Anyone operating a business that violates the privacy rights of people in Quebec or fails to meet Quebec’s stringent new requirements for protecting personal information may face administrative monetary penalties, fines, binding orders, and civil action.
On September 21, 2021, Canada’s second-most populous province quietly ushered in a new era of personal information protection with the adoption of An Act to modernize legislative provisions regarding the protection of personal information, otherwise known as Bill 64. It amends the Act respecting the protection of personal information in the private sector (PPIPS), Quebec’s private sector privacy law, and the public sector privacy law.
PPIPS applies to anyone operating a business, whether based in or outside Quebec, that processes Quebecers’ personal information. Much like the European Union’s General Data Protection Regulation (GDPR), the Act’s amendments will dramatically change how private sector organizations manage and protect Quebecers’ personal information. The Act also contains specific provisions for imposing fines, enforcement orders, and administrative monetary penalties.
Suppose your business processes the personal information of people in Quebec: email addresses, phone numbers, birth dates, education, financial, or employment data, or any information that can be directly or indirectly linked to an individual, such as an IP address. Or suppose you process “sensitive personal information,” such as medical, biometric, ethnic-origin, religious, or “otherwise intimate” information, which is subject to stricter protections. In either case, PPIPS may apply to you.
What’s at stake for organizations that don’t comply?
Any business that fails to meet the requirements introduced by the Act could face serious consequences. These include:
- Administrative monetary penalties (AMPs). Quebec’s regulator, Commission d’accès à l’information du Québec (CAI), may impose administrative monetary penalties of up to the greater of $10 million or 2 percent of worldwide revenue for the preceding fiscal year.
- Penal provisions. The Act also gives the CAI the power to pursue penal proceedings. Private sector organizations found to have violated the Act may face fines of up to the greater of $25 million or 4 percent of worldwide revenue for the preceding fiscal year. Fines are doubled for subsequent offences.
- Private right of action. Individuals will be entitled to sue private sector organizations for damages resulting from a violation of the Act under certain circumstances. Where the violation is intentional or results from gross fault, they are also entitled to punitive damages of at least $1,000.
Although the official date of assent was September 22, 2021, the Act’s provisions come into force in three annual phases, with most taking effect in the second year (September 2023). Given that some of the Act’s requirements may take months, or potentially years, to implement, it is essential for businesses to start preparing immediately.
The road ahead: Doing business in Quebec
To avoid violating the Act, organizations need to take care to follow its requirements. Below is a partial summary of what you’ll need to achieve compliance:
- Appoint a privacy officer. The person with the “highest authority” in the company (usually the CEO) assumes this role by default but may delegate its responsibilities, in writing, to an individual or group to ensure PPIPS is implemented and complied with. Regardless of delegation, accountability remains with the top executive. The privacy officer’s title and contact information must be published on the company’s website, or by other means if no website exists. Businesses that cannot justify or afford a full-time resource should consider outsourcing this function to an external data privacy expert.
- Establish a privacy program. All covered businesses will be required to define and implement governance policies and procedures to ensure personal information is adequately protected. Requirements include a framework for keeping and destroying information, responsibilities of personnel through the life cycle of the information, and a process for handling complaints. The best way to accomplish this is by creating a holistic privacy program and governance framework led by an experienced privacy advisor.
- Confirm consent. When collecting personal information, organizations must ensure consent is “clear, free, and informed and provided for specific purposes.” Sensitive information requires express (opt-in) consent. Review every channel where personal or sensitive information is captured, along with its associated consent mechanism. Consent confirmations should be recorded and timestamped so that evidence is available if a regulator or individual demands it. Ensure that you have the right technology and associated advisory services in place to customize consent rules by jurisdiction.
- Prepare for data subject requests. The Act introduces new rights for data subjects, including the right to be forgotten, the right to data portability, and de-indexing rights, alongside the existing rights of access and rectification. Ensure that you have the proper channels and capabilities to capture, record, and fulfill such requests within the required timeframe. Including a data subject access request (DSAR) form in your privacy notice is recommended.
- Conduct privacy impact assessments (PIAs). Businesses will be required to conduct PIAs when acquiring, developing, or redesigning any information system or electronic services delivery project that involves processing Quebec citizens’ personal information, when transferring personal information outside Quebec (including a transfer risk assessment to ensure consistent protection), or when sharing with third parties for research purposes. This may involve changes to both policies and internal governance as well as measures to mitigate risks discovered in PIAs. If you are unsure about what is involved with a PIA, engage a third-party advisor who can help create and implement the proper framework.
- Implement privacy by design and by default. Organizations launching technology products or services that include privacy settings must ensure those settings default to the “highest level of confidentiality.” Businesses covered by GDPR’s Article 25 already meet similar requirements. Consider enrolling your product and technology teams in specialized training so they are equipped to address this requirement, and involve them actively in your PIAs.
- Contract when sharing. When sharing the personal information of Quebec residents with vendors and other third parties, a written agreement must be in place that sets out specific requirements for data processing, protection, and disposal. New rules also apply when transferring Quebec residents’ personal information outside the province. A good first step is to conduct a data discovery and mapping exercise to understand which types of data are being shared and with whom.
- Report breaches. Mirroring the existing federal (PIPEDA) regime, the Act requires businesses to report any “confidentiality incident” involving personal or sensitive information that presents a “risk of serious injury.” When this occurs, notifications must be sent “promptly” to both the CAI and the affected individuals, and the organization must keep a register of its confidentiality incidents. Failure to comply may result in personal liability for company directors. Since breaches usually involve data subjects in several jurisdictions, each with its own reporting rules, it is vital to have a breach response plan in place that specifies the prescribed reporting timelines and contacts for each.
Compliance requirements are coming. Be prepared.
Determining whether a data subject resides in Quebec or in another Canadian province may prove difficult. Since Quebec accounts for nearly one-quarter of Canada’s population, those doing business in the province will need to decide whether to apply the Act’s requirements to all of their Canadian data subjects. Ontario has also just proposed a new provincial privacy law similar to Bill 64 which, if enacted, would mean that over 60% of Canada’s population is covered by modernized personal information protection rights.
Regardless of what the law requires, forward-thinking leaders are pre-emptively building a privacy-first approach into their businesses to bolster trust and transparency with their clients, employees, and other stakeholders. Companies would be well advised to start their privacy journey now.