On September 22, 2021, Bill 64, An Act to modernize legislative provisions as regards the protection of personal information (‘Bill 64’ or ‘the Act’) received assent, making Quebec the first province in Canada to proceed with a major privacy regime reform amidst attempts and consultations at the federal level. Quebec’s privacy regulator, the Commission d’accès à l’information (the “CAI”), has taken an expansive view of the application of the Act. If an organization collects, uses or discloses personal information of individuals located within Quebec, the Act likely applies to the organization’s handling of that personal information, even if the organization does not have an office or facilities in Quebec.
This short article focuses on the four key requirements coming into force on September 22, 2022:
1. Confirm your Privacy Officer
Organizations must name a designated employee responsible for complying with Bill 64. By default, the amended law assigns compliance oversight to the person ‘with the highest authority’ (such as the CEO), but organizations may designate any individual as privacy officer so long as they publish the name, title and contact information of the individual responsible on the organization’s website.
The privacy officer must have decision-making authority, understand the organization’s data flows, actively enforce privacy policies, and have the required skill to provide data protection guidance. This is consistent with expectations across the country.
2. Review and update your data breach response plan
Bill 64 refers to data breaches as ‘confidentiality incidents’. Such an incident is any access to, use or communication of personal information not authorized by law, as well as the loss or any infringement of the protection of such information. Although this appears at first glance to align with PIPEDA and the Alberta Personal Information Protection Act, the definition of a confidentiality incident could technically be interpreted more broadly than a breach of security safeguards. We are expecting to see more guidance on this topic from the CAI very soon. The CAI and any affected individuals must be notified if there is a risk of serious injury to those individuals. The forthcoming regulations will likely provide details regarding the form of the notice.
Organizations will also now have to keep a register of confidentiality incidents. Once again, a regulation will determine the content of this register – to date, it is expected to include at least the date and nature of the incident, and the number of persons concerned. Since a copy of the register will also be sent to the CAI on request, it is important that organizations implement, among other things, appropriate systems for keeping such a register.
3. Understand obligations when disclosing personal information as part of a commercial transaction
Where the disclosure of personal information is necessary in order to carry out a commercial transaction, for example, a financing, merger or asset sale, personal information may be disclosed to a third party involved in the transaction without the need for individual consent. However, the organization transferring personal information to facilitate such a transaction must enter into an agreement that meets certain requirements designed to protect the personal information being transferred. In particular, the third party must: use the information only for finalizing the commercial transaction; not disclose the information without the consent of the individuals concerned; take the measures required to protect the confidentiality of the information; and destroy the information if the commercial transaction is not completed or if using the information is no longer necessary for finalizing the commercial transaction. These requirements are in line with privacy legislation throughout Canada.
4. Exception to Consent for Study and Research
An organization may communicate personal information without the consent of the persons concerned to a recipient wishing to use the information for study or research purposes or for the production of statistics. Relying on this exception requires first conducting a privacy impact assessment and submitting to the CAI a written agreement with the recipient of the information, setting out permitted use of the information.
The CAI has created a workspace dedicated to Bill 64 compliance and will publish guidance in that workspace. However, the workspace is only available in French.
For assistance with Bill 64 compliance, contact PRIVATECH.
Join PRIVATECH for our CIPP/C training at the end of October, which will include in-depth supplemental material on Bill 64, including provisions that will come into force in September 2023 such as mandatory privacy impact assessments and service provider oversight requirements. An early bird special is on now.