Québec Adopts Modernized Privacy Law for the Province’s Public and Private Sectors
By Greg Jodouin
On September 21, 2021, Québec’s Legislative Assembly adopted Bill 64, An Act to modernize legislative provisions as regards the protection of personal information.
The Bill brings significant changes to both the province’s public and private sector privacy laws.
Following on the steps of the EU’s General Data Protection Regulation (GDPR), Bill 64 sets new standards with respect to individual rights. It is considered one of the most stringent privacy laws in the world, introducing stricter requirements, significant fines, and increased powers for the provincial privacy commissioner.
What this Means for the Private Sector
Some of the new requirements are fairly rudimentary and aligns the Québec law with other privacy laws. For example, starting in September 2022, organizations will be required to designate a privacy lead, an obligation that already exists in PIPEDA.
Other provisions are more onerous. The most controversial of these is a new requirement for organizations to conduct mandatory Privacy Impact Assessments (PIA). PIAs will be triggered in certain circumstances, for example, when data is to be transferred outside of Québec.
Starting in September 2023, organizations will have to establish in a PIA that the jurisdiction in which the data is to be transferred (including other provinces) has a legal framework that provides “adequate” protection in keeping with “generally accepted data protection principles.”
Other provisions in Bill 64 include:
- Enhanced consent and transparency obligations
- Regulation for de-identified and anonymized information
- A right to data portability
- A person’s “right to be forgotten”
- A private right of action
- Administrative fines up to $10 M or 2% of global sales (the higher of the two), and up to $25 M or 4% of sales for criminal proceedings.
What this Means for the Rest of Canada
The new law will have significant consequences across Canada. On the one hand, Québec takes the view that its privacy legislation applies to any private-sector organization doing business in the province, even if an organization is not headquartered there.
On the other hand, Québec is the first Canadian jurisdiction to significantly reform its privacy law, setting a very high standard when it comes to privacy rights. Other Canadian jurisdictions are paying attention. Already, the Province of Ontario, which is contemplating introducing its own privacy legislation, has referenced Bill 64 as a possible template to follow.
Remains to be seen how Bill 64 will influence new federal privacy legislation. The re-elected Liberal government promised they would table an updated version of Bill C-11, which was introduced with great fanfare in 2020 as legislation to replace PIPEDA. The Bill, however, was widely criticized for failing to meet the mark and the Liberals let it die on the Order Paper when the federal elections were called in August.
Québec’s Bill 64 was introduced in June 2020 and received royal assent on September 22, 2021. Although the coming into force of Bill 64 will be spread over three years, most new provisions for the private sector will come into effect on September 22, 2023. A few provisions come into effect next September, such as a new privacy breach notification requirement.
About Greg Jodouin:
Greg Jodouin is CRIC’s Government Relations Consultant and President of PACE Public Affairs & Community Engagement.
To read the CRIC-ICC-ESOMAR Code of Conduct for marketing research, insights and data analytics professionals, visit this document.
To learn why your organization should join CRIC visit this document and / or write to [email protected].