While federal attempts to modernize Canadian law, in the form of Bill C-11, is languishing in privacy purgatory, the province of Quebec has completed the first step of its journey to bring its law in close alignment with those of other jurisdictions, including, the European Union's General Data Protection Regulation ("GDPR"). Quebec's Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, received assent on September 22, 2021, with a majority of its provisions coming into force over the next two years.1
The Bill's objectives are to modernize the framework applicable to the protection of personal information in Quebec, alongside providing the regulator meaningful and significant tools to enforce the requirements of the new regime. These tools include the imposition of penalties that will not easily be ignored either by small or large organizations.
Similar to the phased approach of the GDPR, Bill 64 will provide Quebec-based organizations as well as those outside provincial borders two years to prepare for the transition to this new regime. Organizations should take note, however, that some of these changes will come into force in one year. Importantly, this includes provisions relating to mandatory breach notification and the appointment of a Privacy Officer.
Bill 64 not only applies to organizations based in Quebec; it will also apply to any collection of personal information that takes place in Quebec, whether or not the organization is established in the province. In this way, it is not much different than Alberta's Personal Information Protection Act ("PIPA") or Canadian federal privacy law, the Personal Information Protection and Electronic Documents Act ("PIPEDA"). However, Bill 64 may also encroach on federal jurisdiction and apply to businesses in the province that are federally regulated and otherwise subject to PIPEDA.
Changes to Private Sector Legislation
Bill 64 amends a number of different Quebec acts, including Quebec's private sector privacy legislation, the Act respecting the protection of personal information in the private sector (the "Act"). These changes revolve around: requirements for the collection, use, and disclosure of personal information; governance requirements surrounding privacy oversight and breach reporting; and enforcement mechanisms.
Rules for the Collection, Use and Disclosure of Information
The Bill proactively introduces new rules governing the collection, use and disclosure of personal information. It requires organizations who collect personal information in Quebec to:
- obtain meaningful consent, including express consent in some situations;
- where technological means are used to identify, locate or profile individuals, provide additional information in that respect;
- inform individuals when personal information is used to render a decision based exclusively on an automated processing of that information; and
- destroy the personal information once the purpose for its collection is achieved or anonymize it, but only for legitimate purposes
Governance Requirements Surrounding Privacy Oversight and Breach Reporting
In addition to requirements pertaining to the collection, use and disclosure of personal information, there are governance requirements for organizations collecting personal information in Quebec. Some of these requirements come into effect in the next year as opposed to within two years; in particular, the appointment of a Privacy Officer and breach notification obligations.
Within the next year, organizations collecting personal information in Quebec are required to appoint a Privacy Officer who is tasked with ensuring the organization implements and complies with the Act. The Privacy Officer will be deemed the CEO unless the role has been delegated in writing. The Privacy Officer's contact information must be published on the organization's website.
Also within the next year, organizations must report breaches to the regulator, the Commission d'accès à l'information ("CAI"), where the breach poses a risk of serious injury to an individual. Much like the "real risk of significant harm" threshold in PIPA and PIPEDA, Bill 64 provides that the "risk of serious injury" assessment includes the sensitivity of the information concerned, the anticipated consequences of its use, and the likelihood that the information will be used for injurious purposes. Like in PIPEDA, organizations must keep records of breaches.
Policies and Privacy Impact Assessments
Within the next two years, organizations must publish governance rules and, if information is collected by technological means, a confidentiality policy. Bill 64 also requires organizations to conduct privacy impact assessments ("PIAs") of systems that handle personal information and when personal information is transferred across the Quebec border. This will likely be a big task for organizations to undertake.
Organizations will also need to enter into written agreements containing specific provisions with service providers/data processors (i.e. data processing agreements with third parties processing information on behalf of the organization).
Enforcement Mechanisms and Penalties
To ensure compliance with these changes, Bill 64 contains enforcement mechanisms, including: administrative monetary penalties up to $10 million or 2% of worldwide turnover for non-compliance; creating penal offences for contravention of the Act in some circumstances; and, establishing a private right of action for individuals impacted by contravention of the Act.
What to do next?
The first step is to determine whether Bill 64 applies to your organization's data collection and data processing activities. Consider your operations as well as where your data collection activities are taking place.
If it is likely that your organization will be impacted, the next step is to assess its current level of compliance with existing applicable laws, such as PIPEDA, PIPA or the GDPR. In some respects, Bill 64's requirements will already be familiar, such as mandatory breach notification obligations.
Other changes, however, will require businesses to implement processes and documentation procedures that are, to date, not required anywhere under Canadian law. Notably, this includes changes to how consent must be obtained, what types of data are subject to the Act (de-identified data is now caught), as well as conducting PIAs. These changes will have an effect on internal processes and procedures, as well as external-facing privacy policies.
Thirdly, make a plan as to where the gaps are in your organization, how to address them, and what resources are required. Bill 64 will undoubtedly impact an organization's compliance risk assessment and should be discussed at the leadership level.
1. Some provisions will come into force within the next year and a number of other provisions on data portability will come into force in three years.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.