2021-01-11 Articles
Bill 64: How Should You Prepare For It? (Part 3)
In this third installment dealing with Bill 64 (hereinafter the “Bill”)[1] we will discuss the rights to withdraw consent, to destruction, to anonymization, to access by the persons concerned, to rectification, and to request the cessation of dissemination or the de-indexation of personal information, again in relation to the principal amendments that would be made to the Act respecting the protection of personal information in the private sector.[2]
The Right to Withdraw Consent
Any person carrying on an enterprise who uses personal information for commercial or philanthropic prospection purposes must identify himself to the person whom he is addressing and inform that person of his right to withdraw his consent to the personal information concerning him being used for such purposes. If consent is withdrawn, the personal information must no longer be used.[3]
The Right to Destruction or Anonymization
Once the purposes for which personal information was collected or used are achieved, the person carrying on an enterprise must destroy or anonymize the information, subject to any preservation period provided for by statute.[4]
Information is anonymized when it irreversibly no longer allows the person concerned to be identified, directly or indirectly. Information must be anonymized according to generally accepted best practices.[5] The Bill does not propose any specific anonymization techniques. That having been said, in 2014, the Article 29 Data Protection Working Party, which included the European personal data protection authorities, published Opinion 05/2014 on Anonymisation Techniques. Data will be anonymized if they address the following three risks:
- Singling out: Is it possible to isolate some or all attributes which identify an individual in the dataset?
- Linkability: Is it possible to link, at least, two pieces of data concerning the same data subject or a group of data subjects?
- Inference: Is it possible to deduce, with significant probability, the value of an attribute from the values of a set of other attributes?[6]
An example of an anonymization technique is randomization, which consists in altering the veracity of the data in order to remove the strong link between the data and the individual.[7]
Anonymization is distinct from the de-identification of personal information. We addressed the notion of de-identification in our article dealing with consent, among other things.[8] Information is de-identified when it no longer allows the person to be directly identified.[9] Thus, the adverb “indirectly” is central to the distinction between the two notions.
For example, a secret key cryptographic system is a de-identification technique. The person in possession of the key could re-identify each person concerned by decrypting the data set.
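The distinction above, as an added Python example that is not part of the original article: it shows a keyed, de-identified dataset that still fails the singling-out and linkability tests and that the key holder can re-identify. HMAC-SHA256 tokens stand in for the secret-key system (an assumption, since the article names no algorithm), and the key, names, field names and records are all constructed.

```python
import hashlib
import hmac
from collections import Counter

KEY = b"constructed-demo-key"  # assumption: secret held by the enterprise

def pseudonymize(name, key=KEY):
    """Replace a direct identifier with a keyed token (de-identification)."""
    return hmac.new(key, name.encode(), hashlib.sha256).hexdigest()[:16]

def reidentify(token, candidates, key=KEY):
    """Whoever holds the key can recompute tokens for known names and reverse the mapping."""
    for name in candidates:
        if hmac.compare_digest(pseudonymize(name, key), token):
            return name
    return None

def singled_out(records, quasi):
    """Singling out: records whose quasi-identifier combination is unique."""
    counts = Counter(tuple(r[q] for q in quasi) for r in records)
    return [r for r in records if counts[tuple(r[q] for q in quasi)] == 1]

def linkable(a, b):
    """Linkability: tokens present in both datasets let rows about one person be joined."""
    return {r["id"] for r in a} & {r["id"] for r in b}

# Constructed sample data: (name, postal prefix, birth year)
CUSTOMERS = [
    ("Alice Tremblay", "H2X", 1984),
    ("Bruno Gagnon", "H2X", 1984),
    ("Chloe Roy", "G1R", 1951),
]
# Two de-identified datasets sharing the same keyed token as the record id
CRM = [{"id": pseudonymize(n), "postal": p, "birth_year": y} for n, p, y in CUSTOMERS]
CLAIMS = [{"id": pseudonymize("Chloe Roy"), "claim": "constructed-claim"}]

if __name__ == "__main__":
    unique = singled_out(CRM, ("postal", "birth_year"))
    names = [n for n, _, _ in CUSTOMERS]
    print("records singled out by quasi-identifiers:", len(unique))
    print("tokens linkable across datasets:", len(linkable(CRM, CLAIMS)))
    print("key holder re-identifies:", reidentify(unique[0]["id"], names))
    print("without the key:", reidentify(unique[0]["id"], names, key=b"wrong-key"))
```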
The Right of Access by the Persons Concerned
The Bill stipulates that every person carrying on an enterprise who holds personal information on another person must, at the request of the person concerned, confirm the existence of the personal information and communicate it to the person by providing him with a copy of it.[10]
Similarly, if the personal information is computerized, the person may request that the information be communicated to him in the form of a written and intelligible transcript.[11]
Unless there are serious practical difficulties, a person may also obtain the communication of computerized personal information in a structured, commonly used technological format. At the person’s request, personal information about him may also be communicated to any person or body authorized by law to collect such information.[12]
The Right to Rectification
According to section 113 of the Bill, a person may require the rectification of personal information about him if the information is inaccurate, incomplete or equivocal, or if collecting, communicating or keeping it are not authorized by law.[13]
The Right to Request the Cessation of Dissemination or the De-indexation
The Bill proposes the addition of a new right respecting the protection of personal information, namely the right to request the cessation of dissemination or the de-indexation of the information. Thus, the person to whom personal information relates may require any person carrying on an enterprise to cease disseminating that information or to de-index any hyperlink attached to his name that provides access to the information by a technological means, if the dissemination of the information contravenes the law or a court order.[14]
Moreover, the person may do likewise, or may require that the hyperlink providing access to the information be re-indexed, where the following conditions are met:[15]
- The dissemination of the information causes the person concerned serious injury in relation to his right to the respect of his reputation or privacy;
- The injury is clearly greater than the interest of the public in knowing the information or the interest of any person in expressing himself freely;
- The cessation of dissemination, re-indexation or de-indexation requested does not exceed what is necessary for preventing the perpetuation of the injury.
Furthermore, in assessing the criteria for exercising the right to request the cessation of dissemination or the de-indexation of the information, or to require that the hyperlink providing access to the information be re-indexed, the following, in particular, must be taken into account:
- The fact that the person is a public figure;
- The fact that the person is a minor;
- The fact that the information is up to date and accurate;
- The sensitivity of the information;
- The context in which the information is disseminated;
- The time elapsed between the dissemination of the information and the request made pursuant to that right;
- Where the information concerns a criminal or penal procedure, the obtaining of a pardon or the application of a restriction on the accessibility of records of the courts of justice.
Time Limits
This article was written by the claims prevention team and, given that lawyers will be called upon to advise their clients on this Bill, it was impossible for us not to address compliance with the following time limit.
The person in charge of the protection of personal information must reply in writing to the request for access or rectification, promptly and not later than 30 days after the date the request is received.[16]
Lastly, the person in charge of the protection of personal information must give the reasons for any refusal to grant a request and indicate the provision of law on which the refusal is based, the remedies available to the applicant under the Act respecting the protection of personal information in the private sector and the time limit for exercising them. The person in charge of the protection of personal information has a duty to help the applicant understand the refusal.[17]
In our final article, we will discuss the communication of personal information following a death, certain time limits for appeals and contestations, penalties for offences, and the right to private prosecutions.
[1] Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, 42nd Leg. (QC), 1st Sess., 2020.
[2] Act respecting the protection of personal information in the private sector, CQLR, c. P-39.1.
[3] Id., s. 111.
[4] Id., s. 111.
[5] Id.
[6] Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques, April 10, 2014, pp. 11-12.
[7] Id.
[8] This text can be consulted at: Bill 64: How Should You Prepare For It? (Part 2)
[9] Id., s. 102.
[10] Id., s. 112.
[11] Id.
[12] Id.
[13] Id., s. 113.
[14] Id.
[15] Id.
[16] Id., s. 116.
[17] Id., s. 118.