Written by

William Blesch

Legal and data protection research writer at TermsFeed.

LinkedIn youtube Website

William Blesch

On this page

The Quebec National Assembly passed Bill 64 On September 21, 2021. An Act respecting the protection of personal information in the private sector.

This privacy law shows that Québec has not only brought its legislation up to date, but it has also aligned its private and public sector privacy regimes. This demonstrates a clear commitment to ensuring that the province's residents have access to robust data protection safeguards.

The coming years will be crucial for covered organizations and the individuals who work within them as they adapt to the requirements of Bill 64. By understanding and preparing for the changes, companies can help ensure a smooth transition into full compliance.

That's crucial because the law begins to go into effect in September 2022 and imposes significant new obligations on organizations concerning the management and protection of personal information.

This article will cover who Bill 64 applies to, what it requires, how to comply, and what penalties are on the table for non-compliance.

In order to comply with Bill 64, businesses must:

  • Establish data governance processes
  • Create company-wide data management policies
  • Implement technological solutions to de-index or transfer personal data upon request
  • Publish internal guidelines to support staff and service providers in the implementation of the new privacy regime

Failure to do any of the things listed above could result in significant financial penalties.

With all that in mind, we will provide an overview of the Quebec Privacy Law and discuss whom it applies to, what it requires, and what the penalties are for non-compliance.

You should note that the law is incredibly complex and comprehensive. Going into depth on all aspects is beyond the scope of this article.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



Bill 64 Background

Bill 64 Background

Quebec's privacy law brings the province's privacy laws up to date with the latest global trends and best practices. For example, the law is similar to Europe's General Data Protection Regulation (GDPR).

It is designed to give individuals more control over their personal data while establishing new requirements for organizations handling that data.

Bill 64 will probably have a domino effect in seeing other jurisdictions move to update their laws. Businesses will feel the reverberation of this bill not only in Canada but around the world as companies scramble to update their policies and procedures accordingly.

Indeed, while it is too early to tell how other Canadian provinces will react to Bill 64, businesses outside of Quebec should nevertheless evaluate the potential operational impacts posed by the law.

Even if a business does not have any physical presence in Quebec, it could still be subject to the jurisdiction of its data protection authority if personal information is processed relating to Quebec residents.

Despite everything just mentioned, for the moment at least, it seems that there are no immediate plans to revamp the Personal Information Protection and Electronic Documents Act (PIPEDA), which is Canada's primary federal privacy law.

This may be partly on account of the fact that Canada has been seen as a global leader in data protection, with strong privacy laws and enforcement.

Still, it remains to be seen how Bill 64's provisions will play out in practice as it introduces new ideas into Québec's data protection framework.

Who Must Comply With Bill 64?

All organizations with customers, employees, or operations in Québec must comply with the law.

When Does Quebec's Privacy Law Come into Force?

When Does Quebec's Privacy Law Come into Force?

While some provisions will come into force sooner than others, the Act as a whole will be implemented in September 2023. This gives organizations time to prepare for the new requirements and ensure they are compliant with the law.

The following time frame provides a snapshot of various amendments and when they come into effect:

2022
  • The appointment of a person in charge of the protection of personal information
  • Mandatory reporting of confidentiality incidents
  • Communication of personal data for concluding a commercial transaction
  • Communication of personal information for research purposes
  • Amendments to the biometrics provisions of the QC IT Act
2023
  • Governance policies and practices regarding personal information
  • Privacy impact assessments
  • Transparency and privacy notices
  • Identification, geolocation tracking, and profiling technologies
  • New consent requirements
  • New consent exceptions
  • Privacy by default
  • Automated decision-making
  • Transfers of personal information outside Québec
  • Outsourcing personal information
  • Retention and destruction of personal information
  • Right to be forgotten
  • New enforcement mechanisms
2024
  • Right to data portability

2022 Compliance Requirements

2022 Compliance Requirements

The Establishment of a "Privacy Officer"

Every business must now appoint a person to protect personal information. That individual will have the title of "Privacy Officer."

In order to fulfill this role, the Privacy Officer must have an understanding of the Act and be familiar with the various ways in which personal information can be protected.

Specifically, the Privacy Officer must be able to address issues surrounding:

  • Questions or complaints about how the organization handles personal information
  • Requests to correct personal information
  • Access to information requests

The cybersecurity duty falls on the shoulders of the CEO by default. As the highest authority within an organization, it is up to that individual to ensure that their company is doing everything possible to protect its data.

With that said, the law permits the CEO to delegate the responsibility to someone inside or outside the organization. Still, the CEO must do it in writing, and records must be kept as to who is precisely responsible.

Once the Privacy Officer is established, that individual's title and contact information must be posted on the organization's website.

Interestingly, Bill 64 does not require the Privacy Officer to be located in Québec or know French. However, businesses should consider it a best practice to ensure that their Privacy Officer has a working knowledge of both.

Reporting Breaches in Confidentiality

As soon as a business has reason to believe that a breach has occurred involving personal data in its custody, it must take reasonable measures to reduce any risk of harm and to prevent similar incidents from occurring.

This includes notifying individuals who may have been impacted by the breach and taking steps to protect their privacy.

Bill 64's definition of "confidentiality incident" is "access to, use, or communication of personal information not authorized by law, as well as the loss or any infringement of the protection of such information."

This is a stricter definition of a data breach than that used by other Canadian privacy laws. Bill 64 widens the scope to include the unauthorized use of personal information.

Additionally, as soon as an organization becomes aware of a risk of serious injury, it is required to notify the Commission d'accès à l'information (CAI) and any person whose personal information may be affected.

The organization that was a victim of a breach may also notify credit institutions and other third parties without gaining the consent of impacted individuals. If it believes doing so can help reduce the risk of harm to impacted customers. During the process, the business may only disclose necessary personal information.

The caveat here is that a business cannot notify third parties if doing so might interfere with law enforcement and regulatory investigations.

The threshold for when an organization must report a "risk of serious injury" appears to be equivalent to the reporting threshold of a "real risk of significant harm" under PIPEDA:

  • This means that the business must consider
  • The sensitivity of the data concerned
  • The anticipated repercussions of its use
  • The likelihood that such data will be used for harmful purposes

Finally, in order to keep your business safe and in compliance with the law, you will need to log every confidentiality incident. By keeping a register of these incidents, you will be able to provide information to the CAI upon request.

Keep in mind that starting in late 2023, the CAI will have the authority to order any individual involved in a confidentiality incident to take any measure needed to protect the rights of those concerned.

This includes, but is not limited to:

  • Suspending or terminating access to information system
  • Removing content from online platforms
  • Prohibiting or restricting contact with persons concerned

Communication of Personal Information for Commercial Transactions

During commercial transactions, personal information may be communicated to other parties without the consent of the persons concerned.

The parties in question must agree prior to the communication, stipulating that the receiving party must:

  • Use the data only for concluding the commercial transaction
  • Not communicate the data without the consent of the person concerned
  • Take the necessary measures required to protect the confidentiality of the data
  • Destroy the data if the commercial transaction is not concluded, or
  • If using the data is no longer necessary for concluding the commercial transaction

After the commercial transaction concludes, the law requires that the receiving party notify the persons impacted within a reasonable period of time that it now holds personal data concerning them in connection with the transaction.

This notification must include how and why the recipient intends to use their personal information.

This amendment brings Bill 64's approach to commercial transactions in line with PIPEDA, Alberta's PIPA, and BC's PIPA.

Communication of Personal Information for Research Purposes

Suppose your organization is interested in conducting research or studies that involve personal information. In that case, you will now be able to do so without having to go through the process of seeking authorization from the CAI or obtaining consent from individuals.

Under the law, businesses may communicate personal information without prior consent to any body or person who intends to use it for research purposes. However, the organization must reach the following conclusions and conduct an assessment of privacy factors before doing so.

The organization must:

  • Believe that the objective of the study or research or of the production of statistics can be achieved only if the data is communicated in a form allowing the persons concerned to be identified
  • Believe that it is unreasonable to require the person or body to obtain the consent of the persons concerned
  • Believe that the objective of the research or study of the production of statistics outweighs, in light of the public interest, the consequences of communicating and using the data on the privacy of the persons concerned
  • Ensure the personal information is used in such a manner as to ensure confidentiality, and
  • Ensure only the necessary information is communicated

2023 Compliance Requirements

2023 Compliance Requirements

Establish and Implement a Privacy Framework

Businesses will have to establish and implement a privacy framework comprising practices and policies that are proportional to the extent and nature of the company's activities to protect personal information.

Bill 64 sets out specific policies regarding the protection and destruction of personal data, the responsibilities and roles of staff members throughout the information life cycle, and the implementation of a process to handle complaints.

The Privacy Officer must approve the privacy framework. In addition, the organization must publish on its website, in clear and straightforward language, detailed information about these policies and practices. This will help customers make knowledgeable decisions about their personal data when interacting with your company.

Ensure Transparency

The GDPR has brought about a new era of transparency and control for individuals with respect to their personal data. Bill 64 continues the trend by demanding increased levels of accountability on the part of organizations.

Under the law, companies now have expanded disclosure obligations, including:

  • The purposes for which personal data is collected
  • The means by which the data is collected
  • Rights of access and rectification
  • The individual's right to withdraw consent to the communication or use of the information
  • Whether there is the possibility that the data may be communicated outside Québec, and
  • The categories of third parties or names of the third parties, or
  • To whom it is necessary to communicate the data

The addition of this new provision will certainly add complexity for organizations as they strive to comply with Québec's data protection law. However, by taking a risk-based approach and working closely with their third-party processors, organizations should be able to manage the additional obligations imposed by this amendment.

As previously stated, businesses that use technology to gather personal data will now have to post clear and easy-to-understand notices regarding their privacy practices.

Types of technology specifically mentioned during the data gathering process include the use of digital marketing technologies to track, identify, and profile individuals, such as certain kinds of cookies.

The term "technology" under Bill 64 is also understood to include:

  • Mobile devices and applications
  • Streaming media services

Before collecting personal information, businesses must give their users prior notice that they are, in fact, using these kinds of technology. They must also provide their users with a notice any time they amend their privacy notice.

While this might sound inconvenient to some, it is intended to lead to more transparency and trust between businesses and consumers.

In light of the above, it's recommended that businesses ensure that their Privacy Policies are placed on the company website. Companies should also place links to their Privacy Policies in applications and all business-related emails.

Privacy Impact Assessments

Bill 64 takes a note from the GDPR and requires businesses to carry out a privacy impact assessment of all projects involving the use of personal information.

The nature of these projects includes those that involve the development, acquisition, or redesign of an electronic service or information system. Businesses must now put into place privacy by design measures.

Privacy By Default

Essentially, a company's privacy framework for public-facing services or products must be set (without requiring a user to do anything) at the highest confidentiality level possible by default.

There are new rules for consent under the law. For instance, if an organization provides notice of its purposes for collecting personal information at the time of collection, consent is assumed when the business carries out its purposes with personal information in hand except in cases of medical, biometric, or otherwise intimate information.

Bill 64 reframes consent as being "clear, free, and informed and [...] given for specific purposes," which is slightly different from "manifest, free, and enlightened, and [...] given for specific purposes."

That said, it is vital to note that unless the additional use falls within one of the exceptions listed in the law, businesses must obtain consent from the person concerned.

The changes in the law allow for greater flexibility in how companies can use personal data.

For example, a company can use personal information for a different use than that for which it was originally collected without notifying customers if:

  • There is a direct and relevant connection with the initial purpose
  • It is obviously for the benefit of the customers concerned
  • It is necessary for the prevention and detection of fraud or the evaluation and improvement of protection and security measures
  • It is necessary for the supply or delivery of a product or the provision of a service requested by the person concerned, or
  • It is necessary for study or research purposes, or for the production of statistics, where the information is de-identified

Finally, businesses must ensure that parental consent is obtained when collecting, using, or communicating information obtained from children who are less than 14 years old.

Enforcement and Penalties for Non-Compliance

Enforcement and Penalties for Non-Compliance

The CAI will now have the ability to levy heavy administrative monetary penalties for violations of Bill 64. This should act as a deterrent for companies from violating the Act and help ensure that consumers are better protected.

Penalties for non-compliance can be severe, reaching up to CA$50,000 for individuals and $10 million or 2% of an organization's global turnover.

While it is not likely that your business will be fined the maximum amount should you violate the law, it is crucial to be aware of potential penalties and what constitutes a violation.

By understanding how personal data must be collected, used, and stored according to Bill 64, you can help keep your customer's data safe and protect your company from potential fines.

Summary

Quebec's privacy law is incredibly complex and comprehensive.

To stay compliant and avoid penalties, organizations must take a holistic view of their internal compliance processes and update these where necessary to mitigate the risks associated with data privacy violations.

By doing so, they can ensure that they are best positioned to protect their customers' private information while also mitigating financial risks.

The point is that time is ticking away for businesses to bring themselves into compliance with Quebec's privacy law. By creating a compliance plan, your organization can ensure that it is on track to meet the requirements of Bill 64.