Quebec Bill 64 - Will This Personal Data Privacy Law Impact Your Business?
On September 21st, 2021, the Quebec National Assembly adopted Bill 64, an Act to modernize legislative provisions as regards the protection of personal information. The legislation brings significant changes to Quebec's private-sector and public-sector privacy laws.
But how exactly will this bill affect businesses and organizations operating in Quebec? Could it impact businesses negatively or positively? In this guide, we'll break down the basics of Bill 64, its context in data governance, its requirements for Quebec businesses, and what Quebec business owners need to prepare for.
What is Bill 64?
Bill 64 is a bill that has recently been adopted by the Quebec National Assembly. It was created and adopted to provide a more robust and modern set of provisions protecting personally identifiable information (PII), particularly data collected and processed online.
Requirements Under Bill 64 for Businesses
To really grasp what will change once Bill 64 comes into force, it helps to understand the requirements of the bill itself. The requirements below are phased in over one, two, and three years from the date of assent.
Appoint a Privacy Officer
- This requirement will be enforced within one year.
- The person exercising the highest authority in the business (typically the CEO) is that business's privacy officer by default unless the role is delegated in writing to another individual.
- The privacy officer is tasked with ensuring that the organization implements and complies with every requirement of the Act.
- The privacy officer's title and contact information must be published on the organization's website.
Reporting Breaches
- This requirement will be enforced within one year.
- Organizations are required to notify the CAI and any affected individuals when a confidentiality incident involving personal information presents a risk of serious injury to those individuals.
- Whether an incident presents a risk of "serious injury" is assessed from the sensitivity of the information, the anticipated consequences of its use, and the likelihood that it will be used for injurious purposes. For example, if a SaaS platform is breached and credit card numbers are stolen, that would be considered a risk of serious injury.
- All businesses must keep a register of confidentiality incidents, which must be provided to the CAI on request.
Privacy Programs, Policies, and New Practices
- This requirement will be enforced within two years.
- All Quebec organizations must establish and implement governance policies and practices covering how the personal information they hold is protected.
- These practices must provide a framework for keeping and destroying the information, define the roles and responsibilities of personnel throughout the information's lifecycle, and set out a process for handling complaints about the protection of the information.
- Detailed information about these policies and practices must be published on the business's website.
Privacy Impact Assessments
- This requirement will be enforced within two years.
- Businesses will need to conduct privacy impact assessments (PIAs) for any project to acquire, develop, or overhaul an information system or electronic service that involves personal information.
- PIAs must be proportionate to the sensitivity of the information involved, the purpose for which it is used, and its quantity, distribution, and medium.
Automated Processing
- This requirement will be enforced within two years.
- Organizations must inform users when a decision about them is based exclusively on the automated processing of their personal information.
- At the user's request, businesses must also disclose what personal information was used to make the decision, the reasons and principal factors behind the decision, and the user's right to have the information corrected.
Cross-Border Transfers
- This requirement will be enforced within two years.
- Businesses will need to conduct PIAs before communicating a user's personal information outside the territory of Quebec.
- This is done to ensure that user data will be adequately protected wherever it is sent.
- PIAs under this requirement must consider the sensitivity of the information, the purposes for which it is to be used, the protection measures that will apply to it, and the legal framework for personal information protection in the jurisdiction it will be transferred to.
- As a result of these PIAs, communications might be subject to a formal agreement that considers the result of the PIA and lays out measures to reduce the risks identified.
Outsourced Processes
- This requirement will be enforced within two years.
- Businesses that entrust personal information to a service provider will need to enter into a formal written agreement with that provider.
- This agreement must cover a few major things: the measures the provider will take to protect the confidentiality of the information, a commitment that the provider will use the information only to render its services and will not keep it after the contract ends, and a commitment that the provider will promptly notify the organization's privacy officer of any actual or attempted violation of Bill 64 or of the agreement.
Full Transparency
- This requirement will be enforced within two years.
- Businesses must provide users with certain information when their personal information is collected. This includes the purposes of the collection, the means by which it is collected, the user's right of access and rectification, and the user's right to withdraw consent at any time.
- In some situations, the following information must also be communicated to users: the name of any third party collecting the information on the business's behalf, the categories of third parties the information may be shared with, and the possibility that the information will be communicated outside Quebec.
- Businesses will also need to publish a formal privacy policy on their website if they collect personal information through technological means.
- An organization's privacy policy should be written clearly, in English and French, using simple and honest terms.
Profiling and Identification Technologies
- This requirement will be enforced within two years.
- Businesses must inform their users when they collect personal information using technology that allows the user to be identified, located, or profiled.
- Businesses must also inform users of the means available to activate such functions, which must be turned off by default.
- In the context of this requirement, profiling refers to the collection and use of personal information to assess certain characteristics of a natural person, in particular to analyze that person's work performance, economic situation, health, personal preferences, interests, or behavior.
Consent
- This requirement will be enforced within two years.
- Consent obtained through a website's privacy notice is what authorizes an organization to collect and use the personal information a user provides, and it is valid only for the purposes stated in that notice.
- Consent has to be clear, freely given, informed, and requested for each specific purpose.
- Visitors must be presented with a clear privacy notice and asked for consent at the point where their personal information is collected.
- For minors under 14 years old, consent must be given by the person having parental authority or by the tutor.
Privacy by Default
- This requirement will be enforced within two years.
- Businesses that collect personal information by offering a technological product or service with privacy settings (software or any other form of technology) must ensure that those settings provide the highest level of confidentiality by default.
- Privacy settings for cookies are exempt from this requirement.
Retention and Destruction of Information
- This requirement will be enforced within two years.
- Once the purposes for which personal information was collected have been fulfilled, the business must destroy that information, subject to any retention period required by law.
- Instead of destroying the information, organizations also have the option of anonymizing it for serious and legitimate purposes.
The Right to De-Indexation and Data Subject Access Requests
- This requirement will be enforced within two years.
- Users can request that a business cease disseminating their personal information, or de-index any hyperlink attached to their name that gives access to that information, where the dissemination contravenes the law or a court order, or where it causes serious injury to their reputation or privacy that clearly outweighs the public interest in knowing the information.
- Users can request access to their personal information at any point.
The Right to Data Portability
- This requirement will be enforced within three years.
- Users can require that the computerized personal information a business collected from them be provided to them, or transferred to another organization they designate, in a structured and commonly used technological format.
- This requirement does not include information that the business created or inferred from the original information.
The Impact That Bill 64 Will Have on Canadian Businesses
If business owners fail to adhere to the requirements set out in Bill 64, they face enforcement. Specifically, administrative monetary penalties will be imposed by the Commission d'accès à l'information (CAI). On top of these penalties, individuals will now also have a private right of action to sue businesses for violating their privacy rights.
Enforcement and potential punishment depend on which provisions of the Act were violated. For example, collecting, using, disclosing, or destroying personal information in contravention of the Act can result in penal offenses, administrative monetary penalties, and the possibility of a lawsuit, whereas failing to provide an appropriate privacy notice is not a penal offense but can still attract administrative penalties or a private right of action.
The maximum fine for a penal offense under Bill 64 is $25 million or 4% of worldwide turnover for the preceding fiscal year, whichever is greater. Administrative monetary penalties can reach $10 million or 2% of worldwide turnover, whichever is greater, while losing a private right of action suit could result in additional damages, including punitive damages.
In general, as long as business owners apply common-sense principles to their handling of user data and ensure that their websites, apps, and other digital platforms align with the rules set under Bill 64, they should avoid trouble. Basic data compliance practices are key.