Québec privacy compliance - Time’s up!
September 22, 2023, will be a landmark date for privacy and data protection in the province of Québec. Most of the changes brought to Québec’s Act respecting the protection of personal information in the private sector (the “Private Sector Act”) by Law 25 (also known as Bill 64) will come into force on that day.
The reformed Private Sector Act takes inspiration from European data protection laws (including the GDPR), and introduces several major changes that will bring the legal framework for privacy in Québec into the modern era.
The main changes coming into force September 22, 2023 include the following:
- A reaffirmed emphasis on consent as the only legal basis for the collection, use, and communication of personal information;
- Clarity and transparency requirements with regards to privacy and data protection practices;
- New obligations relating to the use of location-tracking and profiling technologies;
- Transparency requirements for automated decision-making (i.e. artificial intelligence);
- Obligation to conduct data privacy impact assessments in certain situations; and
- New requirements for transfers of personal information outside Québec.
These changes are in addition to the previous set of amendments in Law 25 which came into force on September 22, 2022. These changes included:
- The requirement to name a person in charge of the protection of personal information (the equivalent of the “data protection officer” function seen in other jurisdictions);
- Obligations related to data breaches (known as “confidentiality incidents” in Québec), including the obligation to disclose incidents presenting a risk of serious injury;
- New powers for the Québec privacy regulator, the Commission d’accès à l’information.
Time is now running out for businesses to review and update their privacy practices and policies. As a business operating in Québec, you must, if you have not already done so, nominate a person to be in charge of the protection of personal information (failing which this role will default to the person with the highest authority within the enterprise), develop privacy policies which cover all of the personal information held by the business (including customer and employee data), and carry out a data privacy impact assessment prior to any transfer of personal information outside of Québec and implement the necessary safeguards to ensure the data transferred will receive an adequate degree of protection. If transfers of personal information are made in the context of a services agreement with a third party without the consent of the person concerned, this agreement must be made in writing and comply with certain specific legal requirements.
These recently-added requirements in the Private Sector Act are supported by a new regime of administrative penalties and fines. September 22 will also bring into force very steep penalties for non-compliance, up to the greater of $25 million or four percent of worldwide turnover (whichever is greater) for the previous fiscal year.
With these most recent amendments, Quebec is now the strictest jurisdiction in Canada in terms of privacy and data protection. It is therefore critical for businesses to carefully review their privacy practices and policies to ensure continued compliance with this new regime.Our privacy and data protection professionals are closely monitoring ongoing developments and are ready to support you in your privacy compliance efforts.