Bill 64's amendments to Quebec's Act respecting the protection of personal information in the private sector ("Quebec Privacy Act") will expose organizations to potentially severe financial penalties, enhanced litigation risk and significant compliance costs. While new penalty provisions do not come into force until 2023, companies carrying on business in Quebec must ensure they are compliant with new obligations in force as of September 22, 2022. 

Unless otherwise noted, all citations refer to the Quebec Privacy Act, as amended by Bill 64

1. Chief Privacy Officer/"Person in Charge"

• As of September 2022, the individual who has the “highest authority” in an organization is required to exercise the function of “person in charge” of the protection of personal information (“PIC”). The PIC may delegate “in writing” all or part of that function to “any person” (s. 3.1).
• The PIC must create records of personal information communications to reduce the risk of confidentiality incidents (s. 3.5).
• The PIC must also be consulted when assessing the risk of injury to an individual in the context of a security incident (s. 3.7).
• Amendments in force September 2023 will require the PIC to be directly involved in decisions related to the organization's information governance practices (ss. 3.2, 3.3, 3.4) and in responses to individuals' requests to exercise their personal information rights (ss. 28.1, 30, 32, 34, 35).

Key AccessPrivacy Resources: Role of Chief Privacy Officer topic hub; unofficial translation of the CAI's Privacy Impact Assessment Guide (available in French here)

2. Security Incident Response 

• As of September 2022, an organization with cause to believe that a "confidentiality incident" involving personal information has occurred is required to take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature, and to determine whether the incident presents a risk of serious injury to an individual (s. 3.5).
• If a confidentiality incident presents a risk of serious injury, the organization must promptly notify the Commission d'accès à l'information (CAI) and any affected individuals, as well as any person or body that could reduce the risk (s. 3.5). 
• Organizations must keep a record of all confidentiality incidents and send a copy to the CAI at its request (s. 3.8). 
• A draft regulation has been introduced by the Government of Quebec regarding the content of confidentiality incident reports and the scope of record-keeping requirements, as contemplated by the new ss. 3.5 and 3.8 of the Quebec Privacy Act. 

Key AccessPrivacy Resource: Breach Notification topic hub 

3. Biometrics 

• The Act to establish a legal framework for information technology (the "Quebec IT Act") contains specific provisions relating to biometric data, including consent and registration requirements. 
• As of September 22, 2022, Bill 64 amendments to the Quebec IT Act will require organizations to:
  • Disclose in advance to the CAI any process involving the recording of biometric characteristics to verify or confirm a person’s identity. Existing express consent obligations also apply to such processes. (s. 44 of the Quebec IT Act); and
  • Notify the CAI of the creation of a database of biometric characteristics and measurements at least 60 days before the database is operative. (s. 45 of the Quebec IT Act).

Key AccessPrivacy resources: Bill 64 - Amendments to Biometrics Regime; Biometrics topic hub 

4. Exceptions to consent

• Exception to Consent for Commercial Transactions (s. 18.4):
  • As of September 2022, an organization may communicate personal information without the consent of the persons concerned where it is necessary to conclude a commercial transaction.
  • Relying on this exception requires first entering into an agreement with the recipient, stipulating permitted use of the information and setting out data minimization requirements.

• Exception to Consent for Study and Research (ss. 21, 21.0.1, 21.0.2):

  • As of September 2022, an organization may communicate personal information without the consent of the persons concerned to a recipient wishing to use the information for study or research purposes or for the production of statistics.

  • Relying on this exception requires first conducting a privacy impact assessment and submitting to the CAI a written agreement with the recipient of the information, stipulating permitted use of the information and setting out data minimization requirements.

Key AccessPrivacy resources: Consent Exceptions: Business Transactions topic hub; Consent Exceptions: Statistical, Scholarly Study, or Research topic hub; unofficial translation of the CAI's Privacy Impact Assessment Guide (available in French here)

General Resources

AccessPrivacy has developed a suite of resources, available to subscribers, to help organizations fulfill their new compliance obligations. In addition to the specific resources noted above, please see:  

• Coming into Force Dates - Bill 64
• Annotated Act respecting the protection of personal information in the private sector (Québec) as amended by Bill 64
• Quebec Private Sector Privacy Law: Demonstrable Accountability Checklist
• Comparison of Key Elements of Quebec’s Privacy Law Reform , Bill 64, and the General Data Protection Regulation (EU)

 

Additionally, Adam Kardash and Julien Morissette discussed these new obligations in Montreal on June 7, 2022. The presentation recording is available for free on-demand.