Quebec’s Bill 64 Receives Royal Assent – Paving the way for major privacy reform in Quebec and across Canada
October 18, 2021
On September 22, 2021, the Act to Modernize Legislative Provisions respecting the Protection of Personal Information (“Bill 64“) received royal assent, just one day after it was adopted by Quebec’s National Assembly.
Bill 64 updates the existing framework applicable to the protection of personal information by amending various Quebec laws, including the Act respecting the protection of personal information in the private sector and the Act respecting Access to documents held by public bodies and the Protection of personal information (the “Acts“).
Bill 64 increases data protection obligations on private and public sector organizations in Quebec and creates a privacy regime similar to that of the European Union’s General Data Protection Regulations (“GDPR“), which is considered the most stringent privacy and security law in the world.
Some noteworthy changes Bill 64 include:
- Organizations are required to designate a Privacy Officer, who would be responsible for overseeing the protection of the personal information in their custody;
- Organization must complete mandatory privacy impact assessments (“PIAs“);
- Organization must establish and implement governance policies and practices regarding personal information that ensure the protection of such information;
- Organizations are limited to the use of de-identified and anonymized information;
- Organizations are expected to update their privacy policies and create new individual rights mechanisms to address new, individual privacy rights (including the right to be forgotten, and to access information on how automatic decision-making affected a decision made pertaining to them)
- Heftier fines and new monetary administrative penalties, including:
- fines of up to C$25-million or, if greater, an amount corresponding to four percent of the enterprise’s worldwide turnover for the preceding fiscal year for private sector organizations; and
- fines between C$15,000 and $150,000 for public sector organizations
- Increased powers to the Commission d’accès à l’information du Québec (Quebec Regulator), which would be able to impose monetary administrative penalties of up to C$10-million on non-compliant private enterprises and up to C$50,000 on individuals or two percent of global revenues.
The provisions are being phased in with some requirements coming into force in one year, the majority at the two year mark, and full compliance being required by September 22, 2024.
Organizations will need to make a number of changes in order to ensure that they comply with Quebec’s legislation if they do business or operate in Quebec.
It is likely that we will see Bill 64 as the precedent for other Canadian jurisdictions, which are now expected to adopt similar changes in the not too distant future.
Privacy and Compliance