the investigation revealed that the computer likely contained the personal information of thousands of Canadians. IIROC filed a police report. On March 6, 2013, it mandated Deloitte to identify what personal information was lost and who were the affected persons and brokerage firms, and to help it manage the risks and obligations associated with the loss of the personal information. On March 22, 2013, Deloitte informed IIROC that the computer contained “highly sensitive” and “increased sensitivity” information about thousands of Canadian investors. On March 27, 2013, IIROC notified the Commission d’accès à l’information du Québec and the Office of the Privacy Commissioner of Canada. On April 8 and 9, 2013, IIROC met with representatives of the affected brokerage firms, and simultaneously mandated credit agencies to implement safeguards for investors and brokerage firms. IIROC also set up a bilingual call center, issued a press release about the loss of the computer and sent a letter to affected investors. The Court also accepted expert evidence according to which IIROC’s response was consistent with industry best practices, and that the measures put in place were appropriate in the circumstances and consistent with other responses to similar incidents. In light of the evidence, the Court concluded that the loss of the unencrypted laptop computer and the resulting violation of the right to privacy were isolated and unintentional. It therefore dismissed the claim for punitive damages. The outcome is that IIROC was not reckless: it rather acted in a timely manner. Comments This decision introduces a basis for analyzing the diligent conduct of a company should the personal information that it holds be compromised, and confirms that a prompt and diligent response to a security incident can safeguard against a civil suit. It also confirms that the mere loss of personal information, no matter how sensitive, is not in itself sufficient to justify financial compensation, and that it must be proven that injury was suffered. Furthermore, ordinary annoyances and temporary inconveniences do not constitute compensable injury, and monitoring financial accounts is not exceptional, but is rather considered the standard practice expected of a reasonable person protecting their assets. At the time of writing this bulletin, the time limit for appeal has not expired and the plaintiff has not announced whether he intends to appeal the judgment. Lamoureux v. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2021 QCCS 1093. Sofio v. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2014 QCCS 4061, paras. 21 and 22. Mustapha v. Culligan of Canada Ltd., 2008 SCC 27 [2008] 2 SCR 114. Lamoureux v. Organisme canadien de réglementation du commerce des valeurs mobilières, 2021 QCCS 1093, para. 73.