On September 21, 2021, the Act to Modernize Legislative Provisions as Regards the Protection Of Personal Information (Bill 64) obtained a majority vote in the National Assembly of Quebec 14 months after its initial introduction. The vote means that Bill 64 has been adopted and is set to become law following royal assent. Quebec’s existing privacy framework is set to be overhauled by the incoming Bill 64 and its requirements will have a wide impact on both the private and public sectors. Bill 64 will enter into effect across three years with the first set of provisions becoming effective 12 months after the date of assent.

The Three-Year Entry into Effect of Bill 64

Bill 64 will introduce many new provisions into Quebec’s existing privacy legislation across three years from the date of assent. This will give organizations time to bring their privacy programs up to speed with the new requirements and avoid the new penalties outlined by Bill 64.

Provisions entering into effect after one year:

  • The requirement to appoint a privacy officer
  • The obligation to notify the Commission d’accès à l’information du Québec (CAI) of a data breach
  • The right for organizations to disclose personal information without consent when it is necessary for the fulfilment of a commercial transaction or for scientific purposes

Provisions entering into effect after two years:

  • The requirement for organizations to establish and implement data governance policies
  • Requirements to perform privacy impact assessments (PIAs) for processing activities that involve the collection, use, disclosure, retention, or disposal of personal information; or when disclosing personal information outside of Quebec
  • The requirement to inform data subjects about the use of automated decision-making and profiling technologies
  • Enhanced consent requirements including clear, free, and informed consent for a specified purpose and timeframe
  • The requirement to develop an external privacy policy in clear, plain language
  • Implement privacy by default to products and services offered to the public (this requirement does not apply to cookie settings)
  • The requirement to destroy or anonymize personal information once the original purpose has been fulfilled
  • Offer data subjects the right to restrict processing and the right to erasure

Provisions entering into effect after three years:

  • Offer data subjects the right to data portability

Further to the provisions outlined above, Bill 64 will also introduce new monetary penalties of up to CAD 50,000 (approx. €33,330) for individuals. Businesses will be subject to penalties up to CAD 10,000,000 (approx. €6,667,950) or 2% of worldwide turnover for the preceding year, whichever is greater. The CAI will also have the power to launch penal proceedings with a maximum penalty of CAD 100,000 (approx. €66,660) in the case of a natural person and CAD 25,000,000 (approx. €16,667,130) or 4% of worldwide turnover for the preceding fiscal year (whichever is greater) in all other cases. In the event of a subsequent offense, the fines will be doubled. Bill 64 will also provide a private right of action for individuals who have suffered injury as a result of a violation of the rights introduced by Bill 64. The court can award damages of at least CAD 1,000 (approx. €670).

Read the news: Quebec: CAI welcomes adoption of Bill 64

The adoption of Bill 64 will pose significant challenges for private and public organizations operating in the province who will need to operationalize new processes, update and develop new policies, and account for additional data subject rights. OneTrust offers a number of solutions to help organizations bring their privacy programs up to speed with Bill 64’s new requirements including Policy & Notice Management, Privacy Rights (DSAR) Automation, and Incident Management. Request a demo to learn more.

Further reading on Bill 64:

Follow OneTrust on LinkedIn, Twitter, or YouTube for the latest on Quebec’s Bill 64 and other regulatory developments.