Quebec Introduces New Amendments to Its Privacy Regimes

On June 12, 2020, the Government of Quebec tabled Bill 64, an Act to modernize legislative provisions as regards the protection of personal information (Bill), before the National Assembly of Quebec. The Bill proposes to update the existing framework applicable to the protection of personal information by amending various laws of the province of Quebec, including the Act respecting the protection of personal information in the private sector and the Act respecting Access to documents held by public bodies and the Protection of personal information (Acts).

Should the Bill be passed, both private and public sector organizations in Quebec would be subject to increased data protection obligations, in many ways similar to those imposed by the European Union’s General Data Protection Regulations (GDPR). Key features of the Bill include:

• Heftier Fines and New Monetary Administrative Penalties: In the event of non-compliance with the Acts, the following fines could be imposed:
  • For private sector organizations, fines of up to C$25-million or, if greater, an amount corresponding to four per cent of the enterprise’s worldwide turnover for the preceding fiscal year; and
  • For public sector organizations, fines between C$15,000 and $150,000
• In addition to these fines, the Bill would also grant increased powers to the Commission d’accès à l’information du Québec (Quebec Regulator), which would be able impose monetary administrative penalties of up to C$10-million on non-compliant private enterprises and up to C$50,000 on individuals
• Breach Notification Requirements: New notification requirements would be imposed when responding to incidents, which result in the unauthorized disclosure of personal information. Where such a breach raises the possibility of serious injury to an individual whose personal information is disclosed, the affected private or public sector organization would have the obligation to promptly notify both the Quebec Regulator and any affected individuals.
• Mandatory Privacy Impact Assessment: Privacy impact assessments would have to be conducted in relation to any information system project or electronic service delivery project involving the collection, use, release, keeping or destruction of personal information.
• Data Protection Officer: Both private and public sector organizations would be required to designate an individual responsible for overseeing the protection of the personal information in their custody.
• Privacy by Design: Private-sector organizations would have to ensure that the parameters of the technological products or services they use to collect personal information, by default, are set to the highest level of protection, without any intervention by the individual. Further, if the technology used to collect personal information includes functions allowing an individual to be identified, located or profiled, or if the personal information collected is used to make a decision based exclusively on automated processing of such information, additional information must be provided to the individuals from whom the personal information is being collected.
• Consent: The Bill provides for additional consent requirements, specifically:
  • Requests for consent to the collection of personal information must be made separately from all other information provided to an individual;
  • Consent must be expressly given for certain uses or disclosures of sensitive personal information; and
  • Consent of the person having parental authority must be obtained to collect, use and release personal information concerning a minor under 14 years of age.
• Disclosures Without Consent: Clarifications on the conditions of certain disclosures without the individual’s consent are included in the Bill, as well as additional conditions that would be imposed on private enterprises and public bodies with respect to the disclosure of personal information without the individual’s consent for research purposes.
• Data Portability Right: Individuals would be granted the right to access computerized personal information concerning themselves in a structured, commonly used technological format, or to request that such access be granted to a third party.
• De-indexation Right: Individuals would be granted the right to require that their personal information cease to be disseminated, or that any hyperlink attached to their name which provides access to such information by a technological means be de-indexed or re-indexed.
• Anonymization of Personal Information: The Bill allows for the possibility of anonymizing personal information, instead of destroying it, once the purposes for which it was collected have been fulfilled, provided that certain standards are met.
• Increased Transparency and Accountability: Private and public sector organizations would have to publish their governance rules regarding personal information on their website. Additionally, those that collect personal information through technological means will be required to publish a privacy policy as well.

The Bill is expected to be debated at the National Assembly and further amendments may be proposed. If adopted, the Bill will come into force one year after the Bill receives royal assent.

For further information, please contact:

Marie-Helene Constantin           514-982-4031
Sunny Handa                                514-982-4008
Imran Ahmad                               416-863-4329

or any other member of our Privacy & Data Protection group.