For several months now, issues relating to the protection of personal information have been an ever-growing concern in all industrialized countries, especially due to serious questions raised by the practices of major social media platforms and scandals following the loss or theft of vast quantities of personal information.
In this context, many European and North American governments have adopted new laws that are more far-reaching and much stricter than before in order to better protect personal information.
In Quebec, this led to the filing, on June 12 of last year, of Bill 64 entitled “An Act to modernize legislative provisions as regards the protection of personal information” (“Bill 64”).
Bill 64 amends the personal data protection obligations incumbent on public bodies and businesses in the private sector. It imposes new and much stricter obligations, in particular on Quebec businesses, such as franchisors and franchisees, while also significantly increasing the powers of the Commission d'accès à l'information (“CAI”).
These new provisions will therefore have a significant impact on all franchise networks operating in Quebec.
All franchisors have personal information on their franchisees, on the directors, officers, partners, shareholders and employees of their franchisees, on their own employees and, often, on the customers of their franchise networks.
Moreover, all franchisees also have personal information on their employees and, often, on their customers.
Lastly, personal information is often disclosed and exchanged in various ways (frequently by electronic means) between each franchisee and its franchisor as well as between franchisees. It is therefore important to recall that, from a legal perspective, each franchisee is a business that is separate from the franchisor or any other franchisee.
As such, the franchisor and each of its franchisees are each required to comply with the provisions of the Act respecting the protection of personal information in the private sector, including, upon their coming into force, the provisions of Bill 64.
In addition to the increased penalties for violations, which upon the coming into force of Bill 64 could be as high as $25,000,000, here is a summary of some of the important changes proposed under Bill 64 that will impact both franchisors and franchisees:
- Duty to adopt governance rules regarding the protection of personal information;
- Obligation, for franchisors as well as each of their franchisees, to appoint a person in charge of the protection of personal information;
- Consent required to collect, use or disclose personal information must be requested separately from any other information provided to the individual;
- Obligation to provide more detailed information to individuals when collecting their personal information;
- Framework for communicating personal information in connection with a contract for services or work;
- Amendments to requirements enabling personal information to be transmitted outside of Quebec;
- Obligation to destroy or anonymize personal information when the purpose for which it was collected is fulfilled;
- Requirement to assess privacy-related factors with regard to any information system or electronic service delivery project (e.g., the sale or delivery of goods or provision of services) involving the collection, use, disclosure, storage or destruction of personal information;
- Duty to ensure that the parameters of the technological goods and services offered provide the highest level of protection of confidentiality, by default, without any intervention by the individual it concerns;
- Procedures that apply when personal information is used to render decisions based on automated processes, such as by identifying the information to be transmitted to the individual affected by the decision;
- Eliminating the possibility of disclosing nominative lists without the consent of the persons they concern, and the addition of a right to contest the use of their personal information for commercial or philanthropic solicitation purposes;
- Duty to inform with regard to functions that allow an individual to be identified, located or profiled;
- Possibility to use depersonalized information for study, research or statistical purposes;
- The addition of the right to have personal information deleted;
- A person’s right to data portability, meaning an individual’s right to receive the personal information that individual provided to an entity in a structured and commonly used technological format. When requested by that individual, this information must be transmitted to any other person or entity;
- Duty to handle, in a transparent manner, “confidentiality incidents” from which a duty to report arises;
- Duty to protect employees who report a violation of any personal data protection laws;
- Allocation of powers to the CAI so that it may, among other things, impose monetary administrative penalties on businesses subject to the Act respecting the protection of personal information in the private sector, which may be as high as $10,000,000 or 2% of the global revenue, if this amount is higher.
Bill 64 also includes many other provisions affecting all public bodies, private businesses and political parties.
Although we’re still several months away from the coming into force of Bill 64, it would be wise to start preparing now.
For a franchisor this means, among other things:
- Having a lawyer who specializes in personal information protection revise the franchise agreement and other contracts to ensure that they are compliant with this new legislation and that they include the necessary undertakings by the franchisees to ensure their compliance therewith;
- Revising, both for itself as well as its franchisees and the entire franchise network: (i) the practices and processes for obtaining, holding, safeguarding, managing, communicating, storing and destroying personal information, (ii) the operations manual, (iii) computer and technological tools, (iv) websites, and (v) agreements with its suppliers (such as IT and financial service providers), in order to make the necessary changes to ensure its own timely compliance with this new legislation as well as that of its franchisees;
- Preparing and implementing standards, rules (such as governance rules) and guidelines as well as the necessary information and training tools to inform, train and guide its franchisees so that they are able to properly comply with this new legislation as soon as it comes into force.
This is especially important since, in addition to exposing both you and your franchisees to the very strict penalties proposed under Bill 64, any violation of the laws and regulations governing the protection of personal information can also expose your network to damaging news coverage and have serious consequences for your customers.
A franchise network’s brand is often its most valuable asset and these changes create a real risk that the brand could be harmed in the event of a failure to comply with the new legal framework. Where the franchisor provides the digital platforms used to process personal information or if it processes the data itself, it would be especially important to adopt a proactive approach since its intervention may be at the root of such issues. It would be in the franchisor’s interest to contact its IT providers now to determine if their service is compliant and, if not, to obtain clear undertakings to ensure timely compliance.
To stay informed about Bill 64 and the significant changes to Quebec personal information protection laws, the Privacy Protection practice group at Fasken has created and regularly updates an online resource centre, “Resource Centre | Bill 64 and changes to Quebec personal information protection laws”. The Firm’s Privacy group also publishes periodic updates on developments regarding Bill 64 as well as its in-depth analysis of the different proposals.
We therefore invite you to regularly visit and read the posts in order to keep up to date on all the issues regarding the protection of personal information.
Fasken is always available to help you with all the steps required to ensure that both you and your franchisees are compliant with all laws and regulations governing the protection of personal information.