Updated Quebec law on the protection of personal information complicates cross-border data flows

by Tess Hutchinson

Quebec’s updated privacy law raises the bar for businesses operating in Canada’s second most populous province, imposing additional compliance obligations on businesses already struggling with U.S., European and Asian privacy regimes.

The law brings Quebec closer to the European General Data Protection Regulation, but nuances mean companies must act with precision or face heavy regulatory penalties and consumer-led litigation through the law’s private right of action.

Bill 64, which received royal assent in September, requires companies to conduct privacy impact assessments for the transfer of personal information outside Quebec and to appoint designated privacy officers. Most of the law’s provisions come into effect in September 2023, but others come into effect in 2022 or 2024.

“The message from the Government of Quebec is, ‘We take privacy laws seriously,’” said Vanessa Coiteux, partner at Stikeman Elliott LLP in Montreal. “We’re a little piece of North America, but there are significant penalties and obligations here.”

Additional obligations

Quebec is one of the few Canadian provinces to adopt a law on the protection of personal information in the private sector. Canada, unlike the United States, also has a broad federal law — the Personal Information Protection and Electronic Documents Act.

The new law, among other obligations, requires companies to report to the Quebec privacy regulator and notify individuals of data breaches when there is a risk of “serious harm”.

Federal law already makes reporting violations mandatory, but Bill 64 now makes it mandatory for organizations under Quebec law, said Chantal Bernier, who leads the Canadian privacy and cybersecurity practice of Dentons and who previously headed the Office of the Privacy Commissioner of Canada.

Companies will also need to perform privacy impact assessments for certain data processing, including sending information outside of Quebec, said Antoine Aylwin, co-leader of the privacy and cybersecurity group at Fasken Martineau DuMoulin LLP.

“Data flow is definitely going to be a big deal,” Aylwin said. “When doing privacy impact assessments, you have to document the process, and that can be a challenge.”

The additional provision that companies delete consumer data after it has been used for its intended purpose will also prove difficult from an operational standpoint, Aylwin said.

Significant risk

The law gives the Quebec Access to Information Commission, the province’s privacy regulator, the ability to impose fines on entities that break the law. Administrative penalties are up to C$10 million ($8.01 million) or 2% of an entity’s worldwide annual revenue for the previous year, and penalties for criminal offenses are up to C$25 million or 4% of annual worldwide sales.

“It’s a game changer – companies will have to be careful to avoid enforcement and ensure compliance,” said Aylwin. “This is, I would say, the biggest change, and it gives the legislation a lot of bite.”

Bill 64 shifts the province from an ombudsman’s privacy model to an enforcement-driven model, Bernier said. In addition to the potential for administrative penalties and fines, when a person exercises their private right of action for invasion of privacy and there is proof of intent or gross negligence, the court must award punitive damages of at least C$1,000, she added.

Unlike the California Consumer Privacy Act, Bill 64 has no revenue or personal data thresholds.

This means that even regional New England businesses that do not transact in California or Europe but sell to Quebec consumers should carefully review their data collection practices and data flows to ensure that they will not break Bill 64 once it goes into effect, said Cynthia Larose, the Boston-based president of the privacy and cybersecurity practice at Mintz, Levin, Cohn, Ferris, Glovsky and Popeo PC.

“Canada is not known to be as contentious as the United States, but this private right of action could be costly for businesses,” Larose said. “If a similar provision appears in other Canadian provinces or is enacted federally in the final version of the new Consumer Privacy Protection Act, it changes the risk pattern and the risk assessment for American companies.”

Looking forward

Other provinces are already taking inspiration from Bill 64, recently adopted in Quebec. Ontario and British Columbia, the country’s first and third most populous provinces, recently announced revisions to their current legislation.

“If you read the Government of Ontario’s white paper – Modernizing Privacy in Ontario – which is considering having its own private sector privacy legislation, the number of references to the new Quebec law really shows its impact in terms of political orientation,” Bernier noted.

The requirement for companies to appoint a privacy officer goes into effect in September 2022, so companies should start looking now, said Eloïse Gratton, national co-head of the privacy and data protection practice at Borden Ladner Gervais LLP.

“In the short term, companies need to make sure they are able to track incidents and know how to report them to regulators,” Gratton said. “Whether they are updating privacy policies or consent forms, the new transparency requirements are also something to keep in mind.”

Automating compliance procedures with technology can help companies ensure they are handling data properly, as ad hoc approaches are often difficult to scale, said Michael Welch, chief executive officer of strategy and operations risks at MorganFranklin Consulting.

“Maintaining that for the long haul is a challenge, especially if you manage multiple geographies,” Welch said. “Once a law has been enacted, there may be changes, as well as upcoming new ones or additional ones for each locality.”

While Bill 64 imposes obligations similar to the GDPR, including rules regarding data portability, automated decision-making and data transfers, the “devil is in the details” and businesses subject to both must understand the delta between GDPR and Bill 64, said Corey Omer, partner at Davies Ward Phillips & Vineberg LLP in Montreal.

“Treating this like a marathon rather than a sprint will give businesses the time they need to develop an effective plan and meet compliance requirements,” said Omer.
