Questions and answers – Bill 64

Appearance before the National Assembly of Quebec by the Privacy Commissioner of Canada

September 24, 2020

The following questions and answers provide additional information related to advice provided by Privacy Commissioner Daniel Therrien during his appearance before the Committee on Institutions of the National Assembly of Quebec regarding Bill 64, An Act to modernize legislative provisions as regards the protection of personal information.
Privacy as a Human Right: Applicable Legal Framework

  • Privacy is recognized as a human right in Quebec law. The right to privacy is protected by the Charter of human rights and freedoms, in section 5 amongst others, and a chapter of the Civil Code of Québec is devoted to it (articles 35 to 41).
  • The legislation amended by Bill 64 implements the rights guaranteed by the Charter of human rights and freedoms and by the Civil Code of Québec, which both have quasi-constitutional status.
  • The right to privacy is also protected by section 8 of the Canadian Charter of Rights and Freedoms, particularly in relation to unreasonable searches and seizures by the state. The Supreme Court has recognized that privacy is a fundamental value and that the legislation protecting personal information in the public and private sectors has quasi-constitutional status.
  • In Europe, the right to privacy is set out in the European Convention on Human Rights, the Treaty on the Functioning of the European Union and the Charter of Fundamental Rights of the European Union. The General Data Protection Regulation (GDPR) makes explicit reference to these documents and is designed to protect fundamental rights.

Consent Provisions

  • There are limits to consent, especially in the digital age.
  • That being said, there is still a role for consent in the law. Enhanced consent requirements in Bill 64 will help to ensure more informed consent is obtained from individuals.
  • Under both Quebec’s private and public sector acts [Footnote 1], consent must be:
    • free and informed;
    • given for specific purposes;
    • requested for each such purpose in clear and simple language and requested separately from any other information;
    • not obtained from individuals under 14; and
    • express when it concerns sensitive personal information. [Footnote 2]
  • Pursuant to Bill 64, anyone collecting personal information [Footnote 3] must also inform the person from whom the information is collected of:
    • the person’s right to withdraw consent [Footnote 4] (private sector only);
    • if applicable, the name of the third party for whom the information is being collected and the possibility the information could be shared outside Quebec;
    • on request, the personal information collected from the person, the categories of people who will have access to the information within the company, the duration of time the information will be retained, and the contact information for the person in charge of the protection of personal information;
    • whether the request is mandatory or optional [Footnote 5] (public sector only); and
    • the consequences of refusing to respond to the request, or of withdrawing consent [Footnote 6] pursuant to an optional request (public sector only).
  • In our Guidelines for Obtaining Meaningful Consent, we specify that individuals should be informed of:
    • what personal information is being collected;
    • with which parties personal information is being shared;
    • for what purposes personal information is collected, used or disclosed; and
    • the risk of harm and other consequences (the requirement of notification of transfers outside of Quebec falls under this category).
  • We also recommend that consent be obtained from parents or guardians for minors under the age of 13.

Sensitive information

  • Under Bill 64, both the private and public sector Acts will be amended to state that when consent is sought, express consent is required for sensitive personal information. [Footnote 7]
  • Personal information is sensitive if, due to its nature or the context of its use or disclosure, it entails a high level of reasonable expectation of privacy. [Footnote 8]
  • A contextual approach is entirely appropriate.
  • Although the Personal Information Protection and Electronic Documents Act (PIPEDA) also takes a contextual approach, it references two specific examples: medical records and income records.
  • This has two implications: consent should generally be express, and safeguards must be appropriate to the sensitivity of the information. [Footnote 9]
  • Article 9 of the GDPR [Footnote 10] prohibits processing of “special categories” of personal information unless specific conditions are met, for example, explicit consent, legal obligations and public interest. The categories include:
    • personal data revealing racial or ethnic origin, sexual orientation, political views, religious or philosophical beliefs, or union membership;
    • genetic data;
    • biometric data processed for the purpose of uniquely identifying a natural person; and
    • health data.

Exceptions to Consent

Consistent Use

  • Consent has its limits. Privacy protection cannot rely solely on consent.
  • We support adopting exceptions that allow information to be used in the public interest or for legitimate business purposes, provided that fundamental rights are respected.
  • The notion of consistent use can be viewed as a form of balance between privacy and other legitimate interests. However, this notion could be interpreted very broadly and give rise to all sorts of uses that may not necessarily respect rights.
  • There is a similar “consistent use” provision in the federal Privacy Act, but it does not include the limits provided for in Bill 64 (direct and relevant connection). [Footnote 11]
    • Some government departments have interpreted the provision to mean anything related to the administration of their enabling legislation (e.g., the Income Tax Act for the Canada Revenue Agency).
  • For a purpose to be considered consistent, QC’s public sector act already requires that there be a “direct and relevant connection”. Bill 64 extends this requirement to the private sector.
    • While this clarification is useful, the provision does not require that the potential impact on privacy be considered. This should be explicitly required in the law, as is the case for the exception to consent to disclose information for study, research or statistical purposes. Adding such a condition is very important, in our view.
  • Regarding QC’s private sector act, Bill 64 states that “the search for commercial clients or philanthropic donors may not be considered a consistent purpose.” [Footnote 12]

For the Benefit of the Person

  • Bill 64 includes an exception to consent when the use is clearly for the benefit of the person concerned. [Footnote 13]
  • We support such a provision. It is analogous to:
    • subparagraph 8(2)(m)(ii) of the Privacy Act — personal information may be disclosed for any purpose where, in the opinion of the head of the institution, disclosure would clearly benefit the individual to whom the information relates;
    • paragraph 7(1)(a) of PIPEDA — an organization may collect personal information without the knowledge or consent of the individual only if the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way; and
    • Article 6.1(d) of the GDPR — processing is lawful if it is necessary in order to protect the vital interests of the data subject or of another natural person. [Footnote 14]

Research/Statistical Use

  • There are two exceptions in Bill 64 dealing with research and statistical use:
    1. Personal information can be used within the institution/enterprise without the consent of the person concerned if its use is necessary for study or research purposes or for the production of statistics and if the information is de-identified. [Footnote 15]
    2. Personal information can be disclosed without the consent of the persons concerned to a person or body wishing to use the information for study or research purposes or for the production of statistics, subject to additional requirements (further details below). [Footnote 16]

Internal Use of De-identified Information

  • We support the provision allowing for internal use of de-identified information for study, research or statistical purposes. However, the definition of “de-identified information” is overly broad and should be amended, in our view. (See answer regarding de-identified and anonymized information)
  • Importantly, the Bill provides that anyone who identifies or attempts to identify a person using de-identified information without the authorization of the person holding the information commits an offence and is liable to a fine of up to $50,000 (in the case of a natural person) or up to $25 million or, if greater, the amount corresponding to 4% of worldwide turnover (all other cases). [Footnote 17]
  • In the context of PIPEDA reform, Innovation, Science and Economic Development Canada (ISED) proposes instituting a risk-based approach in which de-identified information could be defined and its use allowed in certain circumstances, while providing penalties for re-identification, in an attempt to address privacy concerns and enable innovation.

External Disclosure of Personal Information

  • We agree with the Commission d’accès à l’information (CAI) that this provision should be amended to limit its scope to research conducted in the public interest, and that procedural and governance conditions should be added.
  • Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) sets limits on allowable purposes and establishes a clear governance model: [Footnote 18]
    • Disclosure is permitted for the following purposes: (a) the management or allocation of resources; (b) the planning for the delivery of programs and services provided or funded by the Government of Ontario, including services provided or funded in whole or in part or directly or indirectly; and (c) the evaluation of those programs and services.
    • There are clear limits on the use and disclosure of personal information, requirements for safeguarding it, and other protective measures in the law.
    • The Ontario Commissioner has an oversight role, as well as specific order-making powers.
  • That being said, the regime under Bill 64 governing the disclosure of information for research purposes already includes some interesting guidelines, including the obligation under both QC’s public sector act and QC’s private sector act to conduct a privacy impact assessment (PIA) before disclosing the information.
  • More specifically, a PIA must conclude that [Footnote 19]:
    • the objective can be achieved only if the information is released in a manner allowing the persons concerned to be identified;
    • it is unreasonable to require the person or body to obtain the consent of the persons concerned;
    • the objective outweighs the impact of disclosing and using the information on the privacy of the persons concerned (implies a balancing test);
    • the personal information is used in such a manner as to ensure confidentiality; and
    • only the necessary information is disclosed.
  • In addition to the PIA, Bill 64 requires, under both Acts, that the researcher or research body (1) submit a request in writing explaining the purpose of the study, research or production of statistics; and (2) submit an agreement to the CAI that covers, among other things, access restrictions, purpose limitations, retention, destruction, and breach reporting.
  • There is no obligation for the CAI to review or approve the agreement.
  • Current research provisions in federal law include:
    • Paragraph 8(2)(j) of the Privacy Act - personal information under the control of a government institution may be disclosed without consent to any person or body for research or statistical purposes if the head of the government institution:
      • is satisfied that the purpose for which the information is disclosed cannot reasonably be accomplished unless the information is provided in a form that would identify the individual to whom it relates; and
      • obtains from the person or body a written undertaking that no subsequent disclosure of the information will be made in a form that could reasonably be expected to identify the individual to whom it relates.
    • Paragraphs 7(2)(c) and 7(3)(f) of PIPEDA - an organization may use and disclose personal information without the knowledge or consent of the individual only if the use is for statistical, or scholarly study or research, purposes that cannot be achieved without using the information; the information is used in a manner that will ensure its confidentiality; it is impracticable to obtain consent; and the organization informs the Commissioner of the use before the information is used.
  • In our Report on obtaining meaningful consent, we recommended a new exception to consent to allow for socially beneficial uses of information (not limited to study, research or statistical use). Such exceptions would need to be limited to circumstances where the societal benefits clearly outweigh the privacy incursions and where several prior conditions must be met. These could include an organization having to demonstrate on request that:
    • it is necessary to use the personal information;
    • it is impracticable to obtain consent;
    • pseudonymized data will be used to the extent possible;
    • societal benefits clearly outweigh any privacy incursions;
    • a PIA was conducted in advance;
    • the organization has notified the Office of the Privacy Commissioner (OPC) in advance;
    • the organization has issued a public notice describing its practices; and
    • individuals retain the right to object.

Service Providers

  • This provision sets clear requirements for service providers (“the agent or the person performing the contract”) to safeguard information and outlines the responsibilities of service providers.
  • From the outset, companies have welcomed this clarification of expectations regarding the use of service providers or agents.
  • According to Bill 64, a person may, without the consent of the person concerned, communicate personal information to a service provider if this communication is necessary for the exercise of a mandate or the execution of a contract. The Bill [Footnote 20] requires that outsourcing arrangements be subject to a written agreement entered into by the organization and the service provider, which must provide:
    • a description of the measures taken by the service provider to ensure the confidentiality of the personal information (e.g. security safeguards);
    • an obligation for the service provider to use the information only for the purposes of rendering the services and not keep such information after the expiry of the contract; and
    • an obligation for the service provider to notify the privacy officer without delay of any actual or attempted violation of the confidentiality of the disclosed information and to allow the person in charge of personal information to conduct any verification relating to confidentiality requirements.
  • Note: Rules on transfers outside of Quebec would apply if the service provider is located outside of Quebec.

Business Transaction

  • We support this provision.
  • In practice it is difficult to obtain consent in these circumstances.
    • This provision is in line with the exception in other jurisdictions.
    • It is similar to the provisions in PIPEDA dealing with potential (s. 7.2(1)) and completed (s. 7.2(2)) business transactions.
    • There is an exception to consent related to commercial transactions [Footnote 21] — when there is a transfer of ownership of part or all of an enterprise.
    • An agreement must first be entered into in which the other party undertakes:
      • to use the information only for finalizing the commercial transaction;
      • to not disclose the information without the consent of the person concerned, unless authorized to do so by the Act;
      • to take the measures required to protect the confidentiality of the information; and
      • to destroy the information if the commercial transaction is not completed or if using the information is no longer necessary for finalizing the commercial transaction. [Footnote 22]
  • Where the transaction has been completed and the other party wishes to continue using the information or to disclose it, that party may use or communicate it only in accordance with Quebec’s private sector act. Within a reasonable time after the commercial transaction is concluded, that party must notify the person concerned that it now holds personal information concerning them because of the transaction. [Footnote 23]

Compatibility with the GDPR

  • Quebec’s Bill 64 introduces several new exceptions to consent. Although the Quebec bill seems to follow the GDPR in many respects, such is not the case for all the new exceptions to consent.
  • Bill 64 continues the existing orientation of Quebec’s consent-based law, in which the use or disclosure of information is prohibited unless the person concerned has consented to it.
  • The Bill adds a certain number of exceptions to consent to those currently in force but does not introduce any legal grounds for data processing like those found in the GDPR, nor does it appear to try to reflect the GDPR’s legal grounds.
  • In fact, a new exception to consent for commercial transactions appears to be more in line with existing measures in Canadian legislation. The requirements proposed under this provision closely mirror those in the private sector legislation of British Columbia and Alberta and in PIPEDA.
  • Clearly, the exception to consent in Bill 64 applying to consistent uses and uses for study or research purposes or for the production of statistics would operate in a similar manner to a provision of the GDPR which prohibits further processing of data that is inconsistent with the originally identified purposes.
  • The GDPR states that further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should not be considered incompatible.
  • In addition, the exceptions for the use or disclosure of information without consent for study or research purposes or for the production of statistics could in certain cases support the public interest.
  • As to whether the new exceptions in Bill 64 meet the GDPR’s requirements related to the legal bases for processing of personal data, in particular the requirement of a legitimate interest or a “task carried out in the public interest”, this would be determined on a case-by-case basis.

Is Bill 64 Stricter Than the GDPR?

  • A number of stakeholders have cautioned you against adopting legislation that would be more restrictive than the GDPR or other legislation in our economic zone.
  • In this regard, my suggestion would be to not be afraid to use the GDPR as a source of inspiration, but to avoid going further unless you consider it necessary (since the GDPR is not perfect).
  • Here are some areas where Bill 64 would be stricter than the GDPR:
    • Cross-border data flows: It is a good idea to ask businesses to use PIAs to assess impacts on privacy, but the bill is less flexible than the GDPR in that it does not establish any mechanisms for authorizing transfers, such as model contract clauses, codes of conduct and binding corporate rules.
    • Obligation to conduct a PIA: The GDPR limits this obligation to the processing of data that could create significant risks to rights and freedoms.
    • Automated decision-making: In the GDPR, the right not to be subject to an automated decision is limited to decisions “which [produce] legal effects” or affect the individual “significantly”. In addition, this right does not apply in certain situations, for example, where the decision is necessary for the performance of a contract.
    • In this respect, Bill 64 applies to all decisions based solely on automated processing, without exception, but only provides a right to transparency, rather than a right to object.
  • Here are some areas where you might want to adopt stricter rules than those in the GDPR:
    • Confidentiality by default: Section 9.1 of QC’s private sector act requires businesses to ensure by default that the parameters of their products or services provide the highest level of confidentiality, without any involvement by the person concerned. The GDPR requires taking “appropriate measures” to implement data protection principles in a contextual manner.

De-identified vs Anonymized Information

  • Bill 64 provides that personal information is de-identified if it no longer allows the person concerned to be directly identified. [Footnote 24]
  • Personal information is anonymized if it irreversibly no longer allows the person to be identified directly or indirectly. [Footnote 25]
  • The Bill allows for the internal use of personal information without consent if its use is necessary for study or research purposes or for the production of statistics and the information is de-identified. [Footnote 26]
  • Anonymization is offered as an alternative to destruction of personal information when the purposes for which the information was collected or used are achieved. [Footnote 27]
  • It is an offence to identify or attempt to identify a natural person using de-identified information without the authorization of the person or public body holding the information, or using anonymized information, subject to fines of varying magnitude depending on the sector. [Footnote 28]
  • Given that de-identified information can always be re-identified, within a range of probability, privacy law should continue to apply to it, while providing increased flexibility for its use through exceptions. Bill 64 does this, while offering protection through increased enforcement power for the CAI, and meaningful fines for re-identification or use of anonymized information.
  • That being said, we recommend that the definition be amended to take into account:
    • the fact that information can be combined with other information to identify an individual, which should be taken into consideration in assessing whether the information allows an individual to be directly identified; and
    • a requirement for bodies to take measures to maintain silos between de-identified information and the information that would allow it to be associated with a specific individual.
  • On the other hand, whether true anonymization is possible, particularly in a big data environment, has been called into question.
    • ISED in its PIPEDA white paper: “The idea that the anonymization of information, which would render such information outside the scope of privacy legislation, is practically attainable, is unlikely.”
  • We recommend against anonymization as an alternative to destruction. Requiring that information be destroyed after the purposes for which it was collected or used have been fulfilled effectively removes the risk of potential long-term inappropriate use of the information.

Demonstrable Accountability

  • In terms of accountability, the Bill requires the person exercising the “highest authority” within the public body or enterprise to ensure implementation and compliance with the law. All or part of these functions may be delegated.
  • The public body or enterprise must also develop and implement governance rules, policies, and procedures regarding personal information and have them published on its website. [Footnote 29]
  • The Bill also provides that this accountability must be demonstrable:
    • The Bill provides the CAI with authority to demand any information or documents to verify compliance with the Act or the regulations (with no threshold). Specifically, it gives the CAI the ability to request information “to verify compliance” with the Act from any person, whether subject to the Act or not. [Footnote 30]
    • As well, both the public [Footnote 31] and private [Footnote 32] sectors are required to conduct PIAs of any information system project or electronic service delivery project involving the collection, use, disclosure, retention or destruction of personal information.

Order-Making Powers

  • The CAI currently has order-making powers under both Quebec’s public sector act and QC’s private sector act. [Footnote 33]
  • With respect to mandatory breach notification obligations under Bill 64, the CAI may also order any person, after giving them the opportunity to submit observations, to take any measure to protect the rights of the persons concerned that are granted by the Acts. [Footnote 34]

Administrative Monetary Penalties

  • The regime proposed by Bill 64 provides for meaningful administrative monetary penalties (AMPs) but also contains provisions to ensure fairness:
    • The CAI must publish a framework for the application of AMPs.
    • The decision to impose an AMP must be guided by criteria set out in the law, including the seriousness of the failure to comply with the law, sensitivity of the information, number of people affected, etc.
    • The CAI must notify the organization of the non-compliance in advance of issuing an AMP, and the organization may submit observations.
    • The organization may apply to the CAI for a review of the decision.
    • There is a right to contest the CAI’s decision before the Court of Quebec.

Penal Provisions

  • Bill 64 replaces QC’s private sector act’s current penal provisions to include the following: [Footnote 35]

    91. Anyone who

    (1) collects, holds, communicates to third persons or uses personal information in contravention of this Act,

    (2) fails to report, where required to do so, a confidentiality incident to the Commission or to the persons concerned,

    (3) identifies or attempts to identify a natural person using de-identified information without the authorization of the person holding the information or using anonymized information,

    (4) is a personal information agent and contravenes any of sections 70, 70.1, 71, 72, 78, 79 and 79.1,

    (5) impedes the progress of an inquiry or inspection of the Commission or the hearing of an application by the Commission by providing it with false or inaccurate information, by omitting to provide information it requires or otherwise,

    (6) contravenes section 81.1,

    (7) refuses or neglects to comply, within the specified time, with a demand made under section 81.2, or

    (8) fails to comply with an order of the Commission

    commits an offence and is liable to a fine of $5,000 to $50,000 in the case of a natural person and, in all other cases, of $15,000 to $25,000,000, or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year.

  • The Bill replaces sections 158 to 162 of QC’s public sector act to include the following: [Footnote 36]

    158. Anyone who

    (1) denies or impedes access to a document or information that is accessible by law, in particular by destroying, modifying or concealing the document or by unduly delaying its release,

    (2) grants access to a document to which the law does not allow access or to which a public body refuses access in accordance with the law,

    (3) informs a person of the existence of information he does not have the right to be informed of under the law,

    (4) hinders the person in charge of access to documents or the protection of personal information in the performance of his functions,

    (5) collects or uses personal information in contravention of the law,

    (6) fails to report, where required to do so, a confidentiality incident to the Commission or to the persons concerned, or

    (7) fails to comply with the conditions set out in an agreement entered into under section 67.2.3

    commits an offence and is liable to a fine of $1,000 to $10,000 in the case of a natural person and of $3,000 to $30,000 in all other cases.

    159. Anyone who

    (1) releases personal information in contravention of the law,

    (2) identifies or attempts to identify a natural person using de-identified information without the authorization of the public body holding the information or using anonymized information,

    (3) impedes the progress of an inquiry or inspection of the Commission or the hearing of an application by the Commission by providing it with false or inaccurate information, by omitting to provide information it requires or otherwise,

    (4) refuses or neglects to comply, within the prescribed time, with a demand sent under section 127.1, or

    (5) fails to comply with an order of the Commission

    commits an offence and is liable to a fine of $5,000 to $50,000 in the case of a natural person and of $15,000 to $150,000 in all other cases.

Private Right of Action [Footnote 37]

  • It is important for individuals to have a right to seek relief from the courts for violations of the law.
  • Bill 64 creates a private right of action (PRA) for individuals (under QC’s private sector act) to be compensated for the unlawful infringement of a right conferred by the statute or the privacy articles of the Civil Code of Québec, unless the damage results from “superior force”. [Footnote 38]
  • The Bill also provides [Footnote 39] for the award of punitive damages of at least $1,000 where the infringement is intentional or results from a gross fault.
  • PIPEDA currently provides for a right for individuals to bring an organization to the Federal Court for damages but only following an OPC investigation and report of findings or notice of discontinuance.
  • The OPC has recommended that PIPEDA be amended to include a PRA.

Breach Reporting

Bill 64

  • It contains breach notification requirements [Footnote 40] similar to PIPEDA, under both acts.
  • It contains a requirement to notify the CAI and the affected individuals when a “confidentiality incident” presents a “risk of serious injury” to the individuals.
  • The “risk of serious injury” is assessed using factors similar to the real risk of significant harm (RROSH), namely: the sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes. [Footnote 41]
  • Similar to PIPEDA, businesses have to keep a register of confidentiality incidents, which they would be required to provide to the CAI upon request.
  • Notification covers the unauthorized use of personal information, whereas the common approach for breach notification requirements in Canada and globally (including under the GDPR and US state breach notification laws) is to focus on unauthorized access to, disclosure or loss of personal information. [Footnote 42]

PIPEDA

  • Breach notification has been mandatory since 2018.
  • 2019-2020 statistics:
    • Received 678 breach reports affecting an estimated 30 million records about Canadians (more than double the number received the previous year).
    • Three industry sectors accounted for 50% of all breach reports: 19% from the financial sector, 17% from telecommunications, and 14% from sales and retail.
    • Half of reports involved unauthorized access by malicious actors or insider threats, often as a result of employee snooping or social engineering hacks.
  • Organizations must report to the OPC breaches of security safeguards involving personal information under their control if it is reasonable in the circumstances to believe that the breach creates a RROSH to an individual.
    • The organization must also notify individuals of such breaches involving their personal information. [Footnote 43]
  • A breach of security safeguards is defined as follows: The loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in Principle 4.7 of Schedule 1 of PIPEDA, or from a failure to establish those safeguards.
  • RROSH factors: 1) sensitivity of the personal information involved in the breach, and 2) the probability that the personal information has been, is being, or will be misused.
  • Organizations must keep and maintain a register of every breach of security safeguards involving personal information under their control.

Privacy Act

  • Breach reporting in the federal public sector is not a legal requirement but an administrative policy. Public sector organizations must notify the OPC and TBS of breaches of security measures that could reasonably be expected to cause damage or serious harm.
  • In 2019-2020:
    • 341 breach reports were made to the OPC (up from 155 the year before).
  • We believe there is underreporting of privacy breaches:
    • Several large institutions, some of which hold significant volumes of personal information, sometimes of a highly sensitive nature, rarely or never report.
  • In the context of Privacy Act reform, we have requested that the public sector be subject to a regime similar to the private sector regime.

Specified Time Frame for Reporting Breaches

  • Bill 64 states that a public or private body must take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature. The Bill also mentions that if the incident presents a risk of serious injury, the body must promptly notify the CAI.
  • However, we believe that the new legislation should stipulate that the CAI should be notified, “as soon as possible after an incident occurs”. The reason is simple: speed is crucial for setting up, on an individual level, the appropriate protection measures following a breach of confidentiality.
  • PIPEDA states that these actions must be taken “as soon as feasible after the organization determines that the breach has occurred”. Notification is often a two-step process. First, a preliminary notice is received (we would expect within a few days), followed by a formal breach report (generally expected within two weeks).
  • The initial notification allows us the opportunity to share expectations with the agency to inform the breach report.
  • We currently receive reports later than would be desirable. 42% (148) of breaches reported under PIPEDA were received three months or more after the breach was detected. On the public sector side, 48% (50) of breaches were reported three months or longer after their detection.

    PIPEDA: Year-to-date we have received 355 reports. Of those:

    • 31% (109) were submitted in one month or less;
    • 27% (98) were submitted in one to three months;
    • 42% (148) took three months or more to submit.

    Privacy Act: Year-to-date we have received 106 reports. Of those:

    • 9% (10) were submitted in one month or less;
    • 43% (46) were submitted in one to three months;
    • 48% (50) took three months or longer to submit.

Automated Decision-Making

  • This is one of the topics that our consultation on artificial intelligence covered, and we continue to examine what specific rights would provide adequate privacy protection for individuals.
  • Automated decision-making can present significant privacy and human rights risks. Humans have unique characteristics that can be left out of computer-driven decisions, such as reason and empathy. Automated decisions based on personal data may leave individuals unsure about how decisions were arrived at, and could make mistakes that humans otherwise would not—some of which could result in real and significant impacts on individuals.
  • Bill 64Footnote 44 provides that organizations and public bodies using personal information to render a decision based exclusively on automated processing must inform the individual at the time of or before the decision. The person concerned also has the right to be informed of the following on request:
    • the personal information used to render the decision;
    • the reasons for the decision; and
    • their right to have the personal information used corrected.
  • In Quebec's private sector act, individuals must also have the opportunity to submit their observations to a member of the enterprise’s staff who is in a position to review the decision.Footnote 45
  • Bill 64 is unlike the GDPR, whose Article 22 prohibits “a decision based solely on automated processing” unless one of three exceptions applies, including where the decision is based on the individual’s explicit consent. Bill 64 does not contain a prohibition, but rather a notification requirement.Footnote 46
  • Bill 64 is similar to the GDPR in that it limits rights to where a decision is exclusively based on automated means, which ignores any lesser degree to which such systems may have played a role in the decision, and opens the risk that organizations may appoint a non-meaningful “human in the loop” to subvert this provision. This is an important gap that should be closed by removing the qualifier “exclusively” in defining rights for automated decision-making.
  • It is also unclear what an “opportunity to submit observations” means for individuals, as the language seems more ambiguous than the GDPR, where individuals have the right to express their point of view and to contest the decision to a human intervener. Defining this right with greater precision is recommended to allow individuals to contest decisions made about them through automation.
  • The Bill seems more similar to what the federal government proposes in the PIPEDA white paper: inform individuals about the use of automated decision-making, the factors involved, and, where the decision is impactful, information about the logic upon which the decision is based.

Profiling and Geolocation

  • Bill 64 requires enhanced transparency from anyone who collects personal information using technology that includes functions allowing the person concerned to be identified, located or profiled. In such cases the person must be informed of 1) the use of the technology; and 2) the means available, if any, to deactivate the functions that allow a person to be identified, located or profiled.Footnote 47
  • Profiling is defined as “the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests or behaviour”.Footnote 48
  • Profiling individuals and inferring their interests and behaviours, whether to make a decision about them or to predict what they will do, is an invasive form of processing personal information—given that the individual did not provide this information themselves. Additionally, precise location data can reveal a great deal about individuals and groups, and may be more sensitive and have a disproportionate impact on vulnerable populations and certain groups of individuals.
  • The definition of profiling should also include the creation of secondary information such as inferences and predictions, as these are key elements of profiling, particularly in the age of AI.
  • While the Bill provides an important step forward, it is limited to a duty of transparency. At the federal level, we have recommended that the use of racial profiles be prohibited where it violates human rights, including the right to equality. The recommendation of the Quebec Commission on Human Rights, which the Commissioner supported in his statement to the National Assembly committee studying Bill 64, would achieve a similar result.

Biometrics

  • Specific requirements pertaining to biometrics are currently in Quebec’s Act to establish a legal framework for information technology. It requires express consent to verify identity using biometric measurements, using only the minimum characteristics needed, and restricts decision-making about an individual using any other information revealed using the biometric characteristics.Footnote 49
  • It also requires that the creation of a database containing biometric characteristics be disclosed to the CAI beforehand.Footnote 50 Bill 64 seeks to amend this by requiring that such notification be made at least 60 days before the database is brought into service.Footnote 51
  • Under PIPEDA, biometrics are generally considered to be sensitive information, and express consent is required. While the OPC supports a contextual approach to sensitivity, some specific types of information are sensitive in the vast majority of contexts, and the Act to establish a legal framework for information technology makes this explicit, which provides increased clarity.

OPC Review of “COVID Alert” Application

  • In the May 2020 Joint Statement by Federal, Provincial and Territorial Privacy Commissioners on COVID-19 contact tracing applications, we clearly stated that we felt it important to issue a common statement to Canadians because these applications raise important privacy risks.
  • While applicable privacy laws must be observed, some of them do not provide an effective level of protection suited to the digital environment. This includes federal privacy legislation.
  • The Government of Canada asked for our advice on how to develop its COVID-19 exposure notification application (COVID Alert) to make it privacy-sensitive.
  • When we reviewed the application, the government accepted many of our recommendations, and we concluded that the application complied with all our recommended principles.
  • That being said, although the application is well designed and the government has agreed to submit its implementation to an independent review, the government was under no obligation to make these commitments.
  • The government has chosen to comply with the principles set out in our guidance documents, as public confidence is key to the application’s success. However, without robust legislation, other similar applications or programs that are not as sensitive to confidentiality issues could be introduced in the future.