Updated: May 29
On 21 September 2021, the Quebec National Assembly passed Law 25/Bill 64, An Act to modernize legislative provisions regarding the protection of personal information. This act amends the Act Respecting the Personal Information in the Private Sector and makes significant changes to it.
Law 25 / Bill 64 applies to you if:
Your business is headquartered in the Province of Quebec or
You have website visitors from Quebec.
Like other data protection laws worldwide, Bill 64 applies to a relationship between a business and a user where at least one comes from Quebec.
Following are the key takeaways from the Quebec Law 25 (Bill 64) Privacy legislation:
1. Increased penalties for non-compliance- Bill 64 increases the fines for noncompliance with privacy legislation, providing that private sector entities be subject to fines ranging from $15,000 to $25,000,000, or an amount corresponding to 4% of worldwide turnover for the preceding fiscal year, whichever is greater.
2. Private Right of action- penal prosecution regarding violations of both the Public Sector Act and the Private Sector Act were to be instituted within three years of the date of the infraction.
3. Mandatory breach reporting- there is currently no requirement for Quebec entities to report data breaches or other security incidents. Bill 64 introduces the requirement that both public and private entities report incidents to both the Commission d'accès à l'information and to the persons whose data is affected where the incident "presents a risk of serious injury".
4. Exemptions to consent requirements- If the use of the information is necessary to prevent or detect fraud, or to assess and improve security measures; or if the use of the information is necessary for the purpose of providing or delivering a product or providing a service requested by the individual.
5. Privacy by design- The concept of "privacy by design" remains in place in the final version of Law 25/Bill 64, but the scope of application of the requirements in this regard has been narrowed somewhat. Under the final version of Law 25/Bill 64, the requirements mentioned above will only apply to technological products or services offered "to the public" (as opposed to, say, those made available by an employer to its employees), and only where the product or service at issue "has privacy parameters".
6. Designation of individuals responsible for personal information- In private entities, this person will, by default, be the CEO. Under the initial version of Law 25/Bill 64, this responsibility could be delegated to another member of the enterprise's personnel. Under the amendments, however, this right of delegation has been expanded, allowing a CEO to delegate this power to "any person", internal or external to the enterprise. Businesses will thus be permitted to outsource this function to a third party.
7. Enhanced requirements for the communication of personal information outside Quebec- The initial version of Law 25/Bill 64 called for drastically increased requirements on enterprises wishing to transfer personal information outside the province of Quebec, providing that such a transfer could occur only if the target jurisdiction offered protection "equivalent to" that which the information would be afforded in Quebec. Under the amendments, this requirement has been tempered; transfers will be permitted to jurisdictions offering "adequate protection," to be assessed "in particular in light of generally recognized principles regarding the protection of personal information."
8. New notification requirements- The amendments add that an enterprise will also be required to inform the individual of the names of the third parties to whom the information collected will have to be communicated in order to fulfill the purposes for which it was collected.
Under this amendment, a simple statement that the information may be shared with third parties will not be sufficient. Instead, enterprises will be required to disclose the name of each such third party or categories of third parties.