For several decades now, privacy impact assessments ("PIAs") have been an increasingly familiar part of the data protection landscape. Originally inspired by environmental impact assessments, their use has become an integral part of best practices in planning new uses of personal information. Governments and regulators have increasingly demanded a PIA for novel treatments of personal information, as they are struggling to keep up with the continuous and accelerating emergence of new technologies.
With the advent of the European Union's recent General Data Protection Regulation ("GDPR"), PIAs, labelled "data protection impact assessments" ("DPIAs") under the GDPR, graduated from best practice to legal requirement in many situations. DPIAs are now compulsory for processing operations which involve new technologies and are "likely to result in a high risk to the rights and freedoms" of the individuals concerned. As a result, the responsibility for ensuring respect for privacy no longer rests solely on the shoulders of institutions or citizens; it is now the responsibility of all organizations.
This approach is mirrored in the proposed Quebec Bill 64.
What is new?
Essentially, Bill 64 proposes that private and public organizations in Quebec be required to conduct "assessments of privacy-related factors" ("APFs"):
- of "any information system project or electronic service delivery project" involving the collection, use, release, keeping or destruction of personal information;
- before communicating personal information without the consent of the persons concerned to a person or body wishing to use the information for study or research purposes or for the production of statistics;
- before communicating personal information outside Quebec;
- for public bodies only, before communicating personal information to a public body or an agency of another government if it is necessary for the exercise of the rights and powers of the receiving body or the implementation of a program under its management, if it is clearly for the benefit of the person to whom it relates, where exceptional circumstances justify doing so, or if it is necessary for the purposes of a service to be provided to the person concerned by a public body;
- for public bodies designated as a personal information manager, before collecting, using or releasing personal information in the exercise of their functions.
Private sector organizations and information system projects
Quebec will now require an APF of "any information system project or electronic service delivery project". Bill 64 goes beyond what is required by the GDPR (which links DPIAs to risks to individuals), as it calls for an analysis of any and all new projects, not just those which seem to be high risk.
The person in charge of the protection of personal information within the company must be consulted about the purpose of the planned assessment. Bill 64 describes what this person may suggest, at any stage of the project:
- appointing a person responsible for the implementation of the personal information protection measures;
- protection measures for any document relating to the project;
- a description of the project participants' responsibilities concerning the protection of personal information; and
- training for project participants.
Crucially, when the APF of an information system is carried out, it must ensure data portability for the future by providing for an easy-to-use format.
But what exactly is an "assessment of privacy-related factors"?
Bill 64 manages to be very prescriptive as to mere suggestions while avoiding discussion of what the criteria for a satisfactory APF would be. There is no mention of the role of risk in the assessment to be carried out. Implementation of the assessment in the project is not mentioned, nor are the consequences, if any, of incomplete assessments or indeed, none at all.
At least, Bill 64 gives us some clues as to the nature of the factors that need to be assessed in an APF made prior to communicating personal information outside Québec, as it provides that the APF must, among other things, take into account (a) the sensitivity of the information, (b) the purpose for which it is to be used, (c) the protection measures that would apply to it, and (d) the legal framework applicable in the "State" in which the information would be communicated.
Fortunately, the Commission d'accès à l'information ("Commission") has developed a working document on how to carry out an assessment of privacy-related factors (in French only), which was published before Bill 64 was tabled. Consequently, this guide presents APFs as an optional tool and could be completely revised following the adoption of Bill 64.
The guide outlines the steps to follow when conducting an APF:
1. Preparation of the APF: this consists of defining the project, the organizational context and the organization's obligations with regard to privacy and the protection of personal information, making an inventory of the personal information that will be involved in the project (including an assessment of that personal information's sensitivity), and identifying the interactions between the organization and the personal information that will be involved in the project.
2. Conducting the APF: according to this guide, the so-called "privacy-related" factors to be assessed are:
- The compliance of the project with applicable personal information protection legislation and adherence to the principles that support it, such as identifying purposes, consent, limiting collection, use, disclosure and retention, security measures, accuracy of the personal information collected, etc.
- The identification of privacy risks generated by the project, such as the retention of information when its utility is no longer demonstrated, theft of information, excessive collection of information, unauthorized disclosure of information, excessive or unjustified creation of information, etc.
- The evaluation of the impact of the identified privacy risks generated by the project, which can be done using a scoring system. In any event, it is important to make sure that the risks are quantified and addressed, and that acceptable risks are defined beforehand.
- The implementation of strategies to avoid or effectively reduce these risks, which can consist of a document management system that allows the automated application of a retention calendar; reviewing the processes for allocating and managing computer access; hiring IT security firms to periodically review the security parameters of the product or service; reviewing confidentiality clauses in contracts, etc.
3. Preparation of an APF report: this last step of the process is meant to consolidate the results of the assessment and to allow the organization to attest to the actions taken and the reasoning followed in the event of an audit, inspection or investigation by a regulatory authority.
A great tool for APFs: Fasken Edge
Fasken has become increasingly aware of the ever-growing regulatory burden on its clients and already has extensive expertise in conducting all sorts of privacy impact assessments for them: its GDPR-qualified lawyers conduct DPIAs, some of its experts are certified as Lead Implementer for ISO/IEC 27701:2019, and it has extended its ISO/IEC 27001:2013 certification to deploy a Privacy Information Management System for its own offices Canada-wide.
Fasken is putting client collaboration and matter management front and centre with its client portal Fasken Edge, which supports clients' compliance efforts in a dynamic manner while reducing legal fees.
This platform includes many useful functionalities for compliance purposes, such as creating and managing data processing inventories. Most of all, Fasken Edge gives access to a control-based risk assessment tool that allows our clients to personalize their methodologies for both maturity and risk. The control-based risk assessment tool included in Fasken Edge can be used to generate reports and to perform privacy risk assessments, data protection impact assessments, security risk assessments and any other control-based assessment required under the GDPR, ISO standards and, eventually, privacy laws in Quebec. The reports can be linked to evidence stored within a data room, and clients can create as many control-based risk assessments as they want.
Our clients have been successful in using Fasken Edge to manage governance, compliance and risk through this innovative tool at a price far more competitive than most GRC or privacy management software on the market. Do not hesitate to contact us if you would like more information about Fasken Edge or any of Fasken's other innovative legal tools.
General Data Protection Regulation, 2016/679, recitals 89-95 and art. 35.
Bill 64, An Act to modernize legislative provisions as regards the protection of personal information.
Bill 64, s. 14 and 95.
Bill 64, s. 23 and 110.
Bill 64, s. 70.1 and 103.
Bill 64, s. 25.
Bill 64, s. 27.
Bill 64, s. 95.
GDPR, art. 35.
Bill 64, s. 95.
Bill 64, s. 27 and 103.
Commission d'accès à l'information, Guide d'accompagnement - Réaliser une évaluation des facteurs relatifs à la vie privée, updated on May 5, 2020, 20 pp. (in French only).