Key differences between the new federal and Quebec privacy bills

  • January 13, 2021
  • François Joli-Cœur

In June 2020, Québec became the first Canadian province to propose a major privacy reform when the government introduced Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, which modifies Québec’s private and public-sector privacy statutes. The Canadian government followed on November 17 with the introduction of Bill C-11, An Act to Enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts. Bill C-11 would modernize the federal private-sector privacy regime by replacing the privacy provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) with the Consumer Privacy Protection Act (CPPA).

The two bills are long and complex pieces of legislation and this article is not a comprehensive review.1 Rather, it highlights certain key differences between the proposed CPPA and Bill 64’s proposed amendments to Québec’s Act Respecting the Protection of Personal Information in the Private Sector (ARPPIPS), focusing on the following topics: the enforcement regime, cross-border transfer restrictions, consent and individual rights.

Enforcement: A different approach to penalties and private right of action

Risks of non-compliance would increase significantly as both bills introduce large penalties: $10,000,000 or, if greater, the amount corresponding to a percentage of the organization’s global gross revenues in its previous year: 3% for Bill C-11 and 2% for Bill 64 (CPPA, s. 94 and proposed ARPPIPS, s. 90.12). The most egregious violations would constitute an offence punishable with higher fines in the case of conviction (CPPA, s. 125 and proposed ARPPIPS, s. 91).

However, the process for imposing these fines differs. Like the European General Data Protection Regulation (GDPR), Québec’s Bill 64 would give the Commission d’accès à l’information (CAI) the ability to directly impose administrative monetary penalties (s. 90.2). Bill C-11 does not empower the Office of the Privacy Commissioner of Canada (OPC) to impose penalties directly. It would only be able to recommend that the newly created Personal Information and Data Protection Tribunal (Tribunal) impose penalties (s. 93). Further, organizations would have a due diligence defence under the federal statute (s. 94(3)), not under Bill 64.

Both bills provide for a new private right of action (PRA). The Québec bill would allow individuals to seek compensation for the unlawful infringement of a right conferred by the statute or the privacy articles of the Civil Code of Québec (s. 93.1). The PRA is not as broad under Bill C-11. Any individual (not only the complainant) affected by a CPPA contravention would have a cause of action against the organization, but only if: (i) the OPC or the Tribunal finds that the organization has contravened the CPPA, or (ii) the organization is found guilty of an offence (s. 106). Despite its narrower scope, Bill C-11’s PRA could lead to a spike in class actions, especially in provinces that do not have a statutory or common law privacy tort. We can expect organizations to seek appeals and judicial reviews when the OPC or Tribunal concludes that a contravention has occurred, in order to avoid or delay private claims, including class actions.

Cross-border transfers

Restrictions on cross-border transfers of personal information can cause significant challenges for businesses. Bill 64 and Bill C-11 regulate these transfers in radically different manners.

Bill 64 seems to take inspiration from the GDPR. It requires organizations to perform a privacy impact assessment (PIA) prior to transferring personal information outside of Québec to assess whether the information will receive a level of protection equivalent to the one granted under Québec law (s. 17). The PIA would have to take into account the sensitivity of the information and the purposes for which it will be used and the protection measures that would apply. Perhaps more importantly, it would also need to consider “the legal framework applicable in the State in which the information would be communicated, including the legal framework’s degree of equivalency with the personal information protection principles applicable in Québec.” If, following this PIA, the organization concludes that the foreign legislation is not equivalent, it must not communicate the personal information. The bill also requires the government to publish a list of States whose legal framework governing personal information is equivalent to the Québec framework (s. 17.1). Many stakeholders have criticized this provision during the consultation hearings, since it would create a great burden on businesses operating in Québec.

Bill C-11 takes a much more liberal approach: organizations would only have a transparency obligation. They would need to make available details as to whether or not the organization carries on any international or interprovincial transfer or disclosure of personal information, but only to the extent such transfer or disclosure may have reasonably foreseeable privacy implications (s. 62(2)(d)). It is not clear at this stage how the “foreseeable privacy implications” concept translates in practice.

Consent

Despite calls to draw inspiration from the GDPR and adopt alternative legal bases, consent remains at the centre of both proposals. The two bills aim to reinforce consent and make it more meaningful. For instance, under the CPPA, an organization would have to provide specific information in plain language in order to obtain valid consent (s. 15(3)). The Québec bill requires that consent be given for specific purposes and requested for each purpose, in clear and simple language and separately from any other information provided to the person concerned (s. 14).

A major difference between the two bills is CPPA’s new exception allowing organizations to collect and use personal information without consent for specified “legitimate business activities” (e.g., activities necessary to provide a product or necessary for the organization’s information, system or network security). The exception would apply if a reasonable person would expect such a collection or use for the specified business activity, and if the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions (s. 18). Organizations have welcomed this proposal to grant them more flexibility for routine commercial activities that involve fewer privacy risks for individuals.

Individual rights

PIPEDA and the ARPPIPS currently grant individuals a right to access and right of rectification. Globally, recent privacy laws have introduced new rights and the new bills follow this trend:

  • Right to disposal/right to de-indexation. The CPPA includes a “right to disposal” under which individuals will be able to request that organizations permanently delete their personal information, subject to certain exceptions (s. 55). This right does not appear to encompass a right to de-indexation or right to be forgotten, as opposed to Bill 64 (s. 28.1).
  • Right to mobility/data portability. Bill 64 includes a new right that echoes the GDPR’s right to “data portability”: individuals would have the right to request that organizations provide them with computerized personal information in a structured, commonly used technological format and ask for its communication to any person or body authorized by law to collect it (s. 27). In comparison, the CPPA would only grant a limited “right to mobility”, allowing individuals to request that an organization transfer their personal information to another organization, if both organizations are subject to a data mobility framework provided under the regulations (s. 72).
  • Automated decision-making. The CPPA would grant individuals a new right to receive an explanation about the use of an automated decision system to make a prediction, recommendation or decision about them and of how personal information was used to that effect (s. 63(3)). Bill 64 introduces a slightly broader right with respect to automatic decision-making: in addition to requesting information, individuals would have an opportunity to submit observations to a member of the personnel of the organization who is in a position to review the decision made by automated means (s. 12.1).

The bills are likely to evolve before they reach their final form, but organizations are already thinking about how to adapt their practices, policies and procedures. What stands out is that organizations that operate nationally will face greater risks in Québec in the case of non-compliance and will need to operationalize more complex requirements.


François Joli-Coeur is a Senior Associate in Borden Ladner Gervais LLP’s Privacy and Data Protection Group. He primarily advises international and domestic clients on compliance and risk issues pertaining to privacy and anti-spam legislation, cybersecurity and data breach management. He also advises clients on information technology, telecommunications and consumer protection law, and is the author of many publications and a frequent speaker at conferences on privacy law.

End notes

1 For a more comprehensive analysis of both bills, see summaries prepared by the BLG privacy team: Canada’s Consumer Privacy Protection Act: Impact for businesses and Proposed amendments to Québec privacy law: Impact for businesses.