On September 22, 2021, the Quebec government adopted Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, enacting significant changes to the requirements governing the use and protection of personal information under various statutes, including notably the Act respecting the protection of personal information in the private sector (the “Private Sector Act”) and the Act respecting Access to documents held by public bodies and the Protection of personal information (the “Public Sector Act”).
Bill 64 is making quite a splash in the privacy legal compliance space in Canada. The Bill affords Quebec residents increased rights and control over their personal information, and also significantly increases the obligations of public and private sector entities that hold personal information. The changes enacted by Bill 64 come into force gradually – those taking effect on September 22, 2022, such as mandatory breach reporting, designation of the person responsible for personal information, and new consent exemptions, are the topic of a recent PRIVATECH blog article on Bill 64. The majority of the provisions of the Bill are set to come into force a year later, on September 22, 2023, with the final provisions effective on September 22, 2024.
Many entities doing business in Quebec need to implement significant changes to the ways in which they collect, store, share, and retain personal information in order to comply with the requirements of the Bill. Those who fail to do so may face prescribed noncompliance consequences – the most punitive in Canada. Although private right of action is not in force until 2023, Bill 64 increases the fines for noncompliance with privacy legislation in two weeks, providing that private sector entities will be subject to fines ranging from $15,000 to $25,000,000, or an amount corresponding to 4% of worldwide turnover for the preceding fiscal year, whichever is greater. This remains unchanged in the final version of the Bill.
For physical persons however, the initial version of Bill 64 presented last summer provided for fines ranging from $5,000 to $50,000 under both the Private Sector Act and the Public Sector Act. This maximum amount has been doubled to $100,000 in both cases.
Earlier this summer, the Government of Quebec introduced draft regulations regarding the content of confidentiality incident reports and the scope of record-keeping requirements, as outlined by the new ss. 3.5 and 3.8 of the Quebec Privacy Act.
Bill 64 will make failure to take appropriate security measures to protect personal information an offence under both the Private Sector Act and the Public Sector Act. Public bodies and private sector entities who do not take the security measures necessary to ensure the protection of the personal information collected, used, released, kept or destroyed and that are reasonable given the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored will be subject to the fines above.
NOTE: Early bird pricing for PRIVATECH’s CIPP/C course ends soon! Register now for this comprehensive certification training, where Bill 64 and other privacy developments in Canada will be discussed in-depth.