On September 22, 2021, Quebec’s An Act to modernize legislative provisions as regards the protection of personal information (Bill 64) received Royal Assent after adoption by the Quebec National Assembly. Quebec is the first Canadian jurisdiction to significantly reform its privacy law regime by amending various laws related to the protection of personal information, including the Act respecting the protection of personal information in the private sector (the Private Sector Act), the Act to establish a legal framework for information technology, and the Act respecting Access to documents held by public bodies and the Protection of personal information.
In a previous bulletin, we discussed the many ways Bill 64 creates obligations on private and public sector organizations in Quebec similar to those imposed by the European Union’s General Data Protection Regulation.
Most amendments to Quebec’s Private Sector Act will come into force on September 22, 2023, with only a few provisions coming into force next year. Notably, on September 22, 2022, the requirement to notify the Commission d’accès à l’information (CAI) and affected individuals of a privacy breach (a confidentiality incident) that presents a risk of serious injury will come into force.
Prior to receiving Royal Assent, Bill 64 was amended by Quebec’s Committee on Institutions (Committee). Important changes to Bill 64 made by the Committee include:
Expanding the definition of personal information to mean any information which relates to a natural person and allows that person to be identified either directly or indirectly
Permitting organizations to use personal information without consent when its use is necessary for the supply or delivery of a product or the provision of a service, and for the prevention and detection of fraud or the evaluation or improvement of protection and security measures
Removing the restriction on transfers of personal information outside of Quebec to jurisdictions with “equivalent protection” to Bill 64 and instead permitting transfer to jurisdictions where it would receive “an adequate protection in compliance with generally accepted data protection principles”, after conducting a privacy impact assessment
Requiring organizations to demonstrate a serious and legitimate purpose in order to anonymize personal information rather than destroy it
Adding a new administrative monetary penalty and a new offence provision for failing to take appropriate security measures to ensure the protection of personal information collected, used, communicated, kept or destroyed