Quebec’s Bill 64: An Overview of Key Changes for 2022 to Quebec’s Privacy Regime
On September 22nd, 2021, the National Assembly of Quebec passed Bill 64, with the goal of modernizing Quebec’s privacy laws. Bill 64 introduces significant changes to the Canadian privacy landscape which will apply not only to organizations doing business in Quebec, but also to organizations that handle personal information from residents of Quebec. These changes will come into force over the course of three years. The first round of implementation began on September 22nd, 2022, with subsequent implementations occurring annually until September 22nd, 2024.
Obligations arising from Bill 64’s amendments to Quebec’s private sector privacy law (“Private Sector Act”) will be enforced through strict non-compliance penalties. Private sector organizations that commit an offence under the amended Private Sector Act may be penalized up to $25 million or four percent of annual global revenues for the preceding year, whichever amount is greater. The amendments also provide for administrative monetary penalties and for private rights of action for damages resulting from unlawful infringement of the right to privacy. The new enforcement regime is not set to take effect until September 22nd, 2023; however, compliance as early as possible is recommended.
This article provides an overview of four major changes that took effect on September 22nd, 2022, but is not an exhaustive or complete list. Organizations with a presence in Quebec or processing personal information of Quebec residents should seek legal advice on compliance with Quebec’s updated privacy regime.
Key Changes for 2022
Four significant changes came into effect on September 22nd, 2022, which are further set out below:
- Appointment of a privacy officer
- Mandatory privacy breach reporting
- Permitted disclosures of personal information without consent
- Biometric database requirements
Required Appointment of a Privacy Officer
Under the amended Private Sector Act, each organization must have a named privacy officer – an individual responsible for implementing the new requirements and safeguarding personal information. By default, the CEO, or otherwise the highest-ranking individual in the organization, is deemed to occupy this position. However, the privacy officer is free to delegate the role to another individual, so long as such delegation is made in writing. The privacy officer’s title and contact details must be publicly available on the organization’s website, or by other appropriate means where the organization has no online presence.
Mandatory Reporting of Privacy Breaches
The Private Sector Act amendments also impose new requirements for organizations to report privacy breaches. A breach, or confidentiality incident, would involve any unauthorized access, use or disclosure of personal information, loss of personal information, or other breach in the protection of personal information. Organizations that have cause to believe that a confidentiality incident has occurred must take reasonable measures to reduce the risk of injury and to prevent future incidents.
If a breach occurs, organizations must conduct an assessment to determine the level of risk posed. If an organization has determined that a breach poses a risk of serious injury, the organization must promptly notify Quebec’s Commission d’accès à l’information (“CAI”), as well as anyone whose information was involved in the breach, unless an exception applies. Draft regulations published by the CAI set out the required contents of such breach notices.
Organizations are required to record all confidentiality incidents for at least five years after becoming aware of the incident, regardless of the assessed level of risk. The draft regulations contain requirements for the breach details that must be recorded.
Permitting Personal Information Disclosure Without Consent
Further, the amended Private Sector Act now permits organizations to disclose personal information without consent of the individuals concerned in certain situations, such as where necessary to conclude a commercial transaction or for the purpose of conducting research. Several conditions must be met to benefit from these disclosures without consent, which are further described in the amended legislation.
Database of Biometric Measurements
Bill 64 also amended Quebec’s information technology law, which regulates the use of biometric databases. Following the amendments, organizations may use biometric systems for verification or confirmation of identity only if they first obtain express consent from individuals concerned and disclose the biometric database to the CAI. The disclosure must be made no later than 60 days before a biometric database is brought into service.
The amendments that came into force on September 22nd, 2022 through Bill 64 represent only the first wave of changes to Quebec’s privacy legislation. With an even greater set of changes on the horizon for 2023, as well as steep non-compliance penalties, organizations would be prudent to determine the extent to which they are subject to Quebec’s new privacy regime and assess their compliance obligations.
Note: LaBarge Weinstein LLP does not have lawyers qualified in the Province of Quebec and we are providing the above summary for information purposes only. If you feel the foregoing requirements might apply to you, we are happy to provide a referral to qualified Quebec legal counsel.