Potentially severe monetary penalties, statutory damages, a security incident reporting regime, new statutory rights, and a range of other amendments affecting private sector organizations were introduced earlier today, as significant reforms to Quebec’s privacy legislation were tabled at the National Assembly of Quebec.
If passed, Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, would introduce the following significant amendments to an Act Respecting the Protection of Personal Information in the Private Sector (the “Quebec Act”):
- Increased fines for offences up to “4% of worldwide turnover for the preceding fiscal year”.
- The introduction of administrative monetary penalties of up to 2% of worldwide turnover for certain violations.
- A statutory damage provision for “injury resulting from the unlawful infringement of a right” under the Quebec Act or certain provisions under the Quebec Civil Code, and statutory punitive damages of at least $1000 where the infringement is “intentional or results from a gross fault”.
- Mandatory “confidentiality incident” reporting obligations in cases where an incident gives rise to a “risk of serious injury”.
- A requirement for organizations to conduct “an assessment of privacy-related factors of any information system project or electronic service delivery project” involving the processing of personal information.
- An assessment requirement and adequacy restriction for transborder data flows -- specifically, a requirement for organizations to do an assessment of privacy-related factors and providing that they may only communicate the information if the assessment establishes that it would receive equivalent protection to the Quebec Act. The Minister must publish in the Gazette a list of States whose legal framework governing personal information is equivalent to Quebec’s.
- New statutory rights, including the right of an individual to require that an organization “cease disseminating [personal information] or to de-index any hyperlink attached to his name that provides access to the information by technological means, if the dissemination of the information contravenes the law or a court order”.
- Notice and transparency requirements around the use of technology that includes functions allowing the person concerned to be "identified, located or profiled."
- A security requirement providing that organizations must ensure that a technological product or service offered that collects personal information “provide the highest level of confidentiality by default, without any intervention by the person concerned”.
- Requirements for organizations to notify individuals when using personal information “to render a decision based exclusively on an automated processing of such information”.
- An exception to consent for commercial transactions, or “for study or research purposes or for the production of statistics”.
The Quebec Bill also implements changes to a number of statutes related to both public bodies and the private sector.
We will discuss the highlights and implications of the new Quebec Bill on AccessPrivacy’s June Monthly Call, to be held on Thursday, June 25, 2020, at 11:30 a.m. Eastern Daylight Time.