Skip Navigation

Employers Must Prepare for the Transformation of Quebec’s Privacy Regime

Employers Must Prepare for the Transformation of Quebec’s Privacy Regime
By Natalie Bussière, Catherine Gagné and Viviane Lavergne (Articling Student)
September 21, 2022

On September 21, 2022, Quebec’s Act to modernize legislative provisions as regards the protection of personal information (Act) was enacted. The Act’s provisions will become effective gradually over a two-year period, from September 22, 2022, to September 22, 2024.

In our September 2021 bulletin, we discussed several of the new obligations imposed on private sector organizations in Quebec, including obligations that echo certain rules implemented pursuant to the European Union’s General Data Protection Regulation. In our August 2022 bulletin, we also discussed new requirements to take effect in Quebec on September 22, 2022. This bulletin deals more specifically with the key changes relating to the obligations of employers and the rights of employees in Quebec.

NEW OBLIGATIONS FOR EMPLOYERS

By September 22, 2022, employers must have appointed a person in charge of the protection of personal information. This duty which, pursuant to the Act, is to be carried out by the person exercising the highest authority within the organization, may be delegated in part or in whole to one or several persons, including a third party. The choice of this or these persons depends on the type of data that the organization keeps. A human resource executive may be a good choice with respect to employee data.

Organizations must also report any confidentiality incident or privacy breach to the Commission d’accès à l’information du Québec (CAI). The Quebec Government made public a proposed regulation on June 29, 2022, that includes details on the manner with which organizations are to handle confidentiality incidents. Although this regulation has not been adopted, it provides useful information relating to these types of situations.

REMEDIES OF EMPLOYEES

As of September 22, 2022, employees may file a complaint with the CAI, including anonymously, pertaining to any matter relating to the protection of personal information or their employer’s practices regarding the use of personal data. In addition, as of the aforementioned date, employers will be forbidden from taking any reprisal against employees that file a complaint in good faith to the CAI. The Act provides that the following actions are presumed to be a reprisal: demotion, suspension, dismissal or transfer, or any other disciplinary measure or any measure that adversely affects a person’s employment or conditions of employment.

GOVERNANCE AND EMPLOYEE MANAGEMENT

As of September 22, 2023, organizations must have established and implemented governance policies and practices to ensure the protection of personal information. These policies and practices must include several components relating to personal data management which are to be publicly available. Most notably, organizations will have to establish a confidentiality policy that discloses, among other things, the tools they use to supervise the job performance of their workforce.

NEW OBLIGATIONS RELATING TO EMPLOYEE SUPERVISION TOOLS

Employers will have to assess their employee performance management tools, particularly for employees working from home, including the various computer, email, communication, video surveillance and travel monitoring systems that may collect personal information. Although employers, pursuant to their management right, retain the right to monitor the work performance of employees, the Act will impose certain additional limitations as of September 22, 2023. These obligations are in addition to those provided pursuant to the Civil Code of Québec, the Charter of Human Rights and Freedoms and, where applicable, the Canadian Charter of Rights and Freedoms, which also contain certain provisions respecting employee working conditions.

For instance, certain employee monitoring software installed without the knowledge of employees could contravene the provisions of the Act. Employee consent to personal information collection is required. However, the Act also imposes an obligation to inform employees of the reason for the monitoring and the data collection, which must be serious and legitimate, the means by which the information is collected, the rights of access and rectification provided by law and the employee’s right to withdraw consent to the communication or use of the information.

If the technology used allows employers to identify, locate or profile the employee, the employee must be informed of the use of such technology and be shown how to activate such functions. The employer may not unilaterally activate these functions; the Act will give this right exclusively to employees as of September 23, 2023. Profiling includes collection or use of personal information to assess, among other things, an employee’s work performance. Employees may also request to be informed of the personal information collected, the data retention period and the identity of the persons who have access to this information.

Despite these provisions of the Act coming into force, it will remain possible for authorized employees or representatives of the employer to access personal information of an employee without their consent if such access is needed for the performance of their duties.

Finally, the Act provides clarification on obtaining consent. Consent must be clear, free and given for specific purposes. The request for consent must be presented to the employee separately from any other employment information and the employer must provide assistance to the employee, if the latter so requests it, to help them understand the scope of the consent. Given this obligation of obtaining separate consent, it will no longer be possible to include a form of consent with the collection of personal information in the employment contracts of employees. A separate form of consent will now need to be used.

USE OF ARTIFICIAL INTELLIGENCE IN RELATION WITH HIRES OR PROMOTIONS

As of September 22, 2023, employers who use software, artificial intelligence or another method involving automated processing of personal data in order to make a decision based exclusively on the results of this assessment must inform the employees or applicants concerned of (i) the type of personal information used to make the decision, (ii) the principal factors and parameters that led to the decision and (iii) their right to have the personal information used to have the decision corrected if the information was inaccurate. The employee must also be given the opportunity to submit observations to a member of the organization’s personnel who has the authority to review the decision. As of the above date, it will therefore still be possible to use software to make decisions through “automated processing” of personal data, but transparency will be required and the employee or applicant concerned will need to be informed of the use of such a method.

PENALTIES

As of September 22, 2023, any private sector organization that fails to comply with the Act risks incurring fines of up to the greater of C$25-million or an amount corresponding to 4% of worldwide turnover for the preceding fiscal year. In addition to these fines, the CAI may impose on private sector organizations that fail to comply with the Act monetary administrative penalties of up to the greater of C$10-million or an amount corresponding to 2% of worldwide turnover for the preceding fiscal year. Organizations that fail to comply with the Act and receive such a penalty may enter into an undertaking to take the necessary measures to remedy the failure or mitigate its consequences. The CAI will have discretionary power to set conditions or compel organizations to pay a sum of money. If an organization undertakes to comply with the conditions and follows through, it will not have to pay a monetary administrative penalty regarding acts or omissions alleged against it. It is expected that the CAI will develop and make public a general framework for the application of monetary administrative penalties before the regime comes into force on September 22, 2023.
 
For more information, please contact:

Natalie Bussière                +1-514-982-4080
Catherine Gagné               +1-514-982-4085
Viviane Lavergne               +1-514-982-4082

or any other member of our Employment & Labour group.