foresight Newsletter

Welcome to foresight, the monthly e-newsletter for the Canadian Research Insights Council (CRIC), offered in collaboration with CRIC’s strategic partners the Certified Analytics and Insights Professionals of Canada (CAIP-PAIM Canada) and ESOMAR. foresight features the latest news, thought leadership and events from Canada’s research, analytics and insights industry. Would you like to include your company’s news, research, job postings or blogs in an upcoming issue? Connect with Grace Woo at [email protected].

New Privacy Requirements in Québec; National Privacy Legislation To Follow Suit

CRIC members that do business in Québec or that deal with the personal information of Québec residents must comply with the province’s privacy framework that came into effect on September 22, 2023.

Twelve (12) new requirements stem from the Act respecting the protection of personal information in the private sector (“PPIPS”), adopted in September 2021.

The law is being implemented progressively in three waves over a three-year period:
September 2022
September 2023
September 2024

In addition to the first set that came into effect in September 2022, the latest changes to Québec’s private sector privacy regime include:

• The need to create “clear and simple” personal information collection policies;
• The need to conduct privacy impact analyses in certain circumstances, such as when personal information is communicated outside of the province;
• Requirements for data processing agreements; (The CRIC data privacy toolkit for members only includes a template for data processing agreement)
• New consent rules (see below);
• New rules for dealing with minors including the need for the consent of a responsible adult before collecting information on a minor under the age of 14 (CRIC requires this for research with children under the age of 16);
• New rights that allow individuals to withdraw consent or be de-indexed; and
• New financial penalties.

The Commission d’accès à l’information du Québec (CAI) has recently published a guideline on the criteria for obtaining valid consent (French Only).  The guidelines identifies the following eight criteria:

• Clear – Consent must be obvious that it reflect the true intention of the data subject.
• Free – Consent must be voluntary and without pressure. Data subject must be able to withdraw consent anytime.
• Informed – The data subject must be aware of what they are consenting to.
• Specific – The purpose for using information must be as clear as possible.
• Granular – Data subject must be able to consent separately for each purpose that their personal information will be used
• Understandable – Consent must be requested using simple and clear language.
• Temporary – Consent must be for a limited period – to accomplish the purpose for which it is collected.
• Presented separately – Requests for consent must be separated from other information such as terms of use, privacy policy, etc.

The final set of requirements that will introduce data portability rules will come into effect in September of 2024.

PPIPS – which applies to all organizations headquartered in Quebec or which hold personal information of Quebec residents – is closely aligned with the European Union’s GDPR and is considered the most rigorous privacy framework in Canada.

The federal government has since followed suit and tabled an equivalent bill (Bill C-27) which is currently in the House of Commons for review.

Additional information on PPIPS and the new requirements can be found at:
• Copy of the Act
• Guideline for Obtaining Valid Consent (French)
• Provincial Guide on the new requirements (French)
• Summary Analysis by Stikeman Elliott (publicly available)
• Commission d’accès à l’information du Quebec pour chercheurs