2021 will go down in history as the year of digital transformation. The ongoing Covid-19 pandemic has led to unprecedented levels of technological innovation and digitization, completely changing the way we live and work.
With increased digitalization, the amount of data being captured has also grown exponentially and is expected to register an annual growth rate of 18% from 2021 through 2025.
As a result, there is greater awareness and sensitivity about the use of personal data by various businesses. In response to this concern, Quebec lawmakers passed Bill 64 to modernize various aspects of Quebec’s laws governing individuals’ privacy.
Quebec’s data protection legislative landscape is about to experience a major makeover, one that will impact any business that interacts with Quebec-based customers (regardless of where it is based). That is why it is critical that businesses understand the fundamental changes introduced by Bill 64, the associated penalties, and the key requirements to stay compliant.
What Is Bill 64?
Bill 64, officially known as an Act to Modernize Legislation Provisions Regarding the Protection of Personal Information, proposes stricter privacy requirements, including enhanced protection, transparency, and consent requirements for Quebec businesses.
The bill was passed on September 21, 2021, in the National Assembly of Quebec, fourteen months after its initial introduction. This means that the bill has officially been adopted and is set to become law.
The bill updates and modernizes the existing legal framework regarding individuals’ information and privacy rights and also aligns Quebec’s laws with other jurisdictions. In fact, many of the proposed amendments in Bill 64 were influenced by other global privacy laws, such as the European Union General Data Protection Regulation (GDPR).
With the start of 2022, organizations doing business in Quebec have started the race against time to understand and operationalize the requirements introduced by Bill 64.
Roll Out Plan and Key Requirements to Stay Compliant
Bill 64 introduces radical changes to Quebec’s private sector and public sector privacy laws.
Although the bill has officially been adopted, it will be gradually rolled out over the next three years. The first set of provisions becomes effective 12 months after the date of assent.
The bill will be enforced by the Commission d’accès à l’information (CAI) du Québec.
Here is an overview of the three phases.
Phase 1 / Year 1 (2022)
Provisions taking effect after one year include:
- Organizations must appoint a privacy officer who will be responsible for compliance.
- Organizations are obligated to notify the commission (CAI) of a data breach. Individuals affected by any unauthorized use of personal information must also be informed.
Year 2 (2023)
Provisions that will come into force after two years include:
- The requirement for every organization to establish and implement policies and practices regarding data governance
- Organizations must conduct Privacy Impact Assessments (PIAs) for processing activities that involve the collection, disclosure, use, or disposal of personal data
- The right for individuals to request organizations to cease disseminating their personal information and de-index any hyperlink attached to their name
- Requirements for organizations to destroy personal information once the purpose for which the information was collected is achieved
- Organizations that transfer data to third parties must enter into a written agreement with such parties. The other party should provide a description of the measures taken to ensure data confidentiality
- Organizations must obtain express consent to use customer sensitive information for secondary purposes
- Upon collection of personal data, organizations must provide the following information:
  - Purpose of collection
  - Means of collection
  - The rights of access and rectification
  - The right to withdraw consent
Organizations must draft and document these changes in clear and simple language.
Year 3 (2024)
The following requirements will come into force in three years.
- Data portability – An individual may request personal information collected from them be communicated to them or another organization in a specified format
- Automated processing – Requirements for organizations to inform individuals when their personal information is used to render decisions based on the automated processing of such information. At the individual’s request, the organizations must notify the individual of the specific data used and the primary factors that led to those decisions.
- Source of information – Should an individual request it, organizations must provide the source used to obtain their data
Penalties for Non-Compliance
Quebec’s Commission on Access to Information (CAI) will have the power to impose penalties for the following reasons:
- Failure to report a data breach
- Failure to ensure the protection of personal information
- Unlawful collection, use, or dissemination of information
- Failure to inform individuals
The maximum fines are CAD 50,000 for individuals and CAD 10,000,000 for businesses or 2% of the worldwide turnover for the preceding year, whichever is greater.
Depending on the nature of the case, the commission (CAI) will have the power to enforce penal proceedings with a maximum penalty of CAD 10,000 for natural persons and CAD 25,000,000 or 4% of worldwide turnover for corporations.
In the event of a subsequent offense, the penalties will double.
Bill 64 will also provide a right of action for citizens who have suffered damages due to privacy infringement. In such cases, the court can award damages of at least CAD 1,000 per individual.
Why Is Bill 64 Important?
The bill represents a step-change for how businesses in Quebec will collect and manage personal data. Inspired by the European General Data Protection Regulation (GDPR), the bill proposes maximum data protection by introducing new standards for privacy rights and establishing standards that will soon gain traction beyond the province’s borders.
Some of the provisions that will likely have a high impact on businesses operating in Quebec and beyond borders include:
- Heavy penalties for non-compliance
- Stricter privacy requirements. These include, among other things, mandatory PIAs, assessment for communication of personal data beyond Quebec, and written consent to transfer an individual’s data to service providers or third parties.
Regardless of whether you’re in Quebec, this bill will affect you in some way. Keep in mind that businesses that deal with private information provided by Quebec organizations must ensure their practices align with Bill 64.
Is Your Enterprise Ready for These New Changes?
To stay relevant and competitive and to avoid penalties, you’ll need to start preparing early for these new changes. That said, there are a few things you can do before it’s too late.
1. First, try to find quick wins.
For example, if email marketing and marketing automation are important channels for your business, consider Symplify’s Customer Engagement Platform. Our solution was built with data privacy in mind. We are already GDPR compliant, and our platform addresses the requirements of Bill 64.
2. Next, start preparing now!
Work with your security teams, privacy committee, compliance team, or whoever in your organization is assigned to address privacy to establish policies that will ensure complete compliance with the requirements above.
3. Finally, stay connected with Symplify.
Our Quebec-based experts will continue to keep you updated with best practices and tips to help make your transition to Bill 64 easier.
Your key players need to understand the context of Bill 64, its impact on your business, and the penalties for non-compliance. Although the Bill in its current state may still be altered, preparing for this bill early can save you a lot of trouble down the line.