We answer your questions – Modernizing privacy legislation 1/3 | Awareness


In response to our numerous publications, our podcast and the training we provided through the Fasken Institute on December 8, “Changes to the Privacy Act: How to prepare for 2022, 2023 and 2024?”, many of you have asked us questions. We have collected the questions and prepared our answers in the form of three weekly bulletins:

  1. The first bulletin will focus on issues related to the definition, retention of personal information (PI) and penalties imposed by Bill 25 (“Modernization Act”) in the event of breach of obligations.
  2. The second bulletin will focus on more specific transparency, consent and communication obligations.
  3. The third and final newsletter will focus on governance within organizations with respect to the protection of personal information.

    Our Resource Center is still active and contains a series of bulletins and documents dedicated to Bill 25. In order not to miss our next upcoming bulletins and any other information relating to this subject, subscribe to our mailing list in order to receive all the communications under the new law.

BULLETIN 1 (Definition, Retention, Sanctions):

Definition of PI and Sensitive PI

1. In practice, what information is considered sensitive personal information (PI)?

Information is sensitive under the new definition if, due to its nature, in particular its medical, biometric or otherwise intimate nature, or the context in which it is used or disseminated, it involves a high level of reasonable expectation of privacy (Private Sector Law, s. 12).

It is questionable whether financial information, particularly because of the context in which it is used or communicated, will be sensitive information, although it is not specifically covered.

To learn more:

The beginning of a new era for the private sector: Bill 64 on the protection of personal information has been passed

Sensitive personal information: another concept borrowed from the GDPR

2. Can we trust the definition of sensitive data in the GDPR?

Article 9 of the GDPR provides:

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a person data, data relating to health or data concerning a natural person a person’s sex life or sexual orientation is prohibited.

While we can draw inspiration from the GDPR definition, it reflects a European rather than a North American mindset. We therefore do not believe that this definition can be used as a guide, even if certain elements will be considered sensitive in the two pieces of legislation.

To learn more:

Sensitive personal information: another concept borrowed from the GDPR

Work contact details

3. Can an individual’s personal telephone number be considered personal information concerning the exercise of his functions within a company? If so, under what circumstances?

The Commission d’accès à l’information has ruled on several occasions that the expression “work telephone number” within the meaning of the Act respecting access to documents held by public bodies does not include an individual’s home phone, since it would no longer be the work phone. The same approach could be followed for Act respecting the protection of personal information in the private sector.

4. Do these obligations apply to de-identified personal information collected for statistical purposes by a company providing software, with or without the consent of the entity using the software?

The Act applies to personal information. If the information has not been anonymized and simply de-identified, it is still personal information. The exception to consent for statistical purposes applies to the use and disclosure of information, but not to its collection.

To learn more:

Technological and legal overview of the notions of “de-identified” and “anonymized” information in the context of Bill 64

De-identify, Anonymize and De-index: new verbs and new obligations!

Rights of persons

5. What rights do data subjects have over their personal information? Can we say that it is similar to a property right?

Individuals have the following rights: right to information (including when new technology is used); rights of access and rectification; right to withdraw consent to the disclosure of the information collected; and a right to ask the company to stop disseminating his personal information or to de-index any hyperlink attached to his name.

In Quebec, there is no recognized ownership right over personal information, but individuals have a right of control.

To learn more:

The beginning of a new era for the private sector: Bill 64 on the protection of personal information has been passed

Data retention

6. When does an obligation to destroy personal information arise after an individual uses the services?

According to article 23 of the Private Sector Lawwhen the purposes for which personal information was collected or used are achieved, the person operating a business must destroy or anonymize it in order to use it for serious and legitimate purposes, subject to any retention period provided for by law.

Businesses must adopt a retention schedule by September 22, 2023, to address these considerations in a practical way in their organization.

To learn more:

De-identify, Anonymize and De-index: new verbs and new obligations!

7. What measures must be taken with regard to the storage of the written consents obtained (place and duration of storage, etc.)?

It is recommended that consents be stored on a server with limited access that is separate from the server where personal information is stored. Consents must be kept according to a retention schedule taking into account the purpose for which they were collected and the legal limitation period.

To learn more:

Bill 64 – C for consent – An oversimplification?

8. In the case of an NPO, how long can donor files be kept?

Bill 25 does not provide specific rules governing the retention of personal information collected and held by an NPO, which should follow the requirements set out in the previous response.

Bill 25 effectively eliminated the possibility of using personal information for philanthropic prospecting purposes without obtaining the consent of the person concerned for these purposes. This change will also come into effect on September 22, 2023.


9. How is the process leading to a sanction initiated?

Prior to the imposition of any sanction, the Commission d’accès à l’information (“CAI”) will conduct an investigation, which may be following a complaint from an individual or at the initiative of the CAI.

To learn more:

The beginning of a new era for the private sector: Bill 64 on the protection of personal information has been passed

The Commission d’accès à l’information could impose penalties of up to $10 million based on administrative decisions

10. When a company faces a sanction, does it have to prove that it has a policy in place?

Before a sanction is imposed, there will be an investigation. The company will then have to demonstrate that it has complied with its obligations regarding the protection of personal information. These obligations are not limited to the adoption of a policy; they go much further and may include limited access to personal information, security measures appropriate to the sensitivity of the personal information, limited retention periods, etc.

11. Given that directors are not involved in the day-to-day management of personal information held by the company, is the provision that makes a director complicit in an offense committed by a legal person legally valid?

Although they can delegate their powers, directors are, in principle, responsible for the management of the company. There are many laws that assign personal liability to directors and penalties if these laws are broken (for example, the Environment Quality Act, CQLR, c. Q-2, the Labor Standards Act, CQLR, c. N-1.1 or the Business Corporations Act, CQLR, c. S-31.1). Note also that section 93 is not new. Directors are already liable when a corporation commits an offense under current law. However, the obligations of the directors are different from the obligations of the company. A breach by the company does not necessarily make directors liable, if they could not avoid the breach, for example.

12. Are public bodies subject to the penal rules provided for in the Act 25 (eg: school boards, universities, municipal organizations, etc.)?

The penal rules applicable to public bodies are different (new article 158 of the Access Act).

However, public sector employees may incur criminal liability (new Article 159 of the Access Act).


Comments are closed.