On September 22, 2021, Bill 64, An Act to modernize legislative provisions as regards the protection of personal information (the "Privacy Modernization Act" or the "Amended Act") received royal assent.1 The Privacy Modernization Act updates Québec's Act respecting the protection of personal information in the private sector (the "Act")2 to fit the modern era of data protection and keep pace with international privacy developments (the "amendments").
Notably, the amendments provide for enhanced enforcement mechanisms, including administrative monetary penalties, a private right of action for individuals, and fines of up to $25 million for organizations that fail to comply with the Act.
While we have already provided a substantive bulletin on how the Privacy Modernization Act will transform the Act, this bulletin provides a checklist of key action items as the legislation comes into force over the next three years.
Does the Act Apply to My Organization?
Québec's privacy regulator, the Commission d'accès à l'information (the "CAI"), has taken an expansive view of how the Act applies. If an organization collects, uses or discloses personal information ("PI") of individuals located within Québec, the Act likely applies to the organization's handling of PI, even if the organization does not have an office, facilities or installations in Québec.3 The Act will also apply concurrently with the Personal Information Protection and Electronic Documents Act ("PIPEDA")4 for federally-regulated organizations, such as banks, railways or airlines, that would normally be subject to PIPEDA.5
Accordingly, any organization that handles PI about individuals in Québec should assess how these amendments will impact its operations and start implementing necessary changes as soon as possible.
By September 22, 2022
Appoint a Privacy Officer (if you do not already have one).
- Appoint an individual who will be responsible for ensuring that the organization complies with the obligations imposed by the Amended Act. By default, this responsibility falls on the person with the highest authority in the company (likely the Chief Executive Officer), but it can be delegated, in whole or in part, to any other person (internal or external).
- If applicable, have the person with the highest authority in the company delegate their role in writing to the appointed Privacy Officer.
- Post the title and contact information of the appointed Privacy Officer on your website.
Review and update your data breach response plan.
- As soon as you have reason to believe that a Confidentiality Incident (e.g. a data breach) involving PI in your custody has occurred, take reasonable measures to reduce any risk of harm and to prevent similar incidents.
- Under the Amended Act, a Confidentiality Incident is defined as any access to, use or communication of PI that is not authorized by law, as well as the loss of PI or any other breach of the protection of such information.
- Notify the CAI and any affected individuals if there is risk of serious injury to those individuals.6
- The assessment of whether there is a risk of serious injury must take into account certain factors, including the sensitivity of the information, the anticipated consequences of its use and the likelihood that it will be used for injurious purposes.7 The forthcoming regulations will likely provide details regarding the form and content of the notice. The CAI may also publish helpful guidance in this regard.8
Familiarize yourself with obligations when disclosing PI as part of a commercial transaction.
- Where the disclosure of PI is necessary in order to carry out a commercial transaction (e.g. merger, asset sale or financing), you may disclose such PI to another party involved in the transaction without the concerned person's consent.
- If your company transfers PI to facilitate such a transaction, enter into an agreement that meets certain requirements designed to protect the PI transferred. These requirements are in line with privacy legislation throughout Canada.
By September 22, 2023
- Develop and implement a privacy framework outlining your policies and practices with respect to the organization's use and protection of PI.9 This framework should include a data breach response plan, retention schedules, the roles and responsibilities of the members of the organization's personnel throughout the life cycle of PI and procedures for access requests and handling complaints.
- Publish clear, simple, and detailed information about these policies and practices on your website.10
- If you collect PI through technological means, provide a confidentiality policy that is written in clear and simple language on your website.11
Develop a Privacy Impact Assessment system.
- Carry out Privacy Impact Assessments ("PIAs") for each project involving the acquisition, development or redesign of an information system or electronic service delivery involving PI.12
- Consult your Privacy Officer at the outset of the PIA. Your Privacy Officer may suggest adding protection measures for PI that are relevant in the context of the project.13
- Ensure that the project allows for any computerized PI to be transferred to the individual concerned in a structured, commonly used format (this will also be necessary to comply with the data portability requirement coming into force in 2024).14
- Conduct a PIA before communicating PI outside of Québec. The PIA must take into account certain factors, including the sensitivity of the information, the purposes for which the PI will be used and the legal framework applicable in the foreign jurisdiction to which the information will be communicated.15
- If you communicate PI outside Québec, develop and implement a written agreement that considers the results of the PIA and, if applicable, terms agreed on to mitigate risks identified in the PIA.
- Review the CAI's published guidance on PIAs16 to make sure your PIA system is consistent with the regulator's expectations.
- Consider hiring additional privacy compliance professionals to assist you in conducting PIAs and meeting your obligations under the Amended Act, especially if you are a large organization. Depending on the number of service providers or technological projects you use in the ordinary course of business, this requirement may be quite onerous.
Review/implement contracts with third party service providers.
- The Amended Act does not require consent where information is communicated to a third party (i.e. service provider), to the extent the information is necessary to carry out a mandate or perform a contract of enterprise or for services.17
- If you communicate PI to service providers, you must have a written contract that includes: (i) the measures the service provider must take to protect the confidentiality of the PI communicated, (ii) a requirement that the service provider use the PI only for the purposes of performing the contract, (iii) an obligation for the service provider not to keep the information after the expiry of the contract, (iv) a requirement that the service provider immediately notify your Privacy Officer of any actual or attempted violation of the confidentiality of the PI, and (v) the Privacy Officer's right to verify the service provider's compliance with these protective measures.18
- If the third party/service provider is handling PI outside Québec, a PIA must be conducted (see section above regarding PIAs).19
1 An Act to modernize legislative provisions as regards the protection of personal information, SQ 2021, c 25.
2 Act respecting the protection of personal information in the private sector, CQLR c P-39.1. [Act]
4 D'Allaire c. Transport Robert (Québec) 1973 ltée, 2020 QCCAI 152.
5 Personal Information Protection and Electronic Documents Act, SC 2000, c 5.
8 Act (as amended), section 3.5; the CAI has also developed a dedicated page for guidance on the Privacy Modernization Act: see online.
16 Commission d'accès à l'information du Québec, Guide d'accompagnement Réaliser une évaluation des facteurs relatifs à la vie privée, March 2021, available online.
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2021