Interview with Karl Delwaide

October 2006

Interviewee: Karl Delwaide, of Fasken Martineau DuMoulin LLP

Interviewer: Terry McQuay, President of Nymity

Subject: Québec amendments to An Act Respecting the Protection of Personal Information in the Private Sector

Note:  PrivaWorks customers can view all changes to the Act by visiting: PrivaWorks Reference Guide for Quebec.  Old/changed text in red.  Regulations in blue.

Nymity: Karl, what was the major impetus for Québec to amend An Act Respecting the Protection of Personal Information in the Private Sector (the “Act”)?

Delwaide: The Act, as well as the Act Respecting Access of Documents to Public Bodies and the Protection of Personal Information (the Act that applies to the public sector), contain “sunset” provisions requiring the Access to Information Commission (the “Commission”) to file a report on the application of the Access to Information and Privacy statutes every five years, thereby triggering a Parliamentary Commission of the Québec National Assembly to review the report. Of course, this leads generally to amendments being proposed and discussed before the relevant Parliamentary Commission.

Bill 86, although bearing a different number in previous Parliamentary sessions, has been “in the loop” for several years. It has finally been adopted last June 2006. Most of its provisions have come into force immediately, and some other will be coming into force mostly within a year.

Nymity: Were there any changes to the Commission, which is vested with the oversight powers to the Act?

Delwaide: There were significant changes to the “structure” of the Commission. Criticisms were addressed to the previous system where all members of the Commission may be called to act as adjudicators as well as in the execution of the oversight (”inspection-inquiry”) powers of the Commission. Some were concerned that this “dual responsibility” vested to all members of the Commission may taint the institutional independence and impartiality that the Commission should be displaying in the execution of its functions.

Therefore, amendments were passed by Bill 86 to divide the Commission into two sections: firstly, the Oversight Division and secondly, the Adjudication Division.

The Oversight Division is vested with the function of overseeing the carrying out of the Act, as well as the one applying to the public sector. The functions and powers of the Commission provided for in this division are exercised by the President and the members assigned to the Oversight Division.

The Act has also been amended to allow the Commission to authorize a member of its personnel, or any other person that it appoints to do so, to act as inspector for the Commission. These inspectors are authorized to enter the establishment of a body or person subject to the oversight of the Commission at any reasonable time. The inspectors also have the powers to request from a person on the site to present any information or document required to exercise the Commission’s oversight function and to examine and make copies of any such documents.
The other division of the Commission, the Adjudication Division, is vested with the powers to decide on the examination of disagreement relating to the application of a legislative provision concerning access to or the rectification of personal information. These adjudicative powers and functions are exercised by the President and the members appointed to the Adjudication Division.

Nymity: Were there any changes that would impact cross-border transfers of personal information?

Delwaide: This is a very interesting question. In fact, Section 17 of the Act has been modified in two ways. You will remember that Section 17 of the Act is the one related to requiring from an enterprise wishing to transfer outside Québec personal information on Québec residents to take certain measures in order to determine that the receiving jurisdiction presents basically a “comparable level of protection” before transferring the information.

The first amendment to Section 17 has been to withdraw from the first paragraph the requirements that the personal information be related to Québec residents. The Parliamentary debates show that the preoccupation of the Québec National Assembly was to avoid that the province of Québec becomes a transit jurisdiction for personal information on residents of other provinces or of other countries.

The second amendment is a very important one. A paragraph has been added to Section 17:

“17. (…) If the person carrying on an enterprise considers that the information referred to in the first paragraph will not receive the protection afforded under subparagraphs 1 and 2, the person must refuse to communicate the information or refuse to entrust a person or a body outside Québec with the task of holding, using or communicating it on behalf of the person carrying on the enterprise”. (our emphasis).

As you will have noticed, this requires from the enterprise (practically speaking from its Chief Privacy Officer) to make an evaluation of the privacy situation in the receiving jurisdiction in order to determine whether or not the privacy situation in the receiving jurisdiction allows the enterprise to transfer the personal information. This brings many questions:

• Did the Québec National Assembly want to prohibit the transfer of personal information outside Québec, in the situation in which the enterprise considers that the information will not receive the protection afforded under subparagraphs 1) and 2) of Section 17, after having carefully examined the scope of the laws of the receiving jurisdiction, and having determined whether (or not) they afford the same extent of protection as Québec laws afford?
• Is outsourcing to the USA still possible with the appropriate contractual protections agreed to by the US organization even in light of the USA Patriot Act?
• Should a consent be obtained from the individuals concerned before transferring personal information outside Québec?

Nymity: What are your preliminary thoughts on these questions?

Delwaide: The effect of this paragraph is not clear. One interpretation, supported by our Firm, is that contractual protections in a receiving jurisdiction are deemed sufficient to abide with the requirements of Section 17 and to allow the transfer to take place, as long as the receiving jurisdiction undertakes to apply, or applies, similar protections to those available in Québec. This must be done through a written contract. Similar protections would then mean that exceptions provided by the local laws would be enforceable, because the Québec Private Sector Act recognizes exceptions when provided by law. The second interpretation, more restrictive, is to the effect that the foreign jurisdiction’s laws must be examined in detail in order to verify if the statutory protection is sufficient in comparison with that provided by the Québec Private Sector Act before any transfer can be made.

With respect to the USA Patriot Act, although not coming from the Commission, we should consider the ruling #313 of the Office of the Privacy Commissioner, where it was stated that even if one were to consider the issue of “comparable protection” from the perspective of US -vs- Canadian antiterrorism legislation, it was clear that there is a comparable risk that the personal information of Canadians held by any organization and its service provider – be it Canadian or American – can be obtained by government agencies, whether through the provisions of US law or Canadian law.

Finally, with respect to obtaining a consent by the individuals concerned before outsourcing their personal information, some law firms have taken the position that it is the route to be taken in order to allow the transfer of personal information outside Québec in these circumstances. Although it is certainly preferable to obtain such a consent (it is certainly better to have one than none), in light of previous decisions by the Commission, it is not clear that such a consent will allow an enterprise to go beyond and around the prohibition to transfer personal information outside Québec of Section 17 of the Act.

Nymity: Were there any changes that would impact on third parties?

Delwaide: Before the passing of Bill 86, Section 20 of the Act created an exception to consent allowing an enterprise to outsource the personal information it is managing only to a mandatory (agent), when needed for the performance or the carrying out of their mandates. This brought some difficulties because very often, outsourcing is done through a “contract for services”, where the subcontractor is not the agent of the principal. This has been modified to allow an enterprise to benefit from the exception to the consent requirements and outsource to a subcontractor, through a contract for work or services, in order for the latter to manage on behalf of the enterprise the personal information it holds and uses. Of course, the previous requirements, imposed through decision making by the Commission, that the contract between the enterprise and the subcontractor be in writing remains valid, as well as the other requirements, among others, that a contract specifies the scope of the contract, the purposes for which the subcontractor would use the information (re: the object of the file), the category of personnel of the subcontractor which would have access to the information as well as the confidentiality and security measures imposed on the subcontractor.

Nymity: What are the potential “operational” impacts that could result from these amendments?

Delwaide: With respect to the amendments to Section 17, a special amendment has been brought to the penal provisions. A contravention of Section 17 may bring a fine of $5,000 to $50,000 for the first infraction, and, for a subsequent offence, $10,000 to $100,000.

One must not forget that Section 93 of the Act states that “where an offence under this Act is committed by a legal person, the administrator, director or representative of the legal person who ordered or authorized the act or omission constituting the offence, or who consented thereto, is a party to the offence and is liable to the prescribed penalty”.
Therefore, Chief Privacy Officers of a legal person (corporation) which carries out an enterprise in the province of Québec will have to make a determination as to whether (or not) they should allow the transfer of personal information outside Québec. Considering the number of corporations that operate in Québec as well as in other provinces of Canada and in the USA, this brings a new field of interrogations to their day-to-day functions.

Nymity: Are there any requirements for breach notification?

Delwaide: Bill 86 did not incorporate into the Act such a breach notification provision. It remains to be seen whether (or not) the Commission will so rule in the future, in all circumstances.

Nymity: Are there any unique provisions for employee privacy?

Delwaide: Not as such. Unlike PIPEDA, the Act does not exclude from its scope of application the name, title, business address or telephone number of an employee or of an organization. Nor does the Act make a distinction in its scope of application between personal information in general - vs - employees’ personal information (such as in the Alberta and British-Columbia privacy statutes applicable to the private sector, where they relate to information that is reasonably needed to establish, manage or end an employment relationship).

However, some decisions by the Commission appear to exclude from the definition of “personal information” some information about an employee when acting as a representative of a corporation. Since a corporation may only act through its employees, the name of an employee acting as a representative of the company is not personal information. This must be distinguished when an employee is acting in his/her “personal capacity”, such as in the case where he/she files a complaint on another employee.

9. Question: How can an organization best understand the changes in the Act and the impact these changes will have on their policies and practices?

Delwaide: Organizations should regularly check web sites, firstly, of the Commission (www.cai.gouv.qc.ca/index-en.html), where it regularly publishes its rulings as well as some key general policies and, secondly, law firms web sites, such as Fasken Martineau’s Privacy and Information Practice Group’s specially dedicated web site (http://www.fasken.com/web/fmdwebsite.nsf/AllDoc/5F1F34D72ACB6F7287256B04006FDFA8?OpenDocument), where the members of our National Practice Group regularly publish articles and information related to privacy statutes, including the Act.