On September 21, the Québec National Assembly adopted Bill 64, an Act to modernize legislative provisions as regards the protection of personal information, which significantly changes Québec’s private sector and public sector privacy regimes.
Our summary focuses on the proposed amendments to the Québec’s Act respecting the protection of personal information in the private sector which coming into force will be phased-in over the course of the next three years.
Highlights of some of the key changes
Requirements effective as of September 22, 2022
Appointment of a Privacy Officer. The CEO will be the Privacy Officer by default.
Reporting of a ‘confidentiality incident’ on a ‘as soon as possible’ basis or ‘promptly’ basis by taking into consideration the gravity of the incident. Breach should be reported to both the Commission d’accès à l’information and the affected individuals.
Transfer of Commercial Transactions without consent subject to contractual agreement.
Study, Research, or Statistics: Communication of personal information may be done without prior consent.
Requirements effective as of September 22, 2023
Firms must implement a privacy framework including the policies, procedures and practices relevant to the protection of personal information.
Firms will have to conduct adequate and tailored Privacy Impact Assessment (PIA) for each acquisition, development and redesign of any information system project or electronic service delivery project involving personal information.
Strengthens transparency rules. Firms must provide individuals the appropriate disclosure – i.e., purposes of the collection; means of collection; rights of access and rectification; right to withdraw consent, communication of the information outside Quebec etc...
Confidentiality/Privacy by default. Except for cookies, firms must ensure that privacy parameters are set by default for any technological product or service that has privacy settings.
Consent. Some of the requirements include consent to be clear, free and informed. Express consent must be obtained for the use of sensitive information for secondary purposes. Individuals providing their personal information after receiving an adequate privacy disclosure are deemed to have consented to its use and its communication for the purposes indicated in the disclosure.
Communication of Information Outside of Québec. Firms must conduct PIA prior to any cross-border transfer of information taking into consideration elements such as the sensitivity of the information, the purposes for which it will be used, the applicable protection measures as well as the applicable legal framework of the targeted jurisdiction.
Right to be De-indexed. Individuals will have the right to demand that their personal information be de-indexed or ceased to be disseminated.
Anonymized Data. Once the purposes for which personal information was collected or used are achieved, generally, the organization must destroy the information or anonymize it in order to use it for a serious and legitimate purpose.
Requirements effective as of September 22, 2024
The right to data portability. An individual will have the right to request that personal information be communicated to them or another organization of their choice in a structured and commonly used format.
To comply with the new privacy requirements introduced by Bill 64, as an organization you should take the necessary steps as promptly as possible considering the upcoming deadline. This includes appointing a Privacy Officer, implementing or updating the privacy framework, assessing the systems to adequately set privacy safeguards etc.…
Comentarios