Canadian province may set country’s future privacy standard

The French-Canadian province of Quebec has announced plans to modernize its privacy legislation in a move that would bring it more in line with GDPR. 

Quebec currently enforces its citizens’ data privacy rights under the Act respecting the protection of personal information in the private sector, or the ‘Private Sector Act’ – a law adopted in 1994 and inspired by the data protection legislation of the European Union.

The province’s take on privacy has long been considered to be Canada’s most stringent, steering away from frameworks adopted elsewhere in the country and enshrining privacy as a human right.

This was until a recent string of data breaches highlighted the Private Sector Act’s inadequacies, including a failure to legislate for consumer consent in the digital age.

The existing law, which only applies to the business transactions, is said to be too broad in scope, gives consumers few translatable rights as data subjects, and offers organizations little opportunity to build trust with security or operate effectively in a cross-data economy.

Out with the old…

According to reports, a bill to update present privacy rules in Quebec is set to be introduced in the coming weeks. The bill is expected to propose a new privacy standard that borrows from those set in the EU’s General Data Protection Regulation (GDPR).

In an interview (in French) with the French-Canadian daily La Presse, Sonia LeBel, the province’s Justice Minister, said that an updated law will “give citizens control of their data” and put increased onus on businesses to obtain “informed consent” for processing user data.

Much like GDPR, the ability to withdrawal consent has also been proposed.

Points of difference

Shared language between the Quebecois and countries like France and Belgium makes alignment with GDPR rules a natural progression to privacy governance.

But others suggest that modernization of Quebec law should additionally look to harmonize with Canada’s other privacy regimes, which include provincial legislation in both Alberta and British Columbia and two federal statues, which are also in need of updating.

A business operating across Canada, for instance, is currently subject to these provincial laws and the federal rules under the Personal Information Protection and Electronic Documents Act (PIPEDA).

Éloïse Gratton, a partner at Borden Ladener Gervais in Montreal who specializes in privacy, risk management and data protection, thinks that a revamped law in Quebec should take on certain aspects of GDPR, particularly in terms of narrowing scope on issues like consent.

A revised law, however, should steer clear of GDPR’s enormous fines, which are doled out for noncompliance, such as failure to report a data breach.

“Data protection laws are technology neutral, so they’re often very broad,” Gratton told The Daily Swig.

“What is personal information? It’s not always clear and it’s evolving. Is it an IP address? Is it a device ID? Perhaps it is, perhaps it’s not. It depends on the context.

“There’s so much flexibility that importing automatic fines will make businesses very nervous and would potentially hinder innovation.”

There is currently no mandatory data breach notification law in Quebec – another issue that Gratton believes should be updated.

While there are financial penalties for a company that acts negligently with consumer data, they are rarely levied.

With this in mind, businesses have little incentive to take consumer rights on board. In the same stroke, they may miss out on opportunities on using that data to grow their business responsibility.

“It [the Private Sector Act] is not so problematic for businesses to comply with,” Gratton said.

“It’s going to be interesting for Quebec to make the first move and apply some kind of GDPR framework. Will this create problems with data exchange throughout Canada?”

Bring in the feds

At the start of 2020, Canada’s federal government outlined plans to ramp the country’s data privacy laws – both the Privacy Act, which regulates how the public sector handles personal information, and PIPEDA.

“If we look at our [Canada’s] privacy laws, we’re not as stringent as GDPR, but we’re more stringent then the US,” Gratton explained.

“So, whether it’s Quebec, or the federal regulator [Privacy Commissioner of Canada], they will want to address the current [data privacy] issues that consumers have.”

Gratton added: “Otherwise, how do we address these issues from a global perspective? Businesses want to be exchanging information but don’t want different practices for each country.”

Quebec’s Private Sector Act was last amended in 2006.

RELATED Canada plans revamp of its data privacy law