Quebec’s Bill 64: Are you ready for it?

What is Bill 64?

On Tuesday, September 21, 2021, the Act to modernize legislative provisions as regards the protection of personal information or Bill 64 was adopted by the National Assembly of Québec. This Act governs protection of personal information, and introduces significant updates to Québec’s privacy governance, as a “law with teeth” (Canadian Press, 2021, para. 2), in line with European-style privacy requirements such as the General Data Protection Regulation (GDPR) in both private and public jurisdictions.

Changes introduced by the bill mark some significant variances from current Canadian federal privacy legislation. However, in spite of that, a survey conducted by the Fédération des chambres de commerce du Québec (FCCQ) as recently as June indicated that almost 40 percent of businesses are unsure how Bill 64 will impact their activities and processes.

Is your business prepared? Read on below to understand some of changes introduced by Bill 64. 

What do you need to know?

Legislative Requirements

Some high-level changes which will most impact organizations include:

• All organizations must have a Privacy Officer or equivalent position
• Specific measures around the use of Privacy Impact Assessments
• Publicly available privacy policies and requirements for internal privacy practices
• Mandatory privacy breach notifications, in line with existing federal requirements
• Increased transparency in consent and collection of personal information
• Implementation of privacy by design principles in technology and systems
• New data rights for individuals whose personal information is collected, such as
  • data portability rights
  • rights related to automated decision making
  • data profiling rights
  • the right to be forgotten (with exception of information of public interest)

Bill 64 also introduces some unique requirements regarding biometric data (voiceprints, fingerprints, DNA, etc.). Businesses will be expected to provide notice to the Commission d’accès à l’information (CAI) du Québec at least 60 days in advance of creating a biometric database.

More details related to these changes and their projected timelines are explained below.

Penalties

Organizations that fail to comply with Bill 64 and its related regulations will face more severe penalties than under the current regime. These will vary based on the size of the business, but generally include:

• $20 million, or two percent of the organization’s worldwide turnover for the preceding fiscal year for private organizations which fail to administer regulations
• Four percent of the organization’s sales— or between $15,000 and $25,000,000 — for private organizations facing criminal penalties
• Two tiers for public institutions for failure to meet regulations:
  • $3,000 and $30,000
  • $15,000 and $150,000
• Between $5,000 and $50,000 for violations made by a natural person

Importantly, organizations that can demonstrate data was managed and collected in alignment with Bill 64 will not be subject to penalties in the event of a successful privacy attack.

Under Bill 64, citizens also maintain the right to take private action (including collective action) where their privacy is breached or infringed upon intentionally, or from gross fault — with damages of at least $1,000 per individual in place (this penalty does not exist under PIPEDA). Organizations may also face liability from the Civil code of Quebec.

Who enforces Bill 64?

Bill 64 is enforced by the Commission d’accès à l’information (CAI) du Québec, the provincial organization responsible for access to information in Québec.

When does it take effect?

Although Bill 64 has officially been adopted, it is projected to roll out gradually over the next three years. Currently, requirements are thought to be aligned in this roll-out as follows.

Over the next three years, CAI is expected to recruit technological experts to help support Bill 64, and to create and issue standards and guidelines for businesses regarding Bill 64. It is expected that a list of states with equivalent legal framework to Bill 64 will be published in the Gazette officielle du Québec, to aid organizations in assessing disclosure of information outside of Québec.

Year 1 (2022)

• Privacy Officer
  Organizations must appoint a Privacy Officer or equivalent position. The title and contact information for this role must be published on organizations’ websites or via other appropriate methods so it is easily accessible by the public.
• Mandatory privacy incident reporting
  Any privacy incidents or breaches to personal information within an organization’s possession — including unauthorized access to, use, or communication of personal information, or the loss of personal information resulting in risk of serious harm — must be reported to both CAI and the affected individuals.
  
  Organizations must also maintain a log of confidentiality incidents and demonstrate measures taken to prevent new incidents of a similar nature. Directors of organizations are now at risk of substantially increased financial penalties if an incident or breach is not reported. 

Year 2 (2023)

• Privacy Policy
  Organizations must have an easily accessible privacy policy written in plain language available on the company website or via other appropriate methods. 
• Privacy Governance and Program Development
  Organizations must develop and implement internal privacy policies to manage and appropriately protect personal information throughout organizational activities.
  
  Moreover, organizations should be seeking to develop comprehensive programs to apply these policies in business practice. Implementation of a program roadmap and maturity assessment could be extremely beneficial for organizations seeking to implement their policies.
  
  Privacy Program development may include, but is not limited to:
  
  
  • Clear and defined employee roles and responsibilities throughout the private information lifecycle
  • Processes for managing data protection complaints
  • Review and compliance assessment of third parties with access to personal information
  • Appropriate safeguards on personal information
  • Retention and disposition practices for personal information
  • Development of a privacy framework and compliance monitoring

• Privacy Impact Assessments
  Privacy impact assessments (PIA) must be conducted in the following scenarios to ensure personal information will be protected to the standards set out in Bill 64:
  
  
  • When an information system is acquired, developed, or redesigned
  • Before the execution of an electronic service that will involve personal information
  • Before information can be disclosed outside of Quebec
  
  In addition, written agreements with third parties must capture the accountabilities and responsibilities of each party to protect personal information.

• Purpose, Collection, and Consent
  Purposes for collecting personal information must be clearly defined and understood — both to enhance transparency at time of collection, and when individuals request information around the organization’s purpose and collection practices.
  
  When personal information is collected:
  
  
• Consent for each purpose must be obtained in clear and simple language
• Written consent must be collected separately from other information provided to the individual — a significant departure from current PIPEDA regulations
• The means by which personal information will be collected must be clearly outlined
• Individuals must be made aware of their right to access their personal information and how they can correct personal information
• The right to withdraw consent must be clearly outlined
• The names of any third person or parties whom information is being collected for must be clearly stated
• Possibilities of information leaving Quebec must be clearly indicated

As with PIPEDA, Bill 64 requires consent be re-obtained if personal information is to be used for another purpose. However, Bill 64 diverges from PIPEDA by requiring consent to be express, and not implicit, for collection of sensitive personal information (i.e., information that is sensitive due to nature or context of its use, requiring high levels of protection under reasonable expectations).

Children under the age of 14 need parental or guardian authority to provide valid consent under Bill 64.

• Exceptions to Consent
  Bill 64 outlines the following rights to disclose personal information without consent in the following situations, many of which are not covered under PIPEDA:
  
  
  • Where personal information will be used for a secondary purpose consistent with its collection, and which benefits the individual in question
  • Where personal information is necessary for concluding a commercial transaction
  • Where personal information is to be used for research or statistical purposes
  • Where the personal information in question is business contact information, including name, title, duties, business address, business email, and business telephone number

  
  Another exception is instances where personal information is necessary to carry out a mandate or perform a contract for services conducted by a third party. Caveats to this exception include:

  • The third party must have a written mandate that outlines accountabilities and safeguards towards personal information\
  • There must be a written agreement for third parties to provide notification of actual or attempted confidentiality violations to the collecting organization’s Privacy Officer

• Privacy by Design
  Any technology or technology solution employed by an organization must have privacy settings defaulted to the highest level of privacy for personal information.
  
  Additionally, if technology has the ability to identify, locate, or profile an individual whose personal information is used by the technology, the organization must inform the individual and provide means for deactivating these functions if possible.

• Destruction of Personal Information
  Personal information must be destroyed once purposes for its collection are met. If a legitimate reason to keep the personal information exists, it should be anonymized.

• Right to be Forgotten
  Organizations must make accommodations to fulfill requests from individuals who wish to stop their personal information from being disseminated — including de-indexing hyperlinks attached to the individual’s name that provides access to personal information, or re-indexing personal information.

Year 3 (2024)

• Data Portability
  Organizations will be required to provide personal information about an individual in a structured, commonly used technological format to that individual upon request. Organizations will also be required to disclose the information to another organization authorized to collect personal information at the individual’s request (for example, if an individual seeks to change service providers).

• Automated Processing of Personal Information
  Organizations must inform individuals if their personal information will be used to make a decision based solely on automated processing of that information. Individuals must be informed at time of collection, or before automated processing of their personal information occurs. In addition, organizations should tell individuals what personal information will be used to come to a decision, the reasons for the decision, and any other major factor that led to the decision.
  
  Individuals should continue to be made aware of their right to correct any personal information.
  
  Individuals must also be allowed to provide observations in reviews of any automated decision made off their personal information.

• Source of Personal Information
  Should an individual request it, organizations must disclose the source used to obtain their personal information and if it was collected from another person or organization.

What does it mean for other provinces interacting with Quebec?

Even if your organization is not based in Quebec, the implementation of Bill 64 may still affect you. Businesses who deal with personal information disclosed by Quebec organizations must ensure their practices align with Bill 64 and pass any Privacy Impact Assessments carried out by Quebec organizations.

Bill 64 and similar emerging legislation may also increase the need for data and privacy experts in Quebec organizations and those with interprovincial and national operations. Certain elements of Bill 64 may also possibly surface in federal legislation in the future.

Is your organization ready for these new changes?

MNP’s Cyber Security and Privacy Services can help you conduct an internal analysis of current processes and technological solutions to see if you meet these requirements. Our team can also help you proactively refine your privacy and data practices in anticipation of future privacy practices. We’re here to keep you onside with regulators and your stakeholders now — and in the face of ever-changing expectations.

References

Canadian Press. (2021, September 27). Heavy Penalties Coming for Companies that are Careless with Quebecers’ Data. iHeart Radio. Retrieved from:

https://montreal.ctvnews.ca/heavy-penalties-coming-for-companies-that-are-careless-with-quebecers-data-1.5601774

Langlois Avocats. (2021, September 21). Protection of personal information: Three-year phased implementation after Bill 64 receives asset. Retrieved from:

https://langlois.ca/protection-of-personal-information-three-year-phased-implementation-after-bill-64-receives-assent/

Potechin, M. (2021, January 28). Quebec’s Bill 64 proposes amendments to modernize privacy laws. DLA Piper. Retrieved from:

https://www.dlapiper.com/en/canada/insights/publications/2021/01/quebec-bill-64-proposes-amendments-to-modernize-privacy-laws/

Office of the Privacy Commissioner of Canada. (2020, September 24). Questions and answers – Bill 64. Retrieved from:

https://www.priv.gc.ca/en/opc-news/news-and-announcements/2020/qa_20200924/

Reynolds, M., Shah, R., & Reguly, T.A. (2020, June 19). Quebec’s Bill 64 proposes sweeping changes to its privacy regime. Torys LLP. Retrieved from

https://www.torys.com/insights/publications/2020/06/quebecs-bill-64-proposes-sweeping-changes-to-its-privacy-regime