A. When Quebec s data protection law is considered inadequate for Europe.

Transcription

1 P a g e 1 Privacy Interviews with Experts July 2014 Eloïse Gratton Co-Chair, Privacy Practice Group McMillan LLP Montreal, Quebec, Canada Q. When is adequacy never adequate? A. When Quebec s data protection law is considered inadequate for Europe. On June 4, 2014, the Article 29 Working Party (the Article 29WP ) released its Opinion 7/2014 in which it provides its recommendations to the European Commission ( EC ) on whether the relevant provisions of the Civil Code of Québec and the Quebec Act on the Protection of Personal Information in the Private Sector (the Quebec DPL ) ensure an adequate level of protection for international data transfers in accordance with the EU Data Protection Directive 95/46/EC (the Directive ). Under the Directive, strict conditions apply to personal data transfers to countries outside the European Economic Area that are not considered to provide an adequate level of data protection. In its Opinion, the Article 29WP recommends that the EC not adopt a decision on the adequacy of the Quebec DPL until certain improvements are made to the Quebec DPL. In light of this decision Nymity speaks with Eloïse Gratton, a partner and National Co-chair of the Privacy Practice Group at McMillan LLP based in Montreal. Eloïse advises clients from various industries on legal and privacy requirements of new projects, products, practices, programs and technologies, providing strategic national and international privacy and antispam compliance advice and assisting them in crisis management situations (privacy class action lawsuits, security breaches and privacy commissioners' investigations). Nymity: Are you surprised by this decision? Gratton: I am extremely surprised with this Opinion. The European Commission declared Canada s Personal Information Protection and Electronic Documents Act ( PIPEDA ) adequate in PIPEDA applies to federal works and to commercial activities in every Canadian province, unless the province has enacted legislation that is substantially similar 1 European Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council (notified under document number C(2001) 4539).

2 P a g e 2 to PIPEDA. The test as to whether or not a provincial statute is substantially similar resides with the Governor in Council, who takes recommendations from the Federal Privacy Commissioner via Industry Canada. Interestingly, Quebec was the first province to be deemed to have substantially similar legislation to PIPEDA. 2 Because the EC declared PIPEDA adequate and the Governor in Council declared the Quebec DPL substantially similar to PIPEDA, the operating assumption in advance of the Opinion was that the Quebec DPL was also adequate especially given that the Quebec DPL is probably the most stringent data protection law in Canada and provides stronger incentives for compliance. Nymity: How does the Quebec DPL provide for a stronger incentive for organizations to comply with the law? Gratton: PIPEDA works on an ombudsman model; this means that any complaints regarding compliance with PIPEDA must be filed with the Federal Commissioner of Canada, which may investigate, report and try to reach a satisfactory solution. However, it cannot issue binding orders. A party that is dissatisfied with the report of the Federal Commissioner may apply to the Federal Court, which has the power to issue binding orders and is not bound by the findings of the Federal Commissioner. Have the federal courts awarded any real damages since PIPEDA came into force? Since 2004, only a few decisions have been issued by the Federal Court, in which except for one case in 2013 in which the federal court awarded 20,000$ (Chitrakar v. Bell, which even included punitive damages) there have been either no damages or small amounts awarded in damages. Even Jennifer Stoddard, former Privacy Commissioner of Canada, recently stated: The days of soft recommendations with few consequences for non-compliance are no longer effective in a rapidly changing environment where privacy risks are on the rise. 3 She requested reforms that could include: instituting statutory damages (administered by the Federal Court); giving the Commissioner the power to issue orders; affording the Commissioner with the power to impose administrative monetary penalties; or a combination of the above. In Quebec, two specific types of penalties may apply for non-compliance with the Quebec DPL: an organization acting in contravention of the Quebec DPL is liable to a fine ranging from $1,000 to $50,000, and for subsequent offences, a fine ranging from $10,000 to $100, In addition, administrators, directors or representatives of an organization may be held personally liable for the payment of the fine if they ordered, authorized or consented to the illegal activity. 5 While there has been no trend to issue substantive fines following a breach of the Quebec DPL, the threat of significant fines and D&O liability may be enough to provide the incentive for businesses to comply with the Quebec DPL. Moreover, the risk of reputational damage in cases of breach is much more prominent in Quebec: while findings rendered under PIPEDA will very rarely name the organizations, the Quebec Data Protection Authority, the Commission d Accès à l Information du Québec (the CAI ) will not hesitate to name the defaulting organizations in its decisions. The presence of this risk further strengthens the incentive to comply with the Quebec DPL relative to PIPEDA. 2 Quebec s An Act Respecting the Protection of Personal Information in the Private Sector, CQLR c. P-39.1 [Quebec DPL], has been deemed substantially similar to PIPEDA as of December 11, Jennifer Stoddart, The case for reforming the Personal Information Protection and Electronic Documents Act, May Quebec DPL at s See Quebec DPL at s. 93.

3 P a g e 3 Nymity: How is Quebec DPL more stringent than PIPEDA? Gratton: The Quebec DPL is unquestionably more stringent. To give just a few examples, unlike PIPEDA, the Quebec DPL applies to an organization even if it does not carry on activities that are commercial in nature. The Quebec DPL may, for instance, apply to non-profit organizations, professionals, artisans or agricultural activities, since the definition of enterprise is interpreted very broadly. In addition, the Quebec DPL applies to and regulates the personal information of all employees, whereas PIPEDA only regulates the personal information of employees of federal works, such as banks, telcos, and so on. Unlike PIPEDA, the Quebec DPL does not recognize an implied form of consent (such as an opt-out mechanism) as valid consent. More specifically, s. 14 of the Quebec DPL provides that consent has to be manifest. While the definition of personal information found in the Quebec DPL ( information which relates to a natural person and allows that person to be identified ) is very similar to the definition given for the same term under PIPEDA ( information about an identifiable individual ), the effective scope of the definition of personal information under the Quebec DPL is broader than PIPEDA. For example, unlike PIPEDA, the definition given in the Quebec DPL does not expressly exclude business contact information from its ambit. 6 Also, in contrast with the IMS ruling under PIPEDA, 7 the Quebec CAI has determined that the work product of a professional (such as a pharmacist or a physician) should be considered personal information relating to that professional. 8 Furthermore, the Quebec DPL, unlike other Canadian private sector data protection statutes, does not include a specific exemption for personal information that may be otherwise publicly available. 9 Nymity: Is the Quebec DPL also more stringent than PIPEDA for cross-border transfers? Gratton: I believe so. The Article 29WP articulated the view that onward transfers should require the use of contractual or other binding provisions to ensure a comparable level of data protection. I don t believe that this is a Quebec issue. Cross-border information transfers are governed by PIPEDA through principle of Schedule 1, which recognizes that personal information may be transferred to third parties for processing. In such cases, PIPEDA requires organizations to use contractual or other means to "provide a comparable level of protection while the information is being processed by the third party. The Quebec DPL treats cross-border transfers directly at s. 17, which requires that if an organization communicates personal information outside Quebec, it must first take all reasonable steps to ensure that the personal information will not be used for purposes other than the purposes for which the information was collected or communicated to third parties without the consent of the person concerned and that if this requirement can t be met, then the transfer is prohibited. 10 While some have raised the possibility that this could mean an organization would need 6 See section 2 of PIPEDA. 7 See PIPEDA Case Summary # See the Superior Court s judgment in I.M.S. du Canada Ltée. v. CAI, J.E PIPEDA has Regulations Specifying Publicly Available Information, SOR/2001-7, which have been in force since 2001 and which exclude certain type of publicly available information. The Alberta and B.C. PIPAs have similar exclusions. 10 Quebec DPL, at s. 17.

4 P a g e 4 to evaluate foreign law in order to ensure that it provides the proper protections, 11 there is a consensus that this requirement usually translates at the very minimum into an obligation for the organization to execute a contract that includes the appropriate provisions necessary for the protection of such information prior to transferring personal information outside of Quebec. In addition, it should be noted that the potential fines are higher in case of non-compliance with s. 17 of the Quebec DPL (which regulates cross-border transfers) than those arising from breaches of other sections. While an organization is subject in case of a breach of the Quebec DPL to a fine ranging from $1,000 to $10,000, or for subsequent offences a fine ranging from $10,000 to $20,000, the fines in case of a breach of the cross-border restrictions of the Quebec DPL instead range from $5,000 to $50,000 and, for a subsequent offence, $10,000 to $100,000. This clearly illustrates how seriously the Quebec DPL takes the protection of personal information in cross-border transfers. Nymity: Are there any other requirements when transferring personal information outside of Quebec? Gratton: Yes, the Quebec DPL requires notification upon foreign transfer. While recent decisions of the federal Privacy Commissioner (under PIPEDA) indicate that individuals should be notified if their personal information will be transferred to and/or stored in a foreign country, although their consent is not required, 12 the Quebec DPL is the only Canadian data protection law which specifically requires that individuals be notified of the place where their personal information will be kept. 13 While this provision can be challenging for businesses that wish to go into the cloud, 14 it is yet another clear indication that Quebec has taken the protection of personal information in case of cross-border transfers seriously. Nymity: What is the issue when dealing with sensitive data? Gratton: The Article 29WP articulated the view that the security requirement under the Quebec DPL should be strengthened by defining the notion of sensitive information (because the level of security required under the Quebec DPL depends on the sensitivity of the information to be protected). 11 Karl DELWAIDE, A Review of Some of the Recent Amendments Brought To the Québec Act Respecting the protection of Personal Information in the Private Sector, November 2, 2006, at p. 2: More specifically, in connection with the recent amendment of s. 17, Delwaide states: The effect of this paragraph is not clear. [ ] The second interpretation, more restrictive, is to the effect that the foreign jurisdiction s laws must be examined in detail in order to verify if the statutory protection is sufficient in comparison with that provided by the Québec Private Sector Act before any transfer can be made. The author goes on to suggest that perhaps, the individual s consent would not even be sufficient to justify and legitimize a cross-border transfer of personal information to a foreign jurisdiction: Although it is certainly preferable to obtain such a consent (it is certainly better to have one than none), in light of previous decisions by the CAI, it is not clear that such a consent will allow an enterprise to go beyond and around the prohibition to transfer personal information outside Québec of Section 17 of the Quebec DPL. 12 Under PIPEDA, they need to be notified. See Outsourcing of canada.com services to U.S.-based firm raises questions for subscribers (19 Sept. 2008), PIPEDA case summary # ; Canadian-based company shares customer personal information with U.S. parent (19 July 2006), PIPEDA case summary # ; and Bank's notification to customers triggers PATRIOT Act concerns (19 October 2005), PIPEDA case summary # Quebec DPL, at s. 8 (3). 14 Eloïse Gratton, Dealing with Canadian and Quebec Legal Requirements in the Context of Trans-border Transfers of Personal Information and Cloud Computing Services, Développements récents en droit de l accès à l information et de la protection des renseignements personnels, Les 30 ans de la Commission d Accès à l Information, Volume 358, Éditions Yvon Blais, November 2012.

5 P a g e 5 First, security provisions in PIPEDA and the Quebec DPL are both extremely similar. 15 This being said, the Quebec DPL also has to be read in conjunction with section 26 of An Act to establish a Legal framework for information technology, 16 which provides for a specific obligation for an organization to actually inform a service provider as to the privacy protection required for a technology-based document. This translates into a stringent obligation for any Quebec organization to actually inform its service provider or partner as to the kinds of security measures the service provider should adopt when handling the organization s technology-based document containing personal information. It bears mentioning in addition that under the Act to establish a Legal framework for information technology, location tracking is prohibited without the consent of the individual, and the collection of biometric information must be immediately reported to the CAI. Second, on the sensitivity issue, PIPEDA provides at s that [a]lthough some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. I do not see how this provides better guidance than the Quebec DPL for identifying those types of information that should be considered sensitive. The Directive lists types of information which should be considered as sensitive because of their nature. I have already criticized this approach elsewhere, 17 and the fact remains that I am not convinced that the EU approach to determining which type of information is sensitive is either workable or realistic, especially in light of the ongoing emergence of new technologies and the amount of information readily available on the web. Nymity: What are the issues with regards to the Territorial scope? Gratton: The Article 29WP argues in its Opinion that the territorial scope of application of the Quebec DPL in relation to the PIPEDA should be clarified, as the Canadian Privacy Commissioner and the CAI seem to maintain different positions on this issue. The truth is that there has not been any real debate between the application of the Quebec DPL and PIPEDA. For the Quebec DPL to apply, the enterprise must be carried on in the province of Quebec, and local courts have applied broad criteria in determining this fact. For example, in Institut d assurance du Canada v. Guay, 18 the Court of Quebec ruled that the CAI had rightfully considered that the Insurance Institute of Canada, a nonprofit and educational organization, carried on an enterprise in Quebec since it sold course materials and offered examination and correction services in Quebec (although the Institute had its head office in Ontario, had no place of business in Quebec, and did not hold documents containing personal information in Quebec). All this to say that given the fact that the Quebec DPL is far reaching, organizations don t fall through the cracks because of our different Canadian laws. Instead, when in doubt as 15 Under PIPEDA schedule 1, principle , the nature of the security safeguards which an organization must use to protect personal information will vary depending on the sensitivity of the information and more sensitive information should be safeguarded by a higher level of protection. Similarly, under s. 10 the Quebec DPL, there is a similar security requirement under which the security measures necessary to ensure the protection of the personal information collected, used, communicated, kept or destroyed have to be reasonable given the sensitivity of the information. 16 CQLR c. C Eloïse GRATTON, Understanding Personal Information : Managing Privacy Risks, LexisNexis, 2013, 515 pages, at p. 141 and following S Pre-determined Categories of Sensitive Data Challenged. 18 REJB (C.Q.).

6 P a g e 6 to the existence or extent of a potential overlap in applicable laws, organizations will ensure that they comply with the most stringent data protection requirements which may apply to them. I also think that this territorial issue should have probably been addressed at the time that the European Commission evaluated PIPEDA and declared it adequate back in 2001, especially given that the Quebec DPL has already been in effect for eight years. Nymity: Why would Quebec want to seek adequacy? Gratton: Quebec definitely wants to seek adequacy because jurisdictions that don t qualify as being adequate under the Directive may have a more difficult time dealing with the EU, if and when managing personal information from EU citizens. In the context of free trade discussions between Europe and Canada, where Quebec is one of the major economic actors, it is definitely critical that Quebec organizations be able to transfer personal information without any problems. Nymity: What are the anticipated next steps? Gratton: Following the Article 29WP Opinion, the Article 31 Committee will need to provide an approval which must be adopted by the Commission before Quebec can be recognized as adequate. To date, the Commission has recognized the adequacy of Canada s PIPEDA which, in my view, is not as stringent as the Quebec DPL. This makes me wonder about the accuracy of their methodology for assessing the adequacy of a foreign data protection law. I also believe that the critical analysis of other jurisdictions laws, when undertaken in isolation, can be counterproductive; the Article 29WP Opinion would be more evidently solutions-oriented if it offered substantial recommendations or guidance in parallel with its criticisms. We should all be working together to ensure that our current data protection regime will survive and remain relevant in the near future because let s face it there are already many challenges with our current notice and choice model. Nymity: Do you believe that the Quebec DPL needs to be updated at all? Gratton: Definitely. If the Quebec legislator will be going back to the drawing board, he/she might as well also address the real challenges that we have with the Quebec DPL. To begin with, the Quebec DPL does not provide for a business transaction exception needed to facilitate business transactions at the due diligence and closing stages as the Alberta and B.C. PIPA (Personal Information Protection Acts) have enacted. 19 Moreover, the CAI recommended the inclusion of mandatory security breach reporting in both its public sector and private sector data protection laws in its Since in the 2002 Gérald Desjardins c. Groupe Lyras Godard PV AZ , the CAI has confirmed its position that the consent of customers should be obtained prior to disclosing their personal information in the context of a business transaction. To be compliant with this ruling, one may argue that Quebec customers and employees should be asked for their consent through an opt-in (i.e. manifest consent) process prior to disclosing their personal information to a potential buyer.

7 P a g e 7 Quinquennial Report entitled Technology and Privacy, in a Time of Societal Choices. We still haven t seen any amendments on this issue. In addition, the Quebec DPL provides for specific exemptions for the communication of nominative lists at s. 22 to 26 of the Quebec DPL. A nominative list is defined as a list of names, telephone numbers, geographical addresses of natural persons or technological addresses where a natural person may receive communication of technological documents or information. 20 This portion of the Quebec DPL (s. 22 to s. 26) may contradict, to a certain extent, the new Canadian Anti- Spam Law which came into force on July 1 st. I believe it is something that the legislator should examine further. These interviews are provided by Nymity as a resource to benefit the broader privacy community. The interviews represent the points of view of the interview subjects and Nymity makes no guarantee as to the accuracy of the information. Errors or inconsistencies may exist or may be introduced over time as material becomes dated. None of the foregoing is legal advice. If you suspect a serious error, please contact research@nymity.com. Copyright 2014 by Nymity Inc. All rights reserved. All text, images, logos, trademarks and information contained in this document are the intellectual property of Nymity Inc. unless otherwise indicated. Reproduction, modification, transmission, use, or quotation of any content, including text, images, photographs etc., requires the prior written permission of Nymity Inc. Requests may be sent to research@nymity.com. 20 See s. 22 of the Quebec DPL.