Loi 25 (formerly Bill 64) applies not only to businesses in Quebec but to anyone doing business with Quebecers, so the scope and impact of this new law are wide. Quebec was actually the first province to establish privacy legislation, back in the early 1990s, but the law had little teeth - until now. This new law helps to:
A bill officially becomes law once it receives assent from the Lieutenant-Governor. Bill 64 completed its passage into legislation when it received formal assent on September 22, 2021. At that point it became the Privacy Legislation Modernization Act, though it is still commonly referred to as Bill 64.
Bill 64 is similar to the EU General Data Protection Regulation (GDPR), which came into effect in 2018, but it differs from its European counterpart in one crucial aspect - accountability.
Both the GDPR and Quebec Bill 64 require organizations to appoint a Privacy Officer (DPO) who is responsible for implementation of and compliance with the Act. Their contact information must be published on your website or made available by other means. Bill 64 goes one step further than the GDPR in that it places accountability directly with the CEO or board of directors:
“The person exercising the highest authority within the public body (CEO) shall see to ensuring that this Act is implemented and complied with. Those functions may be delegated in writing to a member of the public body or of its board of directors, as the case may be, or to a member of the management personnel.”
What does this mean exactly?
Bill 64 introduces new enforcement tools and, like the Canadian Anti-Spam Legislation (CASL) that came into force in 2014, carries hefty fines for violations.
New monetary administrative penalties:
- a fine of $5,000 to $100,000 for individuals
- in all other cases, $15,000 to $25,000,000 (or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year)
As of September 22, 2022, breach reporting is mandatory for any “confidentiality incident”. Bill 64 requires both public and private sector entities to notify the Commission d'accès à l’information (CAI) and any persons whose data is affected by a data security incident that "presents a risk of serious injury", and to keep a register of these confidentiality incidents for five years after the date or period when the organization became aware of the incident.
The CAI is expected to continue publishing guidance and insight into compliance over the next three years as provisions gradually come into effect.
Consent is also built into this new law and is considered the keystone of the Private Sector Act. This part comes into effect in September 2023 and requires consent before personal information is collected, used or released. Public bodies and enterprises must request the consent of the person concerned separately from any other information provided to that person, and consent must be given expressly for certain uses or releases of sensitive personal information.
There is also a new rule on processing children’s data: the consent of the person having parental authority must be obtained to collect, use and release personal information concerning a minor under 14 years of age.
Do you currently have personal information of minors under 14 on your servers? Now is the time to find out and obtain the proper consent before it’s too late. This article is informational only; you should seek appropriate advice and support on how the law applies to your business.
Quebec Bill 64 also requires mandatory Privacy Impact Assessments (PIAs) to be completed as of September 22, 2023.
“Organizations must conduct a privacy impact assessment for any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, release, keeping or destruction of personal information.
For the purposes of such an assessment, the public body must consult its committee on access to information and the protection of personal information from the outset of the project.
The public body must also ensure that the project allows computerized personal information collected from the person concerned to be released to him in a structured, commonly used technological format.
The conduct of a privacy impact assessment under this Act must be proportionate to the sensitivity of the information concerned, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored.”
Outsourcing / Data transfers outside Quebec
There are increased requirements on enterprises wishing to transfer personal information outside the province of Quebec. Transfers will be permitted only to jurisdictions offering "adequate protection", assessed as those that "generally recognize principles regarding the protection of personal information."
Before releasing personal information outside Québec, the “public body must conduct an assessment of privacy-related factors. It must, in particular, take into account:
(1) the sensitivity of the information;
(2) the purposes for which it is to be used;
(3) the protection measures that would apply to it; and
(4) the legal framework applicable in the State in which the information would be released.”
Similar to the so-called “right to be forgotten” under Article 17 of the GDPR, Bill 64 includes a “right of erasure” (or right to de-indexing), coming into effect in September 2023, which allows individuals to ask organizations to stop distributing their personal information and to have it erased.
Bill 64 is being rolled out over three years, with the next set of provisions taking effect in September 2023, including:
- The requirement for organizations to establish and implement Data Governance Policies
- Requirements to perform privacy impact assessments (PIAs) for processing activities that involve the collection, use, disclosure, retention, or disposal of personal information; or when disclosing personal information outside of Quebec
- The requirement to inform data subjects about the use of automated decision-making and profiling technologies
- Enhanced consent requirements including clear, free, and informed consent for a specified purpose and timeframe
September 22, 2022
- Appoint a Privacy Officer (if you have not already done so for GDPR).
- Build a comprehensive Data Breach Response Plan
- Familiarize yourself with obligations when disclosing personal information as part of a commercial transaction.
September 22, 2023
- Develop a Privacy Impact Assessment System.
- Review/implement contracts with third party service providers.
- Assess your physical, organizational, and technological safeguards.
- Review your insurance coverage.
- Familiarize yourself with new consent requirements and exceptions.
- Update your consent forms / implement a consent management system.
- Know your transparency obligations (including for tracking and profiling).
- Implement privacy-by-default.
- Review and update your retention schedules.
- Review your data anonymization process (if applicable).
- Prepare notices and explanatory language for automated decision-making.
September 22, 2024
- Ensure your data management systems allow data to be extracted and transferred.
Whether it’s the Canadian Anti-Spam Legislation (CASL), the EU General Data Protection Regulation (GDPR), or Quebec’s Bill 64, they have all had a direct impact on data privacy worldwide. There is no doubt in my mind that we are moving towards people having more control over their Personally Identifiable Information (PII), which is a good thing.
Want to read more?
Here is an overview of the main obligations which came into force on September 22, 2022. Will you be ready? The countdown has begun! Complete information from the CAI can be found at the New Privacy Obligations for Businesses.
- Commission d'accès à l'information (CAI)
- Bill 64, An Act to modernize legislative provisions as regards the protection of personal information Raw PDF version.
- 2016 Survey of Canadians on Privacy Public opinion survey (Prepared for: Office of the Privacy Commissioner of Canada by Phoenix Strategic Perspectives Inc. December 2016)
- Canadian Consumer Privacy Protection Act (CPPA) impact and readiness survey