Quebec’s new privacy law comes into force in less than six months. Any business that violates the privacy rights of Quebec citizens may face significant fines and civil litigation risks, regardless of where they are headquartered. It may take months to prepare, so business leaders should consider undertaking an audit and remediating compliance gaps as a high priority.
Last year, the province of Quebec introduced sweeping changes to their privacy laws with the adoption of An Act to modernize legislative provisions regarding the protection of personal information, commonly referred to as Bill 64. It amends the Act respecting the protection of personal information in the private sector (PPIPS), Quebec’s private sector privacy law, and the public sector privacy law.
The following are essential details related to the modernized PPIPS (the “Act”):
Which business must comply with the Act? Any business operating inside or outside of Quebec that processes the personal or sensitive information of Quebec citizens. Quebec accounts for nearly one-quarter of Canada’s population, so this qualifier casts a wide net.
What is deemed to be personal information? Generally, any information that is directly or indirectly linkable to a Quebec citizen, including email address, phone numbers, birth dates, education, financial and employment data, or their IP address, to name a few. Sensitive personal information, such as medical, biometric, ethnicity, religion, or “otherwise intimate information,” will be subject to stricter protections.
When does the Act come into force? The Act will be phased in over three years, with the first requirements coming into force on September 22, 2022. On the following two anniversary dates, additional compliance requirements will be introduced.
What are the penalties for businesses that are in breach of the Act? Similar to the General Data Protection Regulation (GDPR) in the EU, where over $1.5 Billion in fines have been issued since 2018, potential penalties may be severe. They include:
1. Administrative monetary penalties of up to the greater of $10 million or 2 percent of worldwide revenue for the preceding financial year.
2. Penal provisions of up to $25 million or 4 percent of worldwide revenue for the preceding financial year.
3. The right for individuals to sue private sector organizations for violating privacy laws under certain circumstances. They are also entitled to punitive damages under certain circumstances.
Where should you start? Businesses would be well advised to begin undertaking measures to ensure compliance with the Act. The following are six essential steps to get started:
1. Designate a Privacy Officer: Covered entities must appoint a Privacy Officer to ensure compliance is achieved and monitored. A person with the “highest authority” (usually the CEO) assumes this role by default; however, they may delegate responsibilities to an internal representative or third-party service provider. Contact information for the Privacy Officer must be provided on the company website or by other means if a website doesn’t exist. If outsourcing to a third party, organizations should ensure that their advisor has the appropriate credentials, such as a formal designation from the International Association of Privacy Professionals (i.e., CIPM, CIPP, and CIPT).
2. Conduct a compliance audit: To achieve compliance, many businesses will be expected to make significant changes to how they conduct business across multiple functional groups, including sales, marketing, product development, procurement, information technology, and human resources. Businesses should strongly consider undertaking a compliance audit against Quebec’s PPIPS and other modernized global privacy regulations. Ongoing monitoring will be required to ensure compliance is maintained to address regulatory updates in Quebec and other covered jurisdictions. This audit may take several months to complete and even longer to achieve compliance. Given that the Act comes into force on September 22, 2022, it is recommended that businesses get started as soon as possible.
3. Locate and classify your data: Any business processing personal or sensitive information should have a complete and accurate view of the data stored in-house and shared with third parties. The type, location, sensitivity level, security level, and retention policy for all data should be categorized. Without a proper data inventory, it will be impossible to comply with key provisions of the Act, such as confirming consent, responding to data access requests, reporting data breaches, conducting privacy impact assessments (PIAs), and ensuring third party data sharing requirements are met. Use this exercise as an opportunity to locate and categorize data from other covered jurisdictions where new privacy regulations are in place, such as California, Colorado, Virginia, Utah, the EU, and the UK, to name a few.
4. Build a privacy program: All businesses covered under the Act will be required to establish and document governance policies and procedures to ensure personal information is protected. This includes building a framework for retaining and destroying information, responsibilities of personnel through the lifecycle of the information, and processes for handling data subject access requests and complaints. Ensure that all stakeholders across the organization are involved in developing the privacy program and are assigned clear responsibilities to ensure compliance is maintained. Consider forming a privacy committee that includes the Privacy Officer, IT and information security, marketing, and other key stakeholder representatives.
5. Train your people: Compliance is not something that happens on its own; employees are the primary risk factor when it comes to privacy breaches. The stakes for non-compliance are significant; therefore, it will be essential to ensure that all levels of the organization, from the board to front-line staff, are included in training programs. Consider implementing privacy compliance training as part of your onboarding process, ideally via on-demand modules, which require passing a test prove evidence of comprehension. As a best practice, ensure training is updated as regulations evolve and that employees are required to complete refresher sessions semi-annually.
6. Report breaches: Failure to report a “confidentiality incident” involving personal or sensitive information of Quebec citizens that could cause “real risk of significant harm” impose the most severe penalties. Examples of confidentiality incidents may include phishing attacks, malware deployments, botnets, brute force attacks, or internally caused breaches, such as inadvertently emailing personal records to the wrong recipients. Reporting breaches also extend to incidents involving third-party data processors that have custody and control of personal information, reinforcing the importance of data inventories and third-party data-sharing agreements.
Let’s face it, properly assessing and implementing privacy compliance is complex, and it’s not getting any easier, particularly given the number of jurisdictions introducing new regulations.
Ultimately, it can take months – sometimes years – to properly conduct a privacy compliance assessment and apply the recommended controls. Those who have not begun their journey would be well advised to get started immediately.
Vayle can help. Schedule a no-obligation consultation with one of our Privacy Compliance Advisors today.
This article is for information purposes only and does not constitute legal advice.