On 12 June 2020, the government of Quebec introduced Bill 64, “An Act to modernize legislative provisions as regards the protection of personal information” (Bill). The Bill proposes to modernize the existing framework applicable to the protection of personal information by amending various public, and private sector Quebec laws, to align closer with the requirements under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and the European General Data Protection Regulation. The Act respecting the protection of personal information in the privacy sector, which is Quebec’s private sector privacy law, is one of the laws that will be significantly impacted by Bill 64.
In the event that Bill 64 is passed, private sector organizations in Quebec will be required to comply with increased data privacy obligations. Some of the key provisions of the proposal are outlined below:
Greater Fines and Administrative Penalties: The Bill allows the Commission d’accès à l’information (CAI) to impose on businesses, administrative penalties of up to, the greater of (i) CAD 10,000,000, and (ii) the amount corresponding to 2% of worldwide turnover in the preceding year.
While the current regime allows the attorney general to seek fines for breach of the Act, the proposal substantially increases the potential fines against businesses, to the greater of (i) CAD 25,000,000, and (ii) the amount corresponding to 4% of worldwide turnover for the preceding fiscal year.
Appointment of a Data Privacy Officer: Similar to the existing requirement under PIPEDA, Bill 64 requires that businesses appoint an individual to be responsible for overseeing the protection of personal information. The title and contact information of this person must be published on the organization’s website, or, if the organization does not have a website, be made available by any other appropriate means.
Breach Notification Requirements: Similar to the existing requirements under the federal PIPEDA, and Alberta’s Personal Information Protection Act, breach notification requirements will be triggered when a “confidentiality incident” presents a “risk of serious injury” to the impacted individual. In case of such an event, organizations will be required to notify the CAI, and the impacted individuals. Organizations will also be required to maintain a log of “confidentiality incidents”, which they are required to disclose to the CAI upon request.
Mandatory Privacy Impact Assessments: The Bill includes a mandatory obligation for organizations to conduct a privacy impact assessment of “any information system project or electronic service delivery project involving the collection, use, communication, keeping or destruction of personal information”.
Outsourcing and Cross-Border Data Transfers: Under the proposed obligations, organization are required to conduct a privacy impact assessment to ascertain whether information transferred outside of Quebec will receive a level of protection equivalent to the one granted under the Act. If the privacy impact assessment concludes that the “comparable level of protection” requirement is not met, then the organization must not communicate the personal information. Any third party outsourcing arrangements are also required to be subject to a written agreement between the organization and the outsourcing company.
Transparency and Consent Upon Collection of Information: Bill 64 provides more details around the type of disclosures that must be available to individuals upon collecting their information, namely, transparency related to the purposes of the collection, the means of collection, the rights of access and rectification and the person’s right to withdraw consent to the communication or use of the information collected. Organizations must request the consent of the person concerned separately from any other information provided to the person. The consent necessary for certain uses or releases of sensitive personal information must be given expressly. Furthermore, the consent of the person having parental authority must be obtained to collect, use and release personal information concerning a minor under 14 years of age.
Additional Rights for Individuals: The proposal grants rights to a person to whom personal information relates, including a de-indexation right, which is a right to require that such information cease to be disseminated or that any hyperlink attached to the person’s name providing access to the information by a technological means be de-indexed or re-indexed. The Bill also establishes a person’s data portability right, which is a right to access computerized personal information concerning him or her in a structured, commonly used technological format or to require such information to be released to a third person.
If passed, the Bill’s amendments to the Act would come into effect one year following the date of the bill’s assent, except for the provision on data portability rights, which would come into effect three years after the date of assent.