Guest post: Peter Barbosa on what Quebec's Bill 64 means for compliance in Canada
Updated: Mar 3
Opsware is a Made in Canada company. As part of that, we knew what we signed up for as Canada has historically been known for its mature mindset towards respecting customer choices and privacy. Legislation such as PIPEDA or CASL at one point (pre-GDPR days) received recognition for how protective they were to individuals. We believe that companies who provide their customers with privacy rights help build brand trust and differentiation.
In recent years PIPEDA and provincial privacy legislation have been looked at as antiquated since they lack important individual rights for the digital age. We support the initiatives around providing privacy rights domestically and globally. It’s our mission to make it simple for companies to provide privacy assurances to their customers.
On the morning of September 21, 2021, the Act to Modernize Legislative Provisions as Regards the Protection Of Personal Information (Bill 64) obtained a majority vote in the National Assembly of Quebec - only 14 months after its initial introduction.
Now that the vote has passed it is set to become law following royal assent. Once given assent, it will be broken out to 3 provisions that will come into effect over the course of 3 years. These provisions will have a major impact on private and public sectors and will overhaul the existing privacy legislation in Quebec.
Roll-out of Bill 64
Quebec’s Bill 64 will apply new requirements on companies globally. This will be spanned over three years from the date of assent. Here is a breakdown of the provisions:
After 1 Year
Companies must appoint a data privacy officer
Companies have the obligation to notify the Commission d’accès à l’information du Québec (CAI) of a data breach
Companies have the right to disclose personal information without consent when it is necessary for the fulfilment of a commercial transaction or for scientific purposes.
After 2 Years
Companies must establish and implement data governance policies
Companies must perform privacy impact assessments (PIAs) for processing activities that involve the collection, use, disclosure, retention, or disposal of personal information; or when disclosing personal information outside of Quebec
Companies must inform data subjects about the use of automated decision-making and profiling
Companies must follow enhanced consent requirements including clear, free, and informed consent for a specified purpose and timeframe
Companies must implement privacy by default to products and services offered to the public (this requirement does not apply to cookie settings)
Companies must destroy or anonymize personal information once the original purpose has been fulfilled
Companies must offer data subjects the right to restrict processing and the right to erasure and deletion
After 3 Years
Companies must offer data subjects the right to data portability and exports
Bill 64 also introduces hefty fines and penalties. The CAI will have enforcement powers, including prosecuting companies for penal fines of up to $25,000,0000 or 4% of the companies worldwide turnover. In addition the CAI can impose monetary administrative penalties of up to $10 million or 2% of the companies worldwide turnover.
Bill 64 even includes a private right of action for individuals who have suffered injury as a result of a violation of the rights introduced.
Getting Ready for Bill 64
As the data privacy tech stack for the modern enterprise, our customers are prepared for the upcoming changes in the Quebec legislation. If you’re navigating this journey as a privacy professional or engineer, Opsware Data can help provide the resources to get your company ready for Quebec’s overhauled privacy legislation.
Join Node Zero community
Node Zero is a free community operated by the Data Collaboration Alliance where members collaborate on reference datasets (including the global Data Privacy Legislation Grid), dashboards, maps, and open tools in support of their sector and important global causes. Learn more.