top of page
  • Writer's pictureTeam

Guest post: Peter Barbosa on what Quebec's Bill 64 means for compliance in Canada

Updated: Mar 3, 2022

The following Community Voices post was contributed by Peter Barbosa, Co-founder and CEO of Opsware and member our Data Privacy Group

Opsware is a Made in Canada company. As part of that, we knew what we signed up for as Canada has historically been known for its mature mindset towards respecting customer choices and privacy. Legislation such as PIPEDA or CASL at one point (pre-GDPR days) received recognition for how protective they were to individuals. We believe that companies who provide their customers with privacy rights help build brand trust and differentiation.

In recent years PIPEDA and provincial privacy legislation have been looked at as antiquated since they lack important individual rights for the digital age. We support the initiatives around providing privacy rights domestically and globally. It’s our mission to make it simple for companies to provide privacy assurances to their customers.

On the morning of September 21, 2021, the Act to Modernize Legislative Provisions as Regards the Protection Of Personal Information (Bill 64) obtained a majority vote in the National Assembly of Quebec - only 14 months after its initial introduction.

Now that the vote has passed it is set to become law following royal assent. Once given assent, it will be broken out to 3 provisions that will come into effect over the course of 3 years. These provisions will have a major impact on private and public sectors and will overhaul the existing privacy legislation in Quebec.

Roll-out of Bill 64

Quebec’s Bill 64 will apply new requirements on companies globally. This will be spanned over three years from the date of assent. Here is a breakdown of the provisions:

After 1 Year

  • Companies must appoint a data privacy officer

  • Companies have the obligation to notify the Commission d’accès à l’information du Québec (CAI) of a data breach

  • Companies have the right to disclose personal information without consent when it is necessary for the fulfilment of a commercial transaction or for scientific purposes.

After 2 Years

  • Companies must establish and implement data governance policies

  • Companies must perform privacy impact assessments (PIAs) for processing activities that involve the collection, use, disclosure, retention, or disposal of personal information; or when disclosing personal information outside of Quebec

  • Companies must inform data subjects about the use of automated decision-making and profiling

  • Companies must follow enhanced consent requirements including clear, free, and informed consent for a specified purpose and timeframe

  • Companies must develop an external privacy policy in clear, plain language

  • Companies must implement privacy by default to products and services offered to the public (this requirement does not apply to cookie settings)

  • Companies must destroy or anonymize personal information once the original purpose has been fulfilled

  • Companies must offer data subjects the right to restrict processing and the right to erasure and deletion

After 3 Years

  • Companies must offer data subjects the right to data portability and exports


Bill 64 also introduces hefty fines and penalties. The CAI will have enforcement powers, including prosecuting companies for penal fines of up to $25,000,0000 or 4% of the companies worldwide turnover. In addition the CAI can impose monetary administrative penalties of up to $10 million or 2% of the companies worldwide turnover.

Bill 64 even includes a private right of action for individuals who have suffered injury as a result of a violation of the rights introduced.

Getting Ready for Bill 64

As the data privacy tech stack for the modern enterprise, our customers are prepared for the upcoming changes in the Quebec legislation. If you’re navigating this journey as a privacy professional or engineer, Opsware Data can help provide the resources to get your company ready for Quebec’s overhauled privacy legislation.

Join Node Zero community

Node Zero is a free community operated by the Data Collaboration Alliance where members collaborate on reference datasets (including the global Data Privacy Legislation Grid), dashboards, maps, and open tools in support of their sector and important global causes. Learn more.



bottom of page