Québec Adopts New Comprehensive Data Protection Law

On September 22, 2021, Bill 64, the Act to Modernize Legislative Provisions respecting the Protection of Personal Information[1] (the “Act”) received royal assent in Québec.  This important and comprehensive new data protection law will usher in significant changes to the protection of personal data in Québec, bringing the privacy regulatory landscape in the province more closely in line with that which has been established by the European General Data Protection Regulation.   The Act introduces a number of key amendments to Québec’s Act Respecting the Protection of Personal Information in the Private Sector,[2] as highlighted below.  Significantly, the measure enters into force over the next three years, with the majority of provisions becoming effective on September 22, 2023.  Violations of the Act may bring steep fines of up to the greater of $10,000,000 CAD or two percent of an entity’s worldwide annual turnover for the preceding year for civil offenses, and to the greater of $25,000,000 CAD or four percent of worldwide revenue, for penal offenses.  Furthermore, individuals may pursue a private right of action for violations of certain provisions of the Act.

The Act itself does not clearly specify its territorial scope, but provides that it applies to organizations “carrying on an enterprise” in Québec.  As such, it appears possible that some organizations located in other provinces or countries may still be subject to the Act if they are carrying on business in Québec.  Furthermore, the Act’s strict cross-border provisions will mean that the new measure will have far-reaching implications for companies located around the globe that seek to receive personal information from Québec.

Given the complexity of the Act, organizations should start considering now how they will comply.  Below is a summary of some of the Act’s key provisions:

  • Obligation to Appoint a Privacy Officer: Organizations subject to the Act must appoint a privacy officer (the “Privacy Office”) who must ensure that the organization complies with the Act. By default, in the absence of a designation, the CEO of the organization will be considered the Privacy Officer. The Privacy Officer’s contact information must be published on the organization’s website.
  • Data Breach Reporting Obligations: The Act also mandates data breach reporting obligations, requiring organizations to notify the Commission d’accès à l’information (CAI) and the affected individuals when a “confidentiality incident” presents a “risk of serious injury” to individuals.  The “risk of serious injury” threshold is assessed using factors such as the sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes, and as such is similar to the “real risk of significant harm” test under Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA).
  • Policies and Practices: Organizations subject to the Act must establish and implement policies and practices regarding the protection of personal information that provide a framework for the keeping and destroying of the information; define the roles and responsibilities of employees; and provide a process for dealing with complaints regarding the protection of the information. These policies and practices must be proportionate to the nature and scope of the organization’s activities.  Further, organizations must publish detailed information about these policies and practices on their website.
  • Privacy Impact Assessments (“PIA”): Pursuant to the Act, organizations must conduct PIAs with respect to the acquisition, development and redesign of any information system or electronic service delivery project involving the collection, use, communication, keeping or destroying of personal information.
  • Rules on Automated Processing: Organizations must inform an individual when his or her personal information is used to render a decision based exclusively upon automated processing of such information. Upon receipt of an individual’s request, an organization must inform the individual about the personal information used to render the decision; the reasons and the principal factors and parameters that led to the decision; and the right of the individual to have the personal information used to render the decision corrected.
  • Cross-border Transfers of Data: Organizations who are subject to the Act must conduct a PIA prior to communicating personal information outside of Québec.  In the case of cross-border data transfers, the PIA must take into account: the sensitivity of the information to the be transferred; the purposes for which it will be used and the protection measures, including contractual ones, that would apply to it; and the legal framework applicable in the State in which the information would be communicated, including the data protection principles applicable in the foreign State.  The personal information may be communicated outside of Québec if the PIA “establishes that [the information] would receive protection equivalent to that afforded under [the] Act.”  The communication of the information must be subject to a written agreement.
  • Outsourcing: Organizations that are subject to the Act and wish to share personal information to a service provider must enter into a written agreement with the service provider. This agreement must provide: a description of the measures taken by the service provider to ensure the confidentiality of the personal information (e.g. a description of the security safeguards); an obligation for the service provider to only use the information for the purposes of rendering the services and not keep such information after the termination of the contract; and an obligation for the service provider to notify the Privacy Officer without delay of any actual or attempted violation of the confidentiality of the information and to allow the Privacy Officer to conduct assessments to verify the service provider’s compliance with its confidentiality obligations.
  • Transparency: The Act mandates transparency obligations, requiring organizations to provide the following information to individuals upon collection of their personal information: the purposes of the collection; the means of collection; the rights of access and rectification; and the person’s right to withdraw consent to the communication or use of the information collected. If applicable, the following information must also be provided: the name of the third party for whom the information is being collected; and the possibility that personal information could be communicated outside Québec.  Upon request of an individual, organizations must also provide some additional information such as the categories of persons who have access to the information within the organization and the retention period for that information.
  • Profiling, Geolocation and Identification Technologies:  Organizations must inform individuals of any collection of personal information using technological means that include functions allowing the individual to be identified, located or profiled, and must also inform individuals of the means available (if any) to deactivate such functions.
  • Consent: Any individual who provides his or her personal information after receiving an adequate privacy notice is deemed to have consented to its use and its communication for the purposes indicated in the notice. The consent must be clear, free and informed, and be given for specific purposes and must be requested for each such purpose, in clear and simple language and separately from any other information provided to the individual. In addition, organizations must obtain express consent to use sensitive personal information for secondary purposes. Consent of a minor under 14 years of age must be given by a parent, guardian, or teacher.
  • Privacy by Default: Organizations that collect personal information by offering a technological product or service that has privacy settings must ensure that those settings provide the highest level of confidentiality by default.
  • Retention and Destruction: Under the Act, once the purposes for which personal information was collected or used are achieved, organizations must destroy the information.  However, organizations also have the option anonymize the information, according to generally accepted best practices, in order to use it for a serious and legitimate purpose.
  • De-indexation right: An individual may request that organizations cease disseminating his or her personal information and de-index any hyperlink attached to his or her name that provides access to the information, if the dissemination violates the law or a court order.  The Act also makes this right available to individuals even if the dissemination does not contravene the law or a court order, upon the satisfaction of a variety of balancing factors.
  • Data Portability Right: An individual may request that personal information collected by an organization from him or her be communicated to him or her (or to another organization designated by the individual) in a structured, commonly used technological format. The organization is not required to destroy the personal information solely because an individual exercised a portability request.

Next Steps:

Clearly, the Act will usher in very significant changes to the regulation of privacy and data protection in Québec, and will also impact organizations, wherever located, that collect personal information from residents of Québec.  Fortunately, companies who are subject to the new rules will find themselves with some time to prepare for the new requirements as the majority of the provisions of the Act will enter into force on September 22, 2023, with a small number of provisions becoming effective on September 22, 2024.  However, a few provisions are coming into force earlier on September 22, 2022.  Due to the magnitude of changes ushered in by the Act, and the potential for significant liability, organizations should begin working with privacy counsel now to come into compliance with the Act.

[1] http://www.assnat.qc.ca/en/travaux-parlementaires/projets-loi/projet-loi-64-42-1.html

[2] P-39.1 – Act respecting the protection of personal information in the private sector (gouv.qc.ca)