Bill 64 Passed in Quebec - What Should You Be Aware Of?

Quebec has a new privacy law passed last month. On 21 September 2021, the Quebec National Assembly passed Bill 64, An Act to modernize legislative provisions regarding the protection of personal information. This act serves as an amendment to the Act Respecting the Personal Information in the Private Sector, where significant changes have been made.

If you operate in Quebec, Canada, or globally, you need to know the upcoming requirements. This article will answer your Bill 64 questions and set you on the road to compliance.

Does the Quebec Privacy Law - Bill 64 apply to your business?

Bill 64 applies to you if:

• Your business is headquartered in the Province of Quebec or
• You have website visitors from Quebec.

Like other data protection laws worldwide, Bill 64 applies to a relationship between a business and a user where at least one comes from Quebec.

Learn about the Bristish Columbia Personal Information Privacy Act

What changes do the Quebec Privacy Law - Bill 64 bring?

Bill 64 brings Quebec privacy legislation on the level with the comprehensive personal data protection of the EU GDPR and its stringent requirements. Its provisions will come into effect gradually, starting from September 2022. The rest of the provisions will come into effect in September 2023 and September 2024, respectively. However, most of the provisions come into effect on 22 September 2023.

Bill 64 Provisions coming into effect in September 2022

Appoint a privacy officer. The CEO is in charge of protecting personal information by default, but they may delegate these tasks in writing to someone else in the organization. The Privacy Officer’s job is to ensure that the organization implements the legal requirements. Their contact information needs to be published on the company website.

Breach reporting. Businesses will have to inform the Commission d’accès à l’information (CAI) and affected individuals about any data breach that poses a serious risk to the individuals. Businesses currently have this obligation under PIPEDA, but the Quebec Privacy Law imposes a similar requirement.

In addition, businesses have to keep a register of all breaches.

Bill 64 Provisions coming into effect in September 2023

Policies and practices about data processing. Businesses will have to establish and implement policies and practices regarding collecting and processing personal data. These policies will provide a framework for the processing, determine the roles of the personnel involved in the processing, and establish a process of dealing with complaints. 

It also needs to establish a confidentiality policy to share personal data with third parties.

Increased transparency. Businesses have to be transparent to users about how they use their data. This includes providing information about the categories of data processed, the processing purposes, the third parties involved in the processing, the data subject rights, etc. In general, this information needs to be included in a privacy policy.

In addition to this information, businesses will have to meet increased requirements about the use of profiling, geolocation, and identification technologies.

Privacy impact assessments (PIA). Businesses will have to do a privacy impact assessment for any information system project or electronic service delivery project involving the collection, use, communication, keeping, or destruction of personal information and communicating personal information outside Quebec. The PIA should be proportionate with the sensitivity of the data, the purpose of processing, the amount of data, etc.

Automated processing notice. Businesses will have to inform users if their personal data is processed automatically. The processing results affect their rights (for example, an insurance company processes personal data automatically to determine the premium).

Cross-border transfers. In general, cross-border transfers are allowed, but they must be subject to a privacy impact assessment. This assessment should determine whether the transfer is safe. If it is safe, businesses can transfer data across Quebec borders.

Written agreements with service providers. Service providers are the data processors. According to Bill 64, service providers can process data only based on a written agreement, similar to the GDPR requirement. The written agreement must contain information about the purpose of processing, data security measures, etc.

Consent. Businesses will have to obtain explicit, free, informed, and specific consent for each processing purpose, which stretches out the standards set by PIPEDA. In addition, businesses have to obtain express consent for the secondary use of sensitive personal data.

Privacy by default. The widely-known privacy concept will become part of Quebec law in 2023. It requires businesses to embed privacy on their products and services. This won’t apply to cookies, in any case.

De-indexation rights. In addition to other data subject rights, including the right to be forgotten, Quebec Privacy Law will enable data subjects to request de-indexation of their personal information, which in practice would mean that the business has to cease disseminating the personal information or to de-index any link attached to their name.

Retention and destruction. Organizations will have to destroy the personal data they do not need anymore or anonymize it and use it for a legitimate purpose.

Provisions coming into effect in 2024

Data portability right. Users will have the right to obtain their personal information from your records and move it to another data controller.

What are the penalties for non-compliance?

Bill 64 sets out different categories of monetary penalties. The law describes administrative and criminal penalties, calculated based on certain factors and enforced by the CAI. It provides for a right to take private action by data subjects. Accordingly, the amounts of fines are set out as follows:

• Administrative penalties of up to CAD 50,000 in the case of a natural person and, for businesses, up to CAD 10,000,000 or 2% of worldwide turnover for the preceding fiscal year, whichever is greater.
• Criminal fines of up to CAD 100,000 in case of a natural person, and for businesses, up to CAD 25,000,000, or 4% of worldwide turnover for the preceding fiscal year, whichever is greater. Fines will be doubled in the event of a subsequent offense.
• Right of private action for individuals who suffered an injury due to violations of the law is set out within Bill 64. The competent court can award punitive damages of at least CAD 1,000 if the infringement is intentional or results from a gross fault. 
  

How does Bill 64 compare to PIPEDA?

Bill 64 aligns Quebec privacy legislation better with the Federal PIPEDA and brings the Quebec provincial law closer to the GDPR standards.

Before the amendments, simply complying with the PIPEDA meant compliance with the Quebec privacy laws as well. However, now that Bill 64 has taken the legal requirements further, businesses need additional effort to comply with this law.

However, businesses that already operate under the GDPR and the 10 PIPEDA principles will find it easy to comply with the Quebec privacy law.

Read about Canada's newly proposed Consumer Privacy Protection Act - CPPA.

How to prepare for the New Quebec Privacy Law?

We are less than 12 months away from the coming into effect of the first Bill 64 provisions. The sooner you start preparing, the better.

To start, consider who will be your privacy officer and establish procedures for handling and reporting data breaches.

At the same time, you should prepare the necessary policies agreements with service providers and plan the privacy impact assessments.
As mentioned above, PIPEDA compliance will make things simpler for you when the times for Quebec privacy compliance come. 

We provide a compliance solution for PIPEDA. Sign up for a free trial here and make things easier starting from today.