Publications

Quebec recently enacted Bill 96, entitled An Act respecting French, the official and common language of Québec, which aims to overhaul the Charter of the French language. Here are 10 key changes in this law that will impose significant obligations on businesses: As of June 1, 2025, businesses employing more than 25 people (currently the threshold is 50 people) for at least six months will be required to comply with various “francization”1 obligations. Businesses with between 25 and 99 employees may also be ordered by the Office québécois de la langue française (the OQLF)2 to form a francization committee. In addition, at the request of the OQLF, businesses may have to provide a francization program for review within three months. As of June 1, 2025, only trademarks registered in a language other than French (and for which no French version has been filed or registered) will be accepted as an exception to the general principle that trademarks must be translated into French. Unregistered trademarks that are not in French must be accompanied by their French equivalent. The rule is the same for products as well as their labelling and packaging; any writing must be in French. The French text may be accompanied by a translation or translations, but no text in another language may be given greater prominence than the text in French or be made available on more favourable terms. However, as of June 1, 2025, generic or descriptive terms included in a trademark registered in a language other than French (for which no French version has been registered) must be translated into French. In addition, as of June 1, 2025, on public signs and posters visible from outside the premises, (i) French must be markedly predominant (rather than being sufficiently present) and (ii) the display of trademarks that are not in French (for which no French version has been registered) will be limited to registered trademarks. As of June 1, 2022, businesses that offer goods or services to consumers must respect their right to be informed and served in French. In the event of breaches of this obligation, consumers have the right to file a complaint with the OQLF or to request an injunction unless the business has fewer than five employees. In addition, any legal person or company that provides services to the civil administration3 will be required to provide these services in French, including when the services are intended for the public. As of June 1, 2022, subject to certain criteria provided for in the bill, employers are required to draw up the following written documents in French: individual employment contracts4 and communications addressed to a worker or to an association of workers, including communications following the end of the employment relationship with an employee. In addition, other documents such as job application forms, documents relating to working conditions and training documents must be made available in French.5 As of June 1, 2022, employers who wish to require employees to have a certain level of proficiency in a language other than French in order to obtain a position must demonstrate that this requirement is necessary for the performance of the duties related to the position, that it is impossible to proceed using internal resources and that they have made efforts to limit the number of positions in their company requiring knowledge of a language other than French as much as possible. As of June 1, 2023, parties wishing to enter into a consumer contract in a language other than French, or, subject to various exceptions,6 a contract of adhesion that is not a consumer contract, must have received a French version of the contract before agreeing to it. Otherwise, a party can demand that the contract be cancelled without it being necessary to prove harm. As of June 1, 2023, the civil administration will be prohibited from entering into a contract with or granting a subsidy to a business that employs 25 or more people and that does not comply with the following obligations on the use of the French language: obtaining a certificate of registration, sending the OQLF an analysis of the language situation in the business within the time prescribed, or obtaining an attestation of implementation of a francization program or a francization certificate, depending on the case. As of June 1, 2023, all contracts and agreements entered into by the civil administration, as well as all written documents sent to an agency of the civil administration by a legal person or by a business to obtain a permit, an authorization or a subsidy or other form of financial assistance must be drawn up exclusively in French. As of September 1, 2022, a certified French translation must be attached to motions and other pleadings drawn up in English that emanate from a business or legal person that is a party to a pleading in Quebec. The legal person will bear the translation costs. The application of the provisions imposing this obligation has, however, been suspended for the time being by the Superior Court.7 As of September 1, 2022, registrations in the Register of Personal and Movable Real Rights and in the Land Registry Office, in particular registrations of securities, deeds of sale, leases and various other rights, must be made in French. Note that declarations of co-ownership must be filed at the Land Registry Office in French as of June 1, 2022. The lawyers at Lavery know Quebec’s language laws and can help you understand the impact of Bill 96 on your business, as well as inform you of the steps to take to meet these new obligations. Please do not hesitate to contact one of the Lavery team members named in this article for assistance. We invite you to consult the other articles concerning the modifications made to Quebec’s Charter of the French language: Trademarks and Charter of the French language: What can you expect from Bill 96? Amendments to the Charter of the French Language: Impacts on the Insurance Sector “Francization” refers to a process established by the Charter of the French language to ensure the generalized use of French in businesses. The OQLF is the regulatory body responsible for enforcing the Charter of the French language. The civil administration in this law includes any public body in the broad sense of the term. An employee who signed an individual employment contract before June 1, 2022, will have until June 1, 2023, to ask their employer to provide them with a French translation if the employee so wishes. If the individual employment contract is a fixed-term employment contract that ends before June 1, 2024, the employer is not obliged to have it translated into French at the request of the employee. Employers have until June 1, 2023, to have job application forms, documents related to work conditions and training documents translated into French if these are not already available to employees in French. Among these exceptions are employment contracts, loan contracts and contracts used in “relations with persons outside Quebec.” There seems to be a contradiction in the law with regard to individual employment contracts which are contracts of adhesion and for which the obligation to provide a French translation nevertheless seems to apply. Mitchell c. Procureur général du Québec, 2022 QCCS 2983.

Bill 64, also known as the Act to modernize legislative provisions as regards the protection of personal information, was adopted on September 21, 2021, by the National Assembly of Québec. This new bill amends some 20 laws relating to the protection of personal information, including the Act respecting Access to documents held by public bodies and the Protection of personal information ("Access Act"), the Act respecting the protection of personal information in the private sector (“ARPIPS”) and the Act to establish a legal framework for information technology (“AELFIT”). While these changes will affect both public bodies and private businesses, this article focuses exclusively on the new requirements for public bodies covered by the Access Act.  We have prepared an amended version of the Access Act in order to reflect the exact changes brought about by Bill 64. 1. Strengthening consent mechanisms and increasing individual control over personal information By way of Bill 64, some important changes were made to the notion of consent when disclosing personal information to public bodies. From now on, any time an individual’s consent is required by the Access Act, public bodies must ensure that the concerned individual’s consent is given separately from any other disclosed information (s. 53.1). Furthermore, any consent to the collection of sensitive personal information (e.g., health or financial information that gives rise to a reasonable expectation of privacy) will have to be expressly obtained from the data subject (s. 59). The amended Access Act now also provides that minors under the age of 14 must have a parent or a guardian consent to the collection of their personal information. For minors over the age of 14, consent can be given either directly by the minor or by their parent or guardian (s. 53.1). The right to data portability is one of the new rights enforced by Bill 64. These added provisions to the Access Act allow data subjects to obtain data that a public body holds on them in a structured and commonly used technological format and to demand that this data be released to a third party (s. 84). Whenever a public body renders a decision based exclusively on automated processing of personal information, the affected individual must be informed of this process. If the decision produces legal effects or otherwise affects the individual concerned, upon request, the public body must also disclose to the individual (i) the personal information used in reaching the decision, (ii) the reasons and main factors leading to the decision, and (iii) the individual’s right to have this personal information rectified (s. 65.2).  Furthermore, public bodies that use technology to identify, locate or profile an individual must now inform the affected individual of the use of such technology and the means that are available to them in order to disable such functions (s. 65.0.1). 2. New personal data protection mechanisms Public bodies will now be required to conduct a privacy impact assessment whenever they seek to implement or update any information system that involves the collection, use, disclosure, retention or destruction of personal data (s. 63.5). This obligation will effectively compel public bodies to consider the privacy and personal information protection risks involved in a certain project at its outset. In fact, the Access Act now states that every public body must create an access to information committee, whose responsibilities will include offering their observations in such circumstances. 3. Promoting transparency and accountability for public bodies The changes brought about by Bill 64 also aim to increase the transparency of processes employed by public bodies in collecting and using personal data, as well as placing an emphasis on accountability. As such, public bodies will now have to publish on their websites the rules that govern their handling of personal data in clear and simple language (s. 63.3). These rules may take the form of a policy, directive or guide and must set out the various responsibilities of staff members with respect to personal information. Training and awareness programs for staff should also be listed. Any public body that collects personal information through technological means will likewise be required to publish a privacy policy on their website. The policy will have to be drafted in clear and simple language (s. 63.4). The government may eventually adopt regulations to specify the required content of such privacy policies. Moving forward, public bodies will also have to inform data subjects of any personal data transfer outside of the province of Quebec (s. 65). Any such transfer will also need to undergo a privacy impact assessment, which will include an analysis of the legal framework applicable in the State where the personal information will be transferred (s. 70.1). Furthermore, any transfer of personal data outside of Quebec must be subject to a written agreement that takes into account, in particular, the results of the privacy impact assessment and, if applicable, the agreed-upon terms to mitigate the risks identified in the assessment (s. 70.1). A public body that wishes to entrust a person or body outside of Quebec with the task of collecting, using, communicating or retaining personal information on its behalf will have to undertake a similar exercise (s. 70.1 (3)). 4. Managing confidentiality incidents Where a public body has reason to believe that a confidentiality incident (which is defined in Bill 64 as the access, use, disclosure or loss of personal information) has occurred, public bodies will be required to take reasonable steps to mitigate the injury caused to the affected individuals and to reduce the risk of further confidentiality incidents occurring in the future (s. 63.7). In addition, where the confidentiality incident poses a risk of serious harm to the affected individuals, these individuals and the Commission d’accès à l’information (“CAI”) must be notified (unless doing so would interfere with an investigation to prevent, detect or suppress crime or violations of law) (s. 63.7). Public bodies must now also keep a register of confidentiality incidents (s. 63.10), a copy of which must be sent to the CAI upon request. 5. Increased powers for the CAI Bill 64 also grants the CAI an arsenal of new powers aiming to ensure that public bodies, as well as private companies, comply with privacy laws. For example, in the event of a confidentiality incident, the CAI may order any public body to take appropriate action to protect the rights of affected individuals, after allowing the public body to make representations (s. 127.2). Furthermore, the CAI now has the power to impose substantial administrative monetary penalties, the value of which may reach up to $150,000 for public bodies (s. 159). In the event of repeat offences, fines will be doubled (s. 164.1). 6. Coming into force The amendments made by Bill 64 will come into force in several stages. Most of the new provisions of the Access Act [DM1] will come into force two years after the date of assent, which was granted on September 22, 2021. However, some specific provisions will take effect one year after that date, including: The requirements regarding actions to be taken in response to confidentiality incidents (s. 63.7) and the powers of the CAI upon disclosure by an organization of a confidentiality incident (s. 137.2); and The exception to disclosure without consent for research purposes (s. 67.2.1). Conclusion The clock is now ticking for public bodies to implement the necessary changes in order to comply with the new privacy requirements outlined in Bill 64, which received official assent on September 22, 2021. We invite you to consult our privacy specialists to help ensure proper compliance with the new requirements of the updated Access Act. The Lavery team would be more than pleased to answer any questions you may have regarding the upcoming changes and the potential impacts on your org

Bill 64, also known as the Act to modernize legislative provisions respecting the protection of personal information, was adopted on September 21, 2021, by the National Assembly of Québec. It amends some 20 laws relating to the protection of personal information, including the Act respecting access to documents held by public bodies ("Access Act"), the Act respecting the protection of personal information in the private sector ("Private Sector Act") and the Act respecting the legal framework for information technology. While the changes will affect both public bodies and private businesses, this publication will focus on providing an overview of the new requirements for private businesses covered by the Private Sector Act. We have prepared an amended version of the Private Sector Act in order to reflect the exact changes brought about by Bill 64. Essentially, the amended Private Sector Act aims to give individuals greater control over their personal information and promote the protection of personal information by making businesses more accountable and introducing new mechanisms to ensure compliance with Québec’s privacy rules. The following is a summary of the main amendments adopted by the legislator and the new requirements imposed on businesses in this area. It is important to note that, for the most part, the new privacy regime will come into effect in two years. 1. Increasing transparency and individual control over personal information The new Private Sector Act establishes the right of individuals to access information about themselves collected by businesses in a structured and commonly used technological format. Data subjects will now also be able to require a business to disclose such information to a third party, as long as the information was not “created or inferred” by the business (s. 27). This right is commonly referred to as the “right to data portability.” Businesses now have an obligation to destroy personal information once the purposes for which it was collected or used have been fulfilled. Alternatively, businesses may anonymize personal information in accordance with generally accepted best practices in order to use it for meaningful and legitimate purposes (s. 23). However, it is important that the identity of concerned individuals can never again be inferred from the retained information. This is a significant change for private businesses which, under the current law, can still retain personal information that has lapsed. In addition, Bill 64 provides individuals with a right to “de-indexation.” In other words, businesses will now have to de-index any hyperlink that leads to an individual’s personal information where dissemination of such personal information goes against the law or a court order (s. 28.1). Additionally, whenever a business uses personal information to render a decision based exclusively on an automated processing of such information, it must inform the concerned individual of the process at the latest when the decision is made (s. 12.1). The individual must likewise be made aware of their right to have the information rectified (s. 12.1). Bill 64 provides that the release and use of nominative lists by a private company for commercial or philanthropic prospecting purposes are now subject to the consent of concerned data subjects. Furthermore, in an effort to increase transparency, businesses will now be required to publish their rules of governance with respect to personal information in simple and clear terms on their website (s. 3.2). These rules may take the form of a policy, directive or guide and must, among other things, set out the various responsibilities of staff members with respect to personal information. In addition, businesses that collect personal information through technology will also be required to adopt and publish a privacy policy in plain language on their website when they collect personal information (s. 8.2). The amended Private Sector Act further provides that businesses that refuse access to information requests, in addition to giving reasons for their refusal and indicating the relevant sections of the Act, must now assist applicants in understanding why their request was denied when asked to (s. 34). 2. Promoting privacy and corporate accountability Bill 64 aims to make businesses more accountable for the protection of personal information, as exemplified by the new requirement for businesses to appoint a Chief Privacy Officer within their organization. By default, the role will fall upon the most senior person in the organization (s. 3.1). In addition, businesses will be required to conduct privacy impact assessments (“PIA”) for any information system acquisition, development or redesign project involving the collection, use, disclosure, retention or destruction of personal information (s. 3.3). This obligation forces businesses to consider the privacy and personal information protection risks involved in a project at its outset. The PIA must be proportionate to the sensitivity of the information involved, the purpose for which it is to be used, its quantity, distribution and medium (s. 3.3). Businesses will likewise be required to conduct a PIA when they intend to disclose personal information outside Québec. In these cases, the purpose of the PIA will be to determine whether the information will be adequately protected in accordance with generally accepted privacy principles (s. 17). The extra-provincial release of personal information must also be subject to a written agreement that takes into account, among other things, the results of the PIA and, if applicable, the terms and conditions agreed to in order to mitigate identified risks (s. 17(2)). The disclosure of personal information by businesses for study, research or statistical purposes is also subject to a PIA (s. 21). The law is substantially modified in this regard, in that a third party wishing to use personal information for such purposes must submit a written request to the Commission d'accès à l'information (“CAI”), attach a detailed description of their research activities and disclose a list of all persons and organizations to which it has made similar requests (s. 21.01.1 and 21.01.02). Businesses may also disclose personal information to a third party, without the consent of the individual, in the course of performing a service or for the purposes of a business contract. The mandate must be set out in a written contract, which must include the privacy safeguards to be followed by the agent or service provider (s. 18.3). The release of personal information without the consent of concerned individuals as part of a commercial transaction between private companies is subject to certain specific requirements (s. 18.4). The amended Private Sector Act now defines a business transaction as “the sale or lease of all or part of an enterprise or its assets, a change in its legal structure by merger or otherwise, the obtaining of a loan or other form of financing by it, or the taking of a security interest to secure an obligation of the enterprise” (s. 18.4). Bill 64 enshrines the concept of “privacy by default,” which means that businesses that collect personal information by offering a technological product or service to the public with various privacy settings must ensure that these settings provide the highest level of privacy by default, without any intervention on behalf of their users (s. 9.1). This does not apply to cookies. Where a business has reason to believe that a privacy incident has occurred, it must take reasonable steps to reduce the risk of harm and the reoccurrence of similar incidents (s. 3.5). A privacy incident is defined as “the access, use, disclosure or loss of personal information” (s. 3.6). In addition, businesses are required to notify concerned individuals and the CAI for each incident that presents a serious risk of harm, which is assessed in light of the sensitivity of the concerned information, the apprehended consequences of its use and the likelihood that it will be used for a harmful purpose (s. 3.7). Companies will furthermore be required to keep a confidentiality incident log that must be made available to the CAI upon request (s. 3.8). 3. Strengthening the consent regime Bill 64 modifies the Private Sector Act to ensure that any consent provided for in the Act is clear, free and informed and given for specific purposes. This means that consent must be requested for each of the purposes of the collection, in simple and clear terms and in a clearly distinct manner, to avoid consent being obtained through complex terms of use that are difficult for individuals to understand (art. 14). The amended Private Sector Act now provides that minors under the age of 14 must have a parent or a guardian consent to the collection of their personal information. For minors over the age of 14, consent can be given either directly by the minor or by their parent or guardian (s. 14). Within an organization, consent to the disclosure of sensitive personal information (e.g., health or other intimate information) must be expressly given by individuals (s. 12). 4. Ensuring better compliance The Private Sector Act has likewise been amended by adding new mechanisms to ensure that businesses subject to the Private Sector Act comply with its requirements. Firstly, the CAI is given the power to impose hefty dissuasive administrative monetary penalties on offenders, which can be as high as $10,000,000 or 2% of the company's worldwide turnover (s. 90.12). In the event of a repeat offence, the fine will be doubled (s. 92.1). In addition, when a confidentiality incident occurs within a company, the CAI may order it to take measures to protect the rights of affected individuals, after allowing the company to make observations (s. 81.3). Secondly, new criminal offences are added to the Private Sector Act, which may also lead to the imposition of severe fines. For offending companies, such fines can reach up to $25,000,000 or 4% of their worldwide turnover (s. 91). Finally, Bill 64 creates a new private right of action. Essentially, it provides that when an unlawful infringement of a right conferred by the Private Sector Act or by articles 35 to 40 of the Civil Code of Québec results in prejudice and the infringement is intentional or the result of gross negligence, the courts may award punitive damages of at least $1,000 (s. 93.1). 5. Coming into force The amendments made by Bill 64 will come into force in several stages. Most of the new provisions of the Private Sector Act will come into force two years after the date of assent, which was granted on September 22, 2021. However, some specific provisions will take effect one year after that date, including: The requirement for businesses to designate a Chief Privacy Officer (s. 3.1); The obligation to report privacy incidents (s. 3.5 to 3.8); The exception for disclosure of personal information in the course of a commercial transaction (s. 18.4); and The exception to disclosure of personal information for study or research purposes (s. 21 to 21.0.2). Finally, the provision enshrining the right to portability of personal information (s. 27) will come into force three years after the date of official assent. The Lavery team would be more than pleased to answer any questions you may have regarding the upcoming changes and the potential impact of Bill 64 on your business. The information and comments contained in this document do not constitute legal advice. They are intended solely for the use of the reader, who assumes full responsibility for its content, for their own purposes.

The United States and the European Union recently concluded a new agreement aimed at allowing U.S. companies to continue to collect, use and disclose personal information concerning European citizens, while still preserving their fundamental rights. To properly understand the importance of this new agreement, one must be aware that the Court of Justice of the European Union, in a decision rendered on October 6, 2015, had declared invalid the previous data sharing framework, known as "Safe Harbour", which governed the holding of personal information regarding European nationals by numerous American companies, including Web giants such as Facebook and Google. This transnational agreement provided for a self-certification mechanism for U.S. companies by which they undertook to abide by a certain number of guiding principles applicable in the European Economic Area (EEA), pursuant to which these companies could obtain the authorization to collect and store personal information originating from the European Union. Such an agreement was necessary to allow U.S. companies to hold personal information about European citizens because the legislative framework applicable in the United States does not offer "an adequate level of protection" for personal information as compared with that required by European authorities. However, in the wake of the revelations by Edward Snowden regarding the mass surveillance by U.S. authorities of the computer data of several large corporations, an Austrian citizen, Maximillian Schrems, sought and obtained the invalidation by the Court of Justice of the European Union of the Safe Harbour Agreement.1 The Court held that the “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life”. While this decision was, in principle, supposed to apply immediately, the Data Protection Working Party (known as the “WP29”) — an independent European advisory board on data protection and privacy — urged the European institutions and the U.S. government to act by January 31, 2016 to agree to an alternative solution. It was in this context that the European Commission made the highly anticipated announcement, on February 2, 2016, of a new agreement in principle with the United States, dubbed the "Privacy Shield". The details of this agreement have not yet been disclosed, but we already know that this new mechanism will entail stricter obligations and tighter control of U.S. companies that deal with information of a personal nature originating from the European Union. Furthermore, access by U.S. authorities to this information is expected to be more closely regulated and more transparent. While, in theory, this agreement does not directly affect Canadian companies that collect, use or disclose personal information regarding European citizens, any such companies having an American subsidiary or a place of business in the United States and which collect personal information from Europe, as well as Canadian companies mandating third parties located in the United States with tasks that require the communication of personal information on European nationals, e.g. for hosting purposes, would be well advised to ensure they comply with the conditions of this new agreement when it takes effect. Stay tuned for more updates.   Schrems v. Data Protection Commissioner, 2000/520/CE, Court of Justice of the European Union, 6 Octobre 2015.

In December 2010, the federal Parliament passed the Act to Promote the Efficiency and Adaptability of the Canadian Economy by Regulating Certain Activities1 that Discourage Reliance on Electronic Means of Carrying out Commercial Activities, better known as the “Canada’s Anti Spam Legislation” (CASL or the “Act”). The purpose of the Act is mainly to protect Canadian consumers and businesses against unsolicited spam messages, false or misleading commercial representations, malicious software and other electronic threats. It is scheduled to come into force on July 1, 2014. The new regime is based on a opt-in mechanism rather than through exclusion. As such, after July 1st, sending a commercial electronic message will be prohibited unless the recipient has consented to receiving it. Canadian businesses using electronic mail or social networks to inform and solicit customers will therefore have to review their practices in order to comply with the law, failing which they will be liable to administrative penalties and civil suits. However, transition measures are provided to give businesses time to adjust their practices.The definition of “commercial electronic message” within the meaning of the Act is wide and covers all electronic messages, including text messages (commonly called SMS), sound, vocal or visual messages in respect of which it is reasonable to conclude that their purpose is to encourage participation in a commercial activity. For instance, an electronic message which promotes an offer to purchase, sell or rent a product or a service constitutes a commercial electronic message covered under the Act. Such is also the case for an electronic message promoting a person as a purchaser, seller or renter of a product or service or involved in the areas of business, investment or gaming.Since non commercial activities are not covered under the Act, it must be noted that political parties, charitable organizations and corporations conducting market studies or surveys are generally not covered under the Act, unless their electronic messages are related to the sale or promotion of a product.Furthermore, the Act provides for many exceptions, such as messages sent between persons having a personal or family relationship or commercial electronic messages responding to a recipient who requested information on prices or estimates for the provision or delivery of goods, products or services.For the time being, the prohibition does not cover verbal communications by phone, which are currently governed by the Telecommunications Act2, particularly through the National Do Not Call List. However, this exception may be revoked by order-in-council if the government deems it appropriate.EXPRESS OR IMPLIED CONSENT OF THE RECIPIENTThe required consent for sending a commercial electronic message may be express or implied. The situations where the sender of such a message may rely on the implied consent of the recipient are set out in the Act. For instance, the Act provides that there is implied consent where the sender and the recipient have or had an ongoing business relationship within the two years preceding the date the message is sent. The same applies where the recipient asked the sender about products, goods or services during a 6-month period preceding the date of the message.The consent of the recipient is also implied if he or she has conspicuously published his or her electronic address without adding a statement whereby the recipient does not wish to receive unsolicited commercial electronic messages, to the extent that the message is relevant to the recipient’s employment or business or functions in such business.The consent is also implied where the recipient communicated his or her electronic address to the sender without indicating that he or she does not wish to receive unsolicited commercial electronic messages, again to the extent that the message is relevant to the recipient’s employment or business or functions in such business.Lastly, the existence of private relationships between the sender and the recipient within the two-year period immediately before the day on which the message is sent also allows for inferring the implied consent of the recipient to a commercial electronic message being sent in the cases provided in the Act.In all other cases where the Act does allow for inferring an implied consent, the express consent of the recipient is required for sending a commercial electronic message. Such consent is not presumed and the burden of proof lies with the sender.To obtain this consent, the sender must set out clearly and simply the purposes for which the consent is being sought and also the information that identifies the person seeking consent (or if the person is seeking consent on behalf of another person, information that identifies that other person). The scope of information which is required to be provided to identify the person seeking consent is set out in the regulations.It is important to note that after July 1st, a request for consent will in itself constitute a commercial electronic message. It will therefore not be possible to request such consent using an electronic mean, subject to certain exceptions.MECHANISM FOR WITHDRAWING CONSENT AND FORM OF COMMERCIAL ELECTRONIC MESSAGESThe Act provides that any person sending a commercial electronic message to another person must implement an unsubscribe mechanism allowing the recipient to withdraw his or her consent to receive commercial electronic messages from that sender. The sender must allow the recipient to express his or her will by electronic means, either by electronic mail or through a website, without cost and at any time. The sender must give effect to any withdrawal within a 10-day period.The description of this withdrawal mechanism must appear in the commercial electronic message which must, in addition, include information that identifies the person who sends the message or, if the message is sent on behalf of another person, the information that identifies the person who sends the message and the person on whose behalf it is sent. The commercial electronic message must also indicate the postal address and either the phone number to reach a service agent or a voicemail service, or the electronic mail address or the address of the website of the person who sends the message or, if applicable, the address of the website of the person on whose behalf it is sent.If it is practically impossible to include this information and the withdrawal mechanism in the commercial electronic message, they may be posted on an easily accessible web page without charge to the recipient through a link indicated clearly and prominently in the message.ADMINISTRATIVE PENALTIES AND PRIVATE RIGHT OF ACTIONThe Act provides for severe penalties for persons who fail to comply with its provisions. Contraveners are liable to administrative monetary penalties of up to $1,000,000 in the case of an individual, and $10,000,000 in the case of any other person.Furthermore, the existence of a private right of action against the sender of an unsolicited commercial electronic message constitutes a crucial point of this new regime. The Act allows any person suffering a loss or harm as a result of non-compliance with the provisions of the Act by the sender of a commercial electronic message to apply to a court of competent jurisdiction for a judgment ordering the sender to pay him or her the amount of such damages, plus liquidated damages of up to $1,000,000. For instance, the recipients of a spam message who suffer damages after relying on misleading information found therein may institute a class action to pursue their common claims on the basis of this new Act.CONCLUSIONUnsolicited electronic messages are a nuisance which warrant action. Canada is the only G8 jurisdiction which had not yet taken specific measures to regulate or prohibit spam messages. However, the obligation to obtain the consent of the recipients of commercial electronic messages, who in most cases have nothing to do with the spam messages, will constitute a difficult and costly burden for many businesses.It is therefore important that businesses review their electronic mailing lists to ensure that they comply with the provisions of the Act, namely, that the persons whose names are included have given their express consent to receive commercial electronic messages from the businesses or that the businesses can rely on the implied consent of such persons, failing which the businesses will have to obtain adequate consents. Again, contravening businesses will be liable to substantial penalties and claims which may exponentially increase through class actions involving hundreds if not thousands of recipients who allege that they suffered damages._________________________________________1 S.C. 2010, c. 23.2 S.C. 1993, c. 38.

The New Federal Law on the Protection of Personal Information: To Whom does it Apply and as of When?

The confidentiality of expert medical reports challenged by the Commission d'accès à l'information