Skip to main content
This website uses cookies. By continuing to use this website you are agreeing to our use of cookies as described in our privacy policy.
Bulletin

The Québec Private Sector Privacy Act: When does it Apply to Organizations Outside of Québec?

Fasken
Reading Time 10 minute read
Subscribe

Privacy & Cybersecurity

The territorial application of Québec’s Act respecting the protection of personal information in the private sector[1] (the “Act”) remains to be settled by legislation or jurisprudence. While Courts have identified the criteria used to ascertain the existence of an enterprise, they have yet to develop a clear approach to the application of the Act to foreign enterprises with activities in the province of Québec.

As discussed below, Canada’s Personal Information Protection and Electronic Documents Act[2] (“PIPEDA”) and the EU General Data Protection Regulation (the “GDPR”) may provide models that could be considered in Québec. However, until the territorial scope of the Act is clarified, organizations may find that the Act applies to their activities in unexpected ways, as has occurred in a number of cases discussed below, where there have been minimal connections to Québec.

1. Application of the Act

Article 1 of the Act provides for its application.[3] According to this article, the Act establishes rules with respect to personal information “which a person collects, holds, uses or communicates to third persons in the course of carrying on an enterprise within the meaning of article 1525 of the Civil Code of Québec” (the “CCQ”).[4]

Other articles in the CCQ mention the concept of “enterprise,” but Courts have explicitly refused to use them to determine the application of the Act. The only criteria to ascertain the existence of an enterprise for this purpose is article 1525 of the CCQ.[5] Under paragraph 3 of article 1525 of the CCQ,

The carrying on by one or more persons of an organized economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property, or providing a service, constitutes the operation of an enterprise.[6]

The definition of “enterprise” as articulated by article 1525 of the CCQ has been the subject of much debate.[7] However, Pierre Dalphond, prior his appointment to the Québec Court of Appeal, described five factors to determine the existence of an enterprise.[8] Courts have used these factors to determine the presence an enterprise within the meaning of article 1525 of the CCQ for the purposes of the application of the Act.[9]

In the October 2018 case Firquet c. Acti-Com, Québec’s Commission d’accès à l’information (the “Québec Privacy Commissioner”) lists the five factors, which are cumulative, to find the existence of an enterprise in Québec’s civil law:

a) A plan specifying the enterprise’s economic objectives, according to which the activity is organized. It need not be complex or in writing.

b) Assets related to the pursuit of the objectives, which can vary from a large company’s machinery or buildings to a single craftsman’s modest toolbox.

c) A series of habitual juridical acts involving the entrepreneur, carried out in pursuit of the objectives.

d) Other economic players or stakeholders receptive to the goods and services offered by the enterprise, generally defined as customers, goodwill, or the market.

e) Economic value or profit directly attributable to the efforts of the entrepreneur.[10]

The Québec Privacy Commissioner used these factors to assess whether the Act applies to the activities of Gérard Camisa, who acted on behalf of his mandator, the French company Pouey International. According to the Québec Privacy Commissioner, Camisa proceeded under a simple but well defined plan, consisting of approximately two missions per year. Pouey informed Camisa of Canadian buyers who buy from French suppliers. Camisa then contacted their representatives to bring business to Pouey. Camisa carried out his mandates from his home using computer equipment, which counted as assets used in pursuit of the economic objectives. The objectives, although sporadic, were repayment agreements, and thus also juridical acts. Camisa received a sum of money from his client, Pouey, in return for his services. Thus, the Québec Privacy Commissioner concluded that Camisa carried on an enterprise within the meaning of 1525, and that the Act applied[11].

2. Foreign Enterprises

For the Act to apply, the enterprise must be carried out in Québec. As a preliminary matter, the Québec Privacy Commissioner has noted: “la loi vise uniquement les personnes qui ‘exploitent une entreprise au Québec.’”[12]

Nonetheless, Courts apply broad factors to determine this geographical criteria. In Institut d’assurance du Canada c. Guay, the Québec Privacy Commissioner ruled that the Act applied to an entity based in Ontario that sold goods and services in Québec, even though the entity had only one office in Québec with minimal staff who were neither agents or mandataries. The entity also kept no documents containing personal information in Québec, but the Québec Privacy Commissioner emphasized that the entity could not escape the Act’s application by moving personal information from Québec to Ontario.[13]

Courts have also held that foreign companies that do business in Québec, or who produce goods or services that find their way to Québec’s market, can be “enterprises” within the meaning of article 1525 of the CCQ. In Serres Floraplus inc. c. Norséco inc, American company Jackson & Perkins Wholesale (“JPW”) developed and implemented marketing for horticultural products in North America. The Superior Court of Québec ruled that JPW was an enterprise under article 1525 of the CCQ, without using the five factors described above nor giving substantial explanations.[14] In Jabre c. Middle East Airlines-AirLiban, the Middle Eastern airline had a head office in Beyrouth and a branch in Québec containing eight non-unionized employees, hired locally but supervised by the head office. In this case, the Québec Privacy Commissioner ruled that the airline was an “enterprise,” and applied the Act.[15]

3. Potential Lessons from PIPEDA

Section 4 of PIPEDA provides that the statute applies to organizations that collect, use, and disclose personal information in the course of commercial activities and to federal undertakings who do the same with regard to their employees.[16]

Section 4 is silent with respect to the statute’s territorial reach. However, Courts use the “real and substantial connection” test to ascertain whether PIPEDA applies to foreign organizations.[17] This test was first adopted in the 1993 case of Morguard Investments, and has been applied and developed over many cases since.[18] With regard to PIPEDA, Courts have identified the operative question determining whether to apply PIPEDA to a foreign organization as follows:  “whether there is sufficient connection between this country and the [activity] in question for Canada to apply its law consistent with the ‘principles of order and fairness.’”[19]

In A.T. v. Globe24h.com, the Federal Court applied PIPEDA to a Romanian operating a website that collected and published Canadian jurisprudence containing personal information. Although the website was operated and hosted in Romania, the website contained Canadian decisions, targeted Canadians, and impacted Canadians. The Federal Court used these factors to find a real and substantial connection to Canada.[20]

Likewise, in the recent case summarized in PIPEDA Report 2018-002, the Office of the Privacy Commissioner of Canada applied PIPEDA to a New Zealand company operating a website that published Canadian social media profiles. As factors, the Office noted that the website claimed to contain information about searchable Canadian profiles, required Canadians’ personal information to offer further services, delivered Canadian-based advertising, sought to attract Canadian users, and impacted Canadians.[21]

In both cases, the fact that foreign authorities were also investigating privacy complaints was no impediment to PIPEDA’s application.[22]

4. Potential Lessons from the GDPR

The GDPR provides for its own territorial application in a legislated provision. Furthermore, the European Data Protection Board also published detailed guidelines on GDPR’s territorial scope in November 2018, which are available online.[23]

In brief, the GDPR applies to personal data processing[24] that occurs in the context of a data controller or processor’s establishment in the EU, whether the processing takes place in the EU or not.[25] “Establishment” implies effective and real exercise of an activity through stable arrangements. It is interpreted broadly and flexibly, and can mean any human or technical resource available in the EU.[26]

Additionally, the GDPR applies to personal data processing of data subjects in the EU, even if conducted by a controller or processor not established in the EU. In this situation, the GDPR applies if the processing activities relate to either the offering of goods or services to data subjects in the EU or the monitoring of data subjects’ behaviour in the EU.[27]

5. Conclusions and Questions

While Québec Courts have delineated the scope of province’s Private Sector Privacy Act through the notion of “enterprise,” they have yet to delineate the scope of the Act’s territorial application. Determining the territorial application of Québec privacy legislation thus remains unsettled and unclear.

In contrast, to determine the application of PIPEDA, practitioners benefit from jurisprudence that applies an established method to ascertain its territorial application, i.e. the “real and substantial connection” test. To do the same for EU privacy legislation, practitioners can consult legislative provisions and detailed guidance documents.

Several questions arise with regard to Québec Private Sector Privacy Act.

a) Does the Act nonetheless apply to a foreign company that only minimally or nominally satisfies the criteria used to ascertain the existence of an enterprise?

The small amount of business was no barrier in Firquet, which involved merely two mandates per year. However, in this case, the Act applied to a French company’s mandatory in Québec. The plaintiff did not attempt to apply it to the company itself.

b) Is case law concerning the Act’s interprovincial territorial scope relevant for the determination of the Act’s international scope, or the definition of “enterprise?”

As noted above, the Court in Guay identified factors pertinent to the question of the Act’s application to an enterprise from Ontario. Jabre and in Serres concern international enterprises, and make no mention of Guay.

c) If a foreign government is in the midst of an investigation of the foreign enterprise’s activities as they pertain to personal information and privacy, can Québec’s Act still apply to the enterprise?

The fact that a foreign enterprise is or might be under investigation by authorities in its own country was no obstacle to PIPEDA’s application in Globe24h.com and PIPEDA Report 2018-002. Whether the same is true for Québec’s Act is unclear.

In the future, such questions and others regarding the Act’s territorial scope might be answered in case law, or even perhaps in a guidance document published by Québec Privacy Commissioner. The answers might draw inspiration from the approaches adopted under PIPEDA or the GDPR. Until then, foreign enterprises should be mindful of the potential application of the Act with regard to personal information in Québec.



[1] CQLR c P-39.1.

[2] SC 2000, c 5.

[3] Whitehouse c. Ordre des pharmaciens du Québec, AZ-95151055, A.I.E. 95AC-79, [1995] C.A.I. 252, at page 12 [Whitehouse].

[4] Act respecting the protection of personal information in the private sector, CQLR c P-39.1, art. 1.

[5] Whitehouse, supra note 1, at pages 27-29. Mentions of “enterprise” are found in arts. 2186, 2830 and 286 in Book Seven of the CCQ. “Toutefois, la Loi sur le secteur privé s'applique spécifiquement aux entreprises tel que visé par l'article 1525 C.c.Q. et pas aux entreprises au sens du Livre Septième CcQ.”

[6] Civil Code of Québec, CQLR c CCQ-1991, art. 1525.

[7] Grenier c. Collège des médecins du Québec, AZ-96151040, A.I.E. 96AC-40, [1996] C.A.I. 199, at pages 7-11.

[8] Pierre J. Dalphond, « Entreprise et vente d’entreprise en droit civil québécois » (1994) 54 Revue du Barreau 45, p. 39.

[9] Whitehouse, supra note 1, at page 16.

[10] Firquet c. Acti-Com, 2018 QCCAI 245, AZ-51543145, 2018EXP-3257, at para 14 [Firquet].

[11] Ibid., at para 15-18.

[12] Institut d’assurance du Canada c. Guay, AZ-98031022, J.E. 98-141, A.I.E. 98AC-2, [1998] C.A.I. 431 [Guay].

[13] Ibid. 

[14] Serres Floraplus inc. c. Norséco inc., 2008 QCCS 1455, AZ-50485894, J.E. 2008-931, [2008] R.J.Q. 1075, at paras 3 and 21 [Serres].

[15] Despite certain constitutional questions beyond the scope of this bulletin. See Jabre c. Middle East Airlines-AirLiban S.A.L., AZ-98151346, A.I.E. 98AC-64, [1998] C.A.I. 404, at pages 2 and 12 [Jabre].

[16] Ibid., article 4.

[17] Lawson v. Accusearch Inc., 2007 FC 125, at paras 3 and 34.

[18] See, for example, the many cases cited in A.T. v. Globe24h.com, 2017 FC 114, at para 51 [Globe24h].

[19] Ibid., at para 52.

[20] Ibid., at paras 53-56.

[21] PIPEDA Report of Findings #2018-002, Office of the Privacy Commissioner of Canada, June 12, 2018, available online: <https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2018/pipeda-2018-002>, at paras 77-78 [PIPEDA Report 2018-002].

[22] Ibid., at para 79. Globe24h, supra note 19, at para 56.

[23] European Data Protection Board, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - Version for public consultation, November 16, 2018, available online: <https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_3_2018_territorial_scope_en.pdf>.

[24] “Processing” means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” See Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1 [GDPR], article 4.

[25] Ibid., article 3(1).

[26] Google Spain SL and Google Inc. v Agencia Española de Protección de Datos and Mario Costeja González, CJEU, May 13, 2014, C 131/12, EU, at para 48.

[27] GDPR, supra note 22, article 3(2).

    Subscribe

    Receive email updates from our team

    Subscribe