Reading time : 5 min
In Quebec, two specific laws govern the collection, communication and use of personal information by an enterprise in the course of its operations:
- There Act Respecting the Protection of Personal Information in the Private Sector (hereinafter referred to as the “Privacy Act”) that is a law enacted by the Quebec government in force since 1994, as well as
- The Personal Information Protection and Electronic Documents Act (hereinafter referred to as “PIPEDA”) that is a law of the Government of Canada in force since 2004.
Whenever an individual or legal entity operates an enterprise in Quebec, it must comply with these Acts. For example, if your enterprise sells goods or services online, having a terms and conditions agreement becomes essential to comply with the law.
This article studies the Privacy Act with the main objective of explaining the responsibilities of enterprises with respect to the protection of their clients’ personal information. This article does not encompass the PIPEDA rules, and although both laws share certain similarities, points of difference exist. For more information about the PIPEDA, you can contact us.
In the first segment of this article, we will review the following legal questions:
- The scope of application of the Privacy Act,
- The collection, communication and use of personal information, and
- The notion of consent.
In the second segment of this article, we will address the responsibilities of enterprises under the Privacy Act.
Note that on June 12th, 2020, Bill 64 on the Act to modernize legislative provisions as regards the protection of personal information was introduced to the Quebec National Assembly. This bill proposes significant changes to the protection of personal information as presented below. Once this law comes into effect, a new article about these changes will be posted. To remain ahead of the curve about any change to the laws applicable to your business, you can follow us on our social media platforms
The scope of the Quebec Privacy Act
To understand what the Privacy Act entails, we must first explain its legal basis, purpose, and to whom it applies in Quebec.
PURPOSE AND SCOPE OF THE PRIVACY ACT
The Privacy Act aims to enforce and protect the respect of reputation and privacy of individuals as provided for in sections 35 to 40 of the Civil Code of Quebec (hereinafter referred to as “CcQ”). To do so, the Privacy Act applies to:
- The personal information of individuals who
- Is collected, communicated or used by a third-party, either a natural person or a legal entity,
- In the course of carrying on an enterprise (Section 1 of the Privacy Act).
The notion of “personal information” includes any information that relates to a person and allows that person to be identified by third parties (Section 2 of the Privacy Act). This notion applies exclusively to natural persons and tends to be generously interpreted by courts. Therefore, any information about a legal entity (also referred to as “legal person”) does not constitute personal information within the meaning of the law; the Privacy Act only protects individuals (also referred to as “natural persons”).
The notion of “on the course of carrying on an enterprise” is defined by paragraph 3 of section 1525 of the CcQ that is in practice also generously interpreted by courts. For the purposes of this article, it must be highlighted that this notion:
- Does not distinguish between the legal structures of enterprises, and that it may exceed the popular understanding of what an enterprise may be. For example, it has been held that a trade union meets the definition of an enterprise under the Privacy Act.
- Includes any enterprise that carries on business in Quebec, regardless of its jurisdiction of incorporation and where the personal information is stored.
- Includes any corporation or association carrying on an enterprise that is subject to the provisions of the Privacy Act (section 96 of the Privacy Act).
To fulfill its objectives, the Privacy Act benefits from a special legal status. In fact, it prevails over any other law and regulation regarding the protection of personal information in the private sector in Quebec, unless expressly stated otherwise in the law. Consequently, an enterprise may not adopt an internal regulation on the protection of its employees’ personal information that provides for measures that do not meet the protection threshold set by the Privacy Act. That being said, it is acceptable for an enterprise to exceed this threshold and offer more extensive protection measures (Section 94 of the Privacy Act).
EXCEPTIONS TO THE APPLICATION OF THE PRIVACY ACT
Certain exceptions to the application of the Privacy Act exist, such as:
- Public bodies within the meaning of the Act respecting Access to documents held by public bodies and the Protection of personal information, and any third-party who holds personal information on their behalf (Section 3 of the Privacy Act).
- Personal information obtained or produced in a class action – a class action is a legal proceeding in which a group of persons sues the same person(s) for the same reasons and purposes.
- Certain aspects in the operation of a federally incorporated business that fall under the jurisdiction of the federal government. For example, the labour relations of a federally incorporated enterprise are not subject to the Privacy Act.
Under these circumstances, the Privacy Act does not apply. However, these exceptions do not represent an exhaustive list; they are the most commonly recognized exceptions by law.
Collection, communication and use of personal information in Quebec
(1) CONSENT RULE
First, any collection, communication and use of an individual’s personal information is subject to the consent of that individual. Consent is the cornerstone of the Privacy Act. Without the consent of the individual, no enterprise may collect, communicate or use his or her personal information. Given its importance, an entire section about the notion of consent is provided for below.
(2) BONA FIDE AND LEGITIMATE INTEREST RULE
Second, establishing a file about a person requires the existence of a serious and legitimate interest. In other words, any enterprise that wishes to create a file containing personal information about an individual must have a serious and legitimate interest in doing so. For example, the performance of a contract may constitute a sufficiently serious and legitimate interest to creating a file and requesting the legal name of a person with whom the enterprise wishes to conclude the contract.
This requirement must be read in conjunction with the necessity test. Set out in section 5 of the Privacy Act, the necessity test requires that only the personal information necessary for the purpose of the complied file is collected. What does “necessary” mean? The notion of “necessity” depends on the circumstances and the purposes for which the information is collected. In this regard, note that the enterprise has the onus to demonstrate that it meets this test. It must be highlighted that no enterprise can use the consent of the concerned individual to prove or override the necessity test. In other words, the mere fact that an individual consents to the collection of personal information is insufficient to meet the “necessity” test to collecting personal information.
(3) DIRECT COLLECTION RULE
Third, any collection of personal information must be processed directly from the concerned individual (section 6 of the Privacy Act). The exception to this rule is when an individual gives his or her consent for the collection to be conducted by a third-party. In such a case, the third-party maintains certain obligations in favour of the concerned person.
Concurrently, collecting personal information must not be imposed as a condition to concluding a contract for goods or services or an employment contract. Specifically, section 9 of the Privacy Act prohibits enterprises from refusing an application for goods, services or employment on the basis of the applicant’s refusal to provide personal information. There are three exceptions to this rule:
- Where the personal information is necessary for the conclusion or performance of the contract: in this case, the enterprise holds the onus to demonstrate that necessity.
- Where the personal information is authorized by law to be collected.
- Where there are reasonable grounds to believe that the collection of personal information is not permitted by law.
Thus, an enterprise may refuse to enter into a contract with an individual on the basis of that individual’s refusal to provide personal information in one of the situations described above. In the next section, we take a specific look at the notion of consent to the collection, communication and use of personal information.
Consent under the Quebec Privacy Act
From the outset, an enterprise must ensure that any collection, communication and use of personal information about an individual respects the purpose of the file, and that it possesses the consent of the concerned individual. In this section, we examine the notion of consent and its conditions as applied in Quebec.
THE CONCEPT OF CONSENT
Section 14 of the Privacy Act states that “consent to the collection, disclosure or use of personal information must be manifest, free, and enlightened, and must be given for specified purposes. Such consent is valid only for the length of time needed to achieve the purposes for which it was requested.”
A consent that does not comply with these conditions is deemed to have no effect; that it was never provided. This means that an enterprise must seek the consent of the concerned person every time it wants to use his or her personal information for a purpose other than that for which it was originally. This also means that consent cannot be inferred from the circumstances surrounding which it was provided; it cannot be implied.
However, courts recognize that consent may be intrinsic to a legal act or a specific situation. In other words, under certain circumstances, the consent of a person would be essential to the performance of a legal act or the realization of a situation. For example, an insured person who is claiming compensation for his or her disability from the insurer must consent to the disclosure of his or her relevant personal medical information to complete the claim. In the case where no manifest consent has been given by the insured to the insurer, the consent of the insured may be been deemed intrinsic and granted by the very nature of the legal act of the claim. However, it should be stressed that the interpretation of the intrinsic nature of consent depends on the circumstances, and to avoid unnecessary exposure to risk, it is common practice for an enterprise to always ask for the explicit and written consent of the concerned person.
EXCEPTIONS TO CONSENT
There are two main exceptions to the requirement of consent when disclosing personal information.
First, sections 18 to 18.2 of the Privacy Act provide for situations where an enterprise will not have to ask for the consent of the concerned individual before disclosing his or her personal information to specific third parties. Without providing a complete list, such disclosures may be made, for example, for the benefit of the Director of Criminal and Penal Prosecutions in the context of a prosecution for an offence under a law applicable in Quebec, if the disclosed information is necessary to the prosecution. Similarly, a person who has a warrant to collect a debt for another person may benefit from this exception if the communicated information is required to perform his or her duties.
Second, sections 22 to 26 of the Privacy Act allow the disclosure of personal information in the context of nominative lists that have a philanthropic or commercial prospecting purpose. These lists are information books containing the names, addresses or telephone numbers of individuals. This exception is based on the presumed consent of the individual to be part of these lists. In this case, the legislator ruled that the purpose of these lists does not contradict the objective of protecting personal information since any individual may oust this presumption by notifying an enterprise of his or her wish to be removed from the list. This exception may also apply to the disclosure of nominative lists to a third-party for the same purposes. It should be noted that any enterprise who uses and contacts a person through a nominative list has the obligation to identify himself or herself, and to inform the contacted person of his or her right to be removed from the list through which he or she was contacted from (section 24 of the Privacy Act).
This ends the segment on the notion of consent, and about the fundamental concepts related to the protection of personal information in Quebec. To learn more about the responsibilities of enterprises under the Privacy Act, you can read the second segment of this article.
To conclude, remember that:
- The Privacy Act is a fundamental law that any enterprise must respect when collecting, communicating or using the personal information of individuals in Quebec.
- You are not alone; Lex Start is here to help you implement your online terms and conditions without compromising your budget by offering affordable and personalized legal services.
We hope this article has helped you better understand the extent of your responsibilities regarding clients’ personal information, and the importance of having a terms and conditions agreement that complies with the law. For more information on this subject or about how to start your own business, you can contact us.