Proposed Amendments to Québec Privacy Law: Impact for Businesses
On June 12, 2020, the last day before the Québec National Assembly adjourned until September 2020, the Québec Government introduced Bill 64, An Act to modernize legislative provisions as regards the protection of personal information. This proposal would bring significant changes to Québec private sector and public sector privacy law. This article focuses on proposed amendments to Québec’s Act respecting the protection of personal information in the private sector.
The key impacts of Bill 64 for businesses and major changes to the current legislative framework are:
- New enforcement tools:
- The Commission d’accès à l’information (CAI) would have powers to impose administrative monetary CAD 10,000,000 or, if greater, the amount corresponding to 2% of worldwide turnover in the preceding year.
- Reinforced fines in the case of penal proceedings of a maximum of CAD 25,000,000, or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year.
- New private right of action for individuals.
- New breach reporting requirements.
- New requirements for outsourcing and transfers outside of Québec, including an adequacy system seemingly influenced by European law.
- New individual rights inspired by European law: right to data portability, right to be forgotten and right to object to automatic processing.
- New accountability rules:
- Introduction of a new privacy officer role that would rest with CEOs by default.
- New obligation to establish, implement and publish governance policies and practices.
- New obligation to conduct privacy impact assessments (PIAs).
- Privacy by design requirements.
- Reinforced consent requirements (including explicit requirements to obtain express consent in certain situations).
- New transparency requirements, including when organizations are using technologies allowing individuals to be identified, located and profiled.
- Some less stringent rules:
- New consent exceptions for research and business transactions.
- Exclusion of business contact information from the definition of “personal information.”
This content has been updated on May 2, 2024 at 16 h 38 min.