On September 22, 2021, Quebec An Act to modernize the legislative provisions relating to the protection of personal information (Bill 64) received royal assent after adoption by the National Assembly of Quebec. Quebec is the first Canadian jurisdiction to fundamentally reform its privacy protection regime by amending various laws related to the protection of personal information, including the Act respecting the protection of personal information in the private sector (the Private Sector Act), the Act establishing the legal framework for information technologies, and the Act concerning Access to documents held by public bodies and the Protection of personal information.
In a previous bulletin, we discussed the many ways in which Bill 64 creates obligations for private and public sector organizations in Quebec similar to those imposed by the European Union’s General Data Protection Regulation.
Most of the changes to Quebec’s Private Sector Act will come into effect on September 22, 2023, and only a few provisions will come into effect next year. In particular, on September 22, 2022, the obligation to notify the Commission Access to Information (CAI) and the persons concerned of a breach of privacy (a confidentiality incident) that presents a risk of serious injury will come into force.
Before receiving Royal Assent, Bill 64 was amended by Commission of Quebec Institutions (Committee). Significant changes made to Bill 64 by the Committee include:
Broaden the definition of personal information to mean any information that relates to a natural person and allows that person to be identified directly or indirectly
Allowing organizations to use personal information without consent when its use is necessary for the provision or delivery of a product or the delivery of a service, and for the prevention and detection of fraud or the evaluation or improvement of protection and security measures or evaluation or improvement of protection and security measures
Remove the restriction on transfers of personal information outside Quebec to jurisdictions enjoying âequivalent protectionâ in Bill 64 and instead allow the transfer to jurisdictions where they would benefit from âadequate protection in accordance with generally accepted principles of data protection â, after carrying out a privacy impact assessment
Require organizations to demonstrate a serious and legitimate purpose in order to anonymize personal information rather than destroy it
A new administrative monetary penalty and a new offense provision for failure to take appropriate security measures to ensure the protection of personal information collected, used, disclosed, retained or destroyed