Let’s look at Quebec’s Bill 64.

Does your business have an office in Quebec, or engage with Quebec-based customers? Are you planning to grow in the Quebec market? If yes to any of these, then keep reading.

On September 21, Quebec’s National Assembly passed Bill 64, An Act to modernize legislative provisions as regards the protection of personal information. It’s similar to the EU’s General Data Protection Regulation (GDPR), and is the most stringent Canadian privacy legislation to date.

Last week we attended a webinar hosted by Kobalt.io to learn more about Bill 64 and its implications, which include:

  • A clear outline regarding the requirements for collection, use, disclosure, and storage of personal information,
  • A requirement for consent for secondary uses of any personal information,
  • The need for businesses to appoint a privacy officer, who will advise on policy-related matters,
  • Mandatory breach reporting, with a formal protocol to identify, triage, mitigate, and respond,
  • The need for vendor contracts and related service agreements to have sufficient privacy protection clauses, with vendors having proper safeguards to protect clients’ personal information, and
  • Penalties for non-compliance, which include a right to private action (i.e., class action litigation), administrative monetary penalties (up to 2% of annual worldwide revenue or $10 million), and penal offences (up to 4% of annual worldwide revenue or up $20 million),

Bill 64 has a three-year phase-in period. Phase one includes appointing the privacy offer and and mandatory breach reporting rules, and is effective September 22, 2022; phase two takes effect on September 22 of 2023, and includes items such as outsourcing, consent, cross-border data transfer and retention and destruction. The third phase covers issues related to data portability, and takes effect on September 22, 2024.

Borden Ladner Gervais LLP has a good overview of Bill 64’s key requirements here, and will soon publish a more comprehensive guide to help businesses comply with these changes. And as always, seek legal advice where clarification is required.

Disclaimer

%d bloggers like this: