How Bill 64 Will Affect Your Company’s Privacy Program


The Quebec National Assembly adopted a new privacy law, formally titled An Act to modernize legislative provisions as regards the protection of personal information, on September 22, 2021. Known as Bill 64, the legislation updates and modernizes the previous An Act respecting the protection of personal information in the private sector, colloquially referred to as the “Private Sector Act”.

The new law replaces the aging Private Sector Act, and is applicable to all businesses in the private sector in Quebec. Even if an entity is not headquartered in the province, any private-sector organization doing business in Quebec must comply with the law’s requirements for the collection, use, disclosure, and storage of personal information. This means that if you have customers in that province, the way your company processes their personal information must conform with that provincial law.

Although passed in Quebec, this legislation sets a new paradigm in Canadian data privacy legislation. Because it applies to any entity doing business in Quebec, it is a game-changer with respect to other domestic privacy laws. One can expect the passing of Bill 64 to have far-reaching consequences for how Canadian privacy laws develop in the coming years.

What are the new requirements?

The new requirements include the following:

  • A person in charge of the protection of personal information (a privacy officer) must be designated in every organization. By default this is the person with the highest authority in the organization, who may delegate the function in writing to an existing employee or an external consultant.
  • Privacy breaches (“confidentiality incidents”) must be reported to the regulator and to the affected individuals where the incident presents a risk of serious injury, and every incident must be recorded in an incident register. An entity must therefore have a formal privacy breach handling procedure in place.
  • An entity must complete a privacy impact assessment that evaluates the processing of personal data for every project to acquire, develop or overhaul an information system in which personal information is processed. This is particularly crucial if a company handles highly sensitive personal information (such as personal health data, financial data, or criminal records).
  • All agreements with vendors must contain sufficient privacy protection contractual clauses before any personal information is disclosed to them.
  • A person has the right to “de-index” their personal information: they may require an organization to stop disseminating it, or to de-index any hyperlink that gives access to it, where the dissemination contravenes the law or a court order, or causes serious injury to their reputation or privacy that clearly outweighs the public interest. In practice this means a customer can direct a company to cease publishing their personal data unless legal or other compelling circumstances justify continuing.
  • Upon request, an entity must provide a person with a copy of the computerized personal information collected from them in a structured, commonly used, machine-readable format and, at the person’s direction, transfer it to another organization (including a competitor). This is known as the right to data portability.

Will there be legislative fines?

Additionally, unlike existing Canadian privacy laws, the legislation carries substantial fines for violations. These are larger than any previously introduced in Canadian privacy law:

  • Administrative Monetary Penalties (AMPs) of up to 2% of a company’s annual worldwide turnover (revenue) or up to $10 million, whichever is greater;
  • Penal fines of up to 4% of a company’s annual worldwide turnover (revenue) or up to $25 million, whichever is greater; and
  • A private right of action, which allows complainants to pursue the matter through the courts, with punitive damages of at least $1,000 where the violation is intentional or results from a gross fault. In the event of a larger breach, this could result in class action lawsuits.

These fines may be levied by the regulator, the Crown, or both. Even a seemingly benign privacy breach, handled without safeguards and due diligence measures in place, could cripple a smaller entity if its effects reach the level where an AMP or penal fine is imposed. It is not yet clear whether a penalty and a private right of action lawsuit may proceed at the same time, but nothing thus far indicates that the matter cannot be pursued both with the regulator and in the courts.

Does complying with Bill 64 help me comply with other privacy laws?

Not necessarily, because other laws in Canada have lower legislative requirements, and some provincial laws are silent on newer rights such as the right to de-indexing and the right to data portability.

However, it should be noted that Bill 64’s requirements are strikingly similar to those of Europe’s General Data Protection Regulation (GDPR), which the privacy and legal communities regard as the gold standard and the de facto global privacy protection benchmark.

In Canada, a number of changes to privacy laws are imminent. Ontario is considering a similar upgrade to its private-sector privacy law and has published a white paper examining the proposed modernizations. In 2020, BC considered a modernization of its provincial private-sector Personal Information Protection Act which, although currently paused, may resume at any time. Additionally, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) was initially tabled for update under Parliamentary Bill C-11, until the 2021 federal election caused the bill to die on the order paper. Nevertheless, PIPEDA needs to be modernized, and a re-introduction of Bill C-11 or similar legislation is likely; if it were re-introduced, it would bear striking resemblances to Quebec’s Bill 64.

Given the legislative landscape and the continual evolution of privacy laws, achieving compliance with Bill 64 will greatly help towards establishing and upholding a strong privacy practice and program. Bill 64 is forward-looking by virtue of its alignment with GDPR, even while other legislative updates have temporarily stagnated.

When do I have to be compliant?

The legislation’s new requirements come into force in phases over three years: the first obligations (such as designating a privacy officer and reporting confidentiality incidents) on September 22, 2022, most of the remaining obligations (including privacy impact assessments, vendor clauses and the right to de-indexing) on September 22, 2023, and the right to data portability on September 22, 2024. All businesses must therefore be fully compliant with Bill 64’s requirements on or before September 22, 2024. This means that businesses must establish a plan or road map to achieve compliance and to ensure that their privacy program reaches maturity.

However, the phased timeline does not mean that a company can afford to wait until the last moment, as the steps to achieve compliance may involve operational upgrades (such as creating SOPs, drafting policies, and running tabletop exercises) that can take several months to fully test and operationalize. A company must therefore understand which of its activities are affected by each new requirement, and by which date each requirement must be met.

How can Kobalt.io help me?

We offer a number of privacy consulting services that help you achieve compliance with Bill 64 and go a long way towards helping your privacy program reach maturity. These include the following:

  • Privacy Gap Assessment: a 360-degree review of how your company or organization collects, uses, discloses, and stores personal information, delivered as a report with recommendations for best practice and gap remediation
  • Privacy Impact Assessment: a structured questionnaire examining the processing of personal data, using directed queries and the requirements set out by the regulator
  • Data Protection Officer for hire: a long-term engagement in which a road map to compliance is set out, with predetermined metrics defining goals and deliverables

Our privacy subject matter expert is a member of the British Columbia bar, and holds both CIPP/C and CIPP/E designations from the International Association of Privacy Professionals.
