A majority of the updates to Québec's private sector privacy law in Law 25, also known as Bill 64, An Act to modernize legislative provisions as regards the protection of personal information (Bill 64), will come into force on September 22, 2023. Some provisions will come into effect on September 22, 2022. We have outlined a few of the significant upcoming changes below.
Québec joins the growing jurisdictions requiring organizations ("persons carrying on an enterprise") to report breaches. Bill 64 references "confidentiality incidents," which are unauthorized access, use or communication of personal information, the loss of personal information or any other breach of the protection of such information. This is similar in concept to a breach of "security safeguards" articulated in the Personal Information Protection and Electronic Documents Act, (PIPEDA).
Regardless of the significance of the incident, an organization must take reasonable steps to reduce the risk of injury and to prevent similar incidents. There are also record keeping requirements for all confidentiality incidents.
Notification and reporting requirements will arise if the incident presents a "risk of serious injury," which is determined by considering the sensitivity of the information, the anticipated consequences of its use, and the likelihood that the information will be used for injurious purposes. This test may be similar to the "real risk of significant harm" standard in other laws; however, it may be interpreted more narrowly based on a greater focus on the likelihood of harm.
Presently, draft regulations set out the requirements for individual notices and reports to the Commission, as well as the organization's incident register retention requirements.
Default and Designation of a Privacy Officer
In the absence of the written delegation of authority to a privacy officer, the individual with the highest authority in the organization will be responsible for ensuring implementation of and compliance with the Act Respecting the Protection of Personal Information.
Organizations are required to publish the privacy officer's title and contact information on the organization's website, or make it available by any other appropriate means in the absence of a website.
Reporting Biometric Uses and Databases
Québec's privacy laws already address biometrics more specifically than other Canadian legislation. Biometrics can include physical traits, like eyes, face shape and fingerprints, and behaviours, like voice and keystrokes, as well as biological characteristics, like blood and saliva.
Now, organizations will be required to provide information to the Commission about the creation of a database of biometric characteristics and measurements at least sixty (60) days before the database is used. Organizations must also notify the Commission before beginning to verify or confirm a person's identity using biometric means.
Formal Agreements required to Share Personal Information in a Commercial Transaction
Québec will be aligned with other private sector laws in Canada permitting disclosure of personal information for the purposes of a "business transaction" such as a merger, acquisition or sale of a substantial aspect of the business. Consent of the individuals involved will not be required as long as the organizations meet certain requirements, including having an agreement to limit use and safeguard the information. If the transaction is completed, the individuals must be notified of the transfer of their personal information.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.