Canada Reforms Its Data Privacy Laws Through Enactment of Quebec Bill 64
In September 2021, Quebec Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, was unanimously adopted by lawmakers in the province. With a three-year phased implementation beginning on September 22, 2022, the new Quebec law aims to reform privacy law in Canada by amending existing privacy statutes and adding requirements for public bodies and private enterprises that handle personal information, with a focus on accountability in its use. Like the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and the General Data Protection Regulation (GDPR), Quebec Bill 64 imposes numerous additional requirements, such as privacy impact assessments, clarified rules for obtaining consent, and individual privacy rights in the public and private sectors.
While several Canadian provinces are considering reforming their privacy laws, there have been no discussions of reform at the federal level. As more provinces begin to reform their privacy laws, however, federal reform may soon follow.
Quebec Bill 64 amends and clarifies the following, among others:
Effective on September 22, 2022:
- Breach Reporting. Organizations must notify the Commission d’accès à l’information (CAI) and individuals regarding “confidentiality incidents” or unauthorized access to personal information that present a “risk of serious injury” to the individual, which is evaluated under the “real risk of significant harm” factors in PIPEDA. Organizations must also keep a register of all breaches, which must be sent to the CAI upon request. A government regulation may determine the content of the register.
- Data Protection Officer. Organizations must designate an employee responsible for complying with data privacy laws and publish the name, title, and contact information of the individual on their website.
Effective on September 22, 2023:
- Individual Rights. Individuals will have a right to demand de-indexing and data portability from organizations. Similar to the “right to be forgotten” under the GDPR, the right to de-indexing allows individuals to ask organizations to stop distributing their personal information or to remove hyperlinks that provide access, by technological means, to information attached to the individual’s name. Individuals will also have the right to rectify any information that is incorrect, incomplete, or equivocal. Requests for access or rectification must be answered in writing within 30 days.
- Automated Decision-Making. When firms rely on automated decision-making, individuals have a right to access their personal information in a structured, commonly used technological format or to require that it be released to a third party.
- Public Disclosures and Notices. Organizations must now publish governance rules on their website regarding personal information. Policies and practices must provide the framework for how the organization keeps and destroys information, define the roles and responsibilities of the members of its personnel throughout the life cycle of the information, and provide website visitors with a process for dealing with complaints regarding protection of information. Further, those that collect personal information using technological means must also publish and disseminate a confidentiality policy.
- Privacy Impact Assessments (PIAs). Firms must conduct an assessment of privacy-related factors for “any information system or electronic service delivery project involving the collection, use, communication, keeping or destruction of personal information.” This applies to third-party subcontractors who collect, use, or keep information on their behalf.
- Consent and Disclosures. To be effective, consent must be clear, free, and informed and for a specified purpose. Before personal information is collected, used, or released, organizations must request consent separately from any other information provided to the individual. At the time of collection, organizations must provide information about the purpose for collection, the categories of persons who have access to the information, the means used for collection, the duration of time that the information will be kept, and the individuals’ rights related to the information. Assistance must be given to help individuals understand the scope of the requested consent.
- Enforcement. The CAI now has the power to issue administrative monetary penalties. For individuals, the penalty may be no more than CAD $50,000. In all other cases, the maximum amount is CAD $10 million or, if greater, 2% of global revenue for the preceding fiscal year. For penal offenses, the CAI may issue a maximum fine of CAD $100,000 for individuals and CAD $25 million or 4% of global revenue for organizations.
- Senior Management Responsibility. Management is responsible for ensuring implementation and compliance but may delegate all or part of that responsibility in writing to other personnel. The title and contact information of the person in charge of the protection of personal information must be available on the organization’s website.
- Anonymization. Information is anonymized when it irreversibly ceases to allow a person to be identified.
- Cross-border flows of data. The law imposes restrictive and onerous requirements on the flow of data outside of Quebec and on transfers to third-party processors. PIAs must be conducted before personal information is released outside of Quebec.
- Subcontractors. The provisions apply to an organization’s third-party contractors.
- Privacy by default. Organizations must configure individuals’ privacy settings for products or services to offer the highest level of confidentiality and privacy.
Effective on September 22, 2024:
- Portability. Organizations will be required to provide individuals with personal information collected about them in a structured and commonly used technological format.
Quebec Bill 64 offers a preview of how data privacy legislation is likely to be reformed across the globe as jurisdictions revisit previously enacted privacy laws to ensure that protections and obligations keep pace with current processing practices and the associated risks. Following the example and frameworks established by the GDPR, Quebec’s new law reforms its privacy framework to meet the growing demands of the field of data privacy and protection.
For more information on this new law, contact the authors of this post.