Bill 64, are you ready? Changes regarding the use of personal information in Québec
This overhaul reflects the need for individuals to protect their personal information. Personal information is information about an individual and allows that individual to be identified. While many of the principles of the Act are similar to the General Data Protection Regulation (GDPR) passed by the European Union, the Act affects all entities operating in Québec and brings a Québec perspective to the key principles of the GDPR. One of the elements included is transparency and clarity of information and aims at making privacy protection a default for all.
Impact
The Act applies to all personal information collected in Québec, so it is not tied to the nationality of the individual, but to the location where the information is collected, regardless of the size of the entity collecting it, or the medium or location where it is held. Thus, an entity outside of Québec may be subject to the Act even if it is not a Québec entity. Other Canadian provinces have announced their desire to review their own laws, and these will be largely inspired by the Québec Act. An entity must obtain free, informed and specific consent to collect personal information and destroy it when the purpose for which the information was obtained is achieved.
The Commission d'accès à l'information du Québec is given more power. The Act provides for administrative monetary penalties of up to $10 million or 2% of sales, and penalties of up to $25 million or 4% of worldwide sales, whichever is greater.
Also, new rights have been created, the right to erasure and the right to access personal information about the individual in a structured technological format.
Change to be made in the short term
A gradual implementation is planned, with the first set of provisions becoming applicable in September 2022. So do not wait to review your processes and procedures, and make sure you have them in place. The remaining provisions will come into effect in September 2023 and 2024.
One of the first provisions is the appointment of a Privacy Officer or equivalent function, equivalent to the Privacy Officer under the GDPR. The Data Privacy Officer is responsible for ensuring that controls are in place for the protection of personal information and that they are working. They also ensure that the rights of individuals are respected. In the absence of an appointment, the responsibility rests with the highest authority in the entity. The name and contact information of this person should be published on websites and publicized so that they can be easily found. This person in charge does not have to be an employee of the company and can be outsourced.
Thus, entities must review their consent mechanism and privacy policy. The Act, in its principle of transparency, requires that privacy policies be published on websites and thus be available to the public. Where policies and methods aimed at de-identifying, i.e., no longer allowing for the direct identification of an individual, or anonymizing, i.e., no longer allowing for the direct or indirect identification of an individual in an irreversible manner, are in place, these must be reviewed, since more details are defined on the subject. The Act also now requires that all projects be accompanied by a privacy risk assessment. The transfer of information outside Québec must also be made only if the level of protection is adequate.
Secondly, it is now important to implement a process for reporting all privacy incidents including to the individual and to keep a record of these incidents. This log should contain indications of the measures taken to prevent recurrence of such incidents.
Changes in subsequent years
In the following years, the various provisions to be put in place relate to the adoption of personal information practices, the implementation of privacy impact assessments, and new consent requirements.
Although Québec entities that apply the GDPR are ahead of the game, it is essential that companies review their processes and controls in place to ensure that they comply with the requirements of the Québec Act.
Mazars, with its experience in implementing the RGPD in several companies, can help you re-evaluate how your entity manages the personal information it collects in order to identify the elements that need to be improved in your processes, with the goal of having good governance of these processes, focused on the needs of your clients and not on compliance.