The Act to Modernize Legislative Provisions respecting the Protection of Personal Information (“Bill 64”) received royal assent within a day after its adoption by the Quebec National Assembly. The quick passage of this Bill was preceded by a legislative process that lasted a year and a half after the bill was first introduced by Sonia LeBel, then Minister responsible for Democratic Institutions, Electoral Reform and Access to Information.
The majority of the provisions of the Act will come into force on September 22, 2023, with a few provisions coming into force one year earlier on September 22, 2022, so that enterprises get sufficient time to comply with the new requirements under this Act.
What is Bill 64?
Bill 64 brings a substantial reform of the privacy regime, focused on improving transparency, increasing the level of data confidentiality and reinforcing consent requirements.
Once enforced, this Act will bring many changes to the current privacy regime in the province of Québec and will be a flagship act for the privacy regime in Canada, much like the CCPA is for the US.
What are the key points of consideration?
- Personal information now means any information which relates to a natural person and which may allow that person to be identified either directly or indirectly
- Removes the restriction on transfers of personal information outside of Quebec to jurisdictions with “equivalent protection” to Bill 64 and instead permits transfer to jurisdictions where it would receive “an adequate protection in compliance with generally accepted data protection principles”, after a privacy impact assessment
- Permits organizations to use personal information without consent when its use is necessary for the supply or delivery of a product or the provision of a service, and for the prevention and detection of fraud or the evaluation or improvement of protection and security measures
- Requires organizations to demonstrate a serious and legitimate purpose in order to anonymize personal information rather than destroy it
- A new administrative monetary penalty and a new offence provision for failing to take appropriate security measures to ensure the protection of personal information collected, used, communicated, kept or destroyed
- Organizations will now be required to designate an individual responsible for compliance with privacy legislation
What are the new obligations?
Mandatory Privacy Impact Assessments (PIA)
Québec’s new privacy law now mandates PIAs with respect to:
- any project of acquisition, development and redesign of an information system project or electronic service delivery project involving personal information,
- the transfer of personal information outside of Québec, and
- the communication of personal information without consent for study, research or statistics.
Enhanced consent and transparency obligations
Consent must be specific to each use of personal information and implied consent is only accepted where some conditions are met.
De-identification and anonymization
Anonymized information, under Bill 64, means that “it is at all times reasonable to expect in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly”, the operative terms being “irreversibly” and “directly or indirectly”.
Right to data portability
Bill 64 also obligates organizations to develop and install the mechanisms necessary to transfer personal information “in a structured, commonly used technological format”.
Right to be informed about automatic data processing
An individual whose personal information is being processed by a public body to render a decision based exclusively on an automated processing of such information must, at the time of or before the decision, be informed accordingly.
The public body must also inform the person concerned, at the latter’s request,
(1) of the personal information used to render the decision;
(2) of the reasons and the principal factors and parameters that led to the
(3) of the right of the person concerned to have the personal information used to render the decision corrected.
What is the maximum penalty?
The maximum amount of the monetary administrative penalty is $50,000 in the case of a natural person and, in all other cases, $10,000,000 or, if greater, the amount corresponding to 2% of worldwide turnover for the preceding fiscal year.