On Tuesday, September 21, 2021, the Act to modernize legislative provisions as regards the protection of personal information (Bill 64) was adopted by the National Assembly of Québec.
This Act governs the protection of personal information and introduces significant updates to Québec’s privacy governance as a “law with teeth” (Canadian Press, 2021, para. 2), in line with European-style privacy requirements such as the General Data Protection Regulation (GDPR), applicable to both the private and public sectors.
The changes introduced by the bill mark some significant departures from current Canadian federal privacy legislation. In spite of that, a survey conducted by the Fédération des chambres de commerce du Québec (FCCQ) as recently as June indicated that almost 40 percent of businesses are unsure how Bill 64 will impact their activities and processes.
Is your business prepared? Read on below to understand some of the changes introduced by Bill 64.
Some high-level changes which will most impact organizations include:
Bill 64 also introduces some unique requirements regarding biometric data (voiceprints, fingerprints, DNA, etc.). Businesses will be expected to provide notice to the Commission d’accès à l’information (CAI) du Québec at least 60 days in advance of creating a biometric database.
More details related to these changes and their projected timelines are explained below.
Organizations that fail to comply with Bill 64 and its related regulations will face more severe penalties than under the current regime. These will vary based on the size of the business, but generally include:
Importantly, organizations that can demonstrate data was managed and collected in alignment with Bill 64 will not be subject to penalties in the event of a successful privacy attack.
Under Bill 64, citizens also retain the right to take private action (including collective action) where their privacy is breached or infringed upon intentionally or through gross fault — with damages of at least $1,000 per individual (this remedy does not exist under PIPEDA). Organizations may also face liability under the Civil Code of Québec.
Bill 64 is enforced by the Commission d’accès à l’information (CAI) du Québec, the provincial organization responsible for access to information in Québec.
Although Bill 64 has officially been adopted, it is projected to roll out gradually over the next three years. Currently, requirements are expected to come into force in this roll-out as follows.
Over the next three years, CAI is expected to recruit technological experts to help support Bill 64, and to create and issue standards and guidelines for businesses regarding Bill 64. For example, it is expected that a list of states with a legal framework equivalent to Bill 64 will be published in the Gazette officielle du Québec, to aid organizations in assessing disclosure of information outside Québec.
Organizations must appoint a Privacy Officer or equivalent position. The title and contact information for this role must be published on organizations’ websites or via other appropriate methods so it is easily accessible by the public.
Mandatory privacy incident reporting
Any privacy incidents or breaches to personal information within an organization’s possession — including unauthorized access to, use, or communication of personal information, or the loss of personal information resulting in risk of serious harm — must be reported to both CAI and the affected individuals.
Organizations must also maintain a log of confidentiality incidents and demonstrate the measures taken to prevent new incidents of a similar nature. Directors of organizations are now at risk of substantially increased financial penalties if an incident or breach is not reported.
Privacy governance and program development
Organizations must develop and implement internal privacy policies to manage and appropriately protect personal information throughout organizational activities. Moreover, organizations should seek to develop comprehensive programs that apply these policies in business practice. A program roadmap and maturity assessment could be extremely beneficial for organizations seeking to implement their policies.
Privacy Program development may include, but is not limited to:
Privacy impact assessments
Privacy Impact Assessments (PIAs) must be conducted in the following scenarios to ensure that personal information will be protected to the standards set out in Bill 64:
In addition, written agreements with third parties must capture the accountabilities and responsibilities of each party to protect personal information.
Purpose, collection, and consent
Purposes for collecting personal information must be clearly defined and understood — both to enhance transparency at time of collection, and when individuals request information around the organization’s purpose and collection practices.
When personal information is collected:
As with PIPEDA, Bill 64 requires that consent be re-obtained if personal information is to be used for another purpose. However, Bill 64 diverges from PIPEDA by requiring consent to be express, not implied, for the collection of sensitive personal information (i.e., information that is sensitive due to its nature or the context of its use, and that requires a high level of protection under reasonable expectations).
Children under the age of 14 need parental or guardian authority to provide valid consent under Bill 64.
Exceptions to consent
Bill 64 permits disclosure of personal information without consent in the following situations, many of which are not covered under PIPEDA:
Another exception covers instances where personal information is necessary to carry out a mandate or perform a contract for services by a third party. Caveats to this exception include:
Privacy by design
Any technology or technology solution employed by an organization must have privacy settings defaulted to the highest level of privacy for personal information.
Additionally, if technology has the ability to identify, locate, or profile an individual whose personal information is used by the technology, the organization must inform the individual and provide means for deactivating these functions if possible.
Destruction of personal information
Personal information must be destroyed once purposes for its collection are met. If a legitimate reason to keep the personal information exists, it should be anonymized.
Right to be forgotten
Organizations must make accommodations to fulfill requests from individuals who wish to stop their personal information from being disseminated — including de-indexing hyperlinks attached to the individual’s name that provide access to personal information, or re-indexing personal information.
Organizations will be required to provide personal information about an individual to that individual, upon request, in a structured and commonly used technological format. Organizations will also be required to disclose the information to another organization authorized to collect personal information at the individual’s request (for example, if an individual seeks to change service providers).
Automated processing of personal information
Organizations must inform individuals if their personal information will be used to make a decision based solely on automated processing of that information. Individuals must be informed at the time of collection, or before automated processing of their personal information occurs. In addition, organizations should tell individuals what personal information will be used to reach the decision, the reasons for the decision, and any other major factor that led to the decision.
Individuals should continue to be made aware of their right to correct any personal information.
Individuals must also be allowed to submit observations in reviews of any automated decision made based on their personal information.
Source of personal information
Should an individual request it, organizations must disclose the source used to obtain their personal information and whether it was collected from another person or organization.
Even if your organization is not based in Québec, the implementation of Bill 64 may still affect you. Businesses that deal with personal information disclosed by Québec organizations must ensure their practices align with Bill 64 and pass any Privacy Impact Assessments carried out by Québec organizations.
Bill 64 and similar emerging legislation may also increase the need for data and privacy experts in Québec organizations and those with interprovincial and national operations. Certain elements of Bill 64 may also surface in federal legislation in the future.
Is your organization ready for these new changes?
MNP’s Cyber Security and Privacy Services can help you conduct an internal analysis of current processes and technological solutions to see if you meet these requirements. Our team can also help you proactively refine your privacy and data practices in anticipation of future privacy requirements. We’re here to keep you onside with regulators and your stakeholders now — and in the face of ever-changing expectations.
Request a free consultation to explore your cyber security and privacy options.
Canadian Press. (2021, September 27). Heavy Penalties Coming for Companies that are Careless with Quebecers’ Data. iHeart Radio. Retrieved from: https://montreal.ctvnews.ca/heavy-penalties-coming-for-companies-that-are-careless-with-quebecers-data-1.5601774
Langlois Avocats. (2021, September 21). Protection of personal information: Three-year phased implementation after Bill 64 receives assent. Retrieved from: https://langlois.ca/protection-of-personal-information-three-year-phased-implementation-after-bill-64-receives-assent/
Potechin, M. (2021, January 28). Quebec’s Bill 64 proposes amendments to modernize privacy laws. DLA Piper. Retrieved from: https://www.dlapiper.com/en/canada/insights/publications/2021/01/quebec-bill-64-proposes-amendments-to-modernize-privacy-laws/
Office of the Privacy Commissioner of Canada. (2020, September 24). Questions and answers – Bill 64. Retrieved from: https://www.priv.gc.ca/en/opc-news/news-and-announcements/2020/qa_20200924/
Reynolds, M., Shah, R., & Reguly, T.A. (2020, June 19). Quebec’s Bill 64 proposes sweeping changes to its privacy regime. Torys LLP. Retrieved from: https://www.torys.com/insights/publications/2020/06/quebecs-bill-64-proposes-sweeping-changes-to-its-privacy-regime