On September 22, 2021, Quebec’s An Act to modernize legislative provisions as regards the protection of personal information (Bill 64) received Royal Assent after adoption by the Quebec National Assembly. Quebec is the first Canadian jurisdiction to significantly reform its privacy law regime by amending various laws related to the protection of personal information, including the Act respecting the protection of personal information in the private sector (the Private Sector Act), the Act to establish a legal framework for information technology, and the Act respecting Access to documents held by public bodies and the Protection of personal information.
In a previous bulletin, we discussed the many ways Bill 64 creates obligations on private and public sector organizations in Quebec similar to those imposed by the European Union’s General Data Protection Regulations.
Most amendments to Quebec’s Private Sector Act will come into force on September 22, 2023, with only a few provisions coming into force next year. Notably, on September 22, 2022, the requirement to notify the Commission d’acces a l’information (CAI) and affected individuals of a privacy breach (a confidentiality incident) that presents a risk of serious injury will come into force.
Prior to receiving Royal Assent, Bill 64 was amended by Quebec’s Committee on Institutions (Committee). Important changes to Bill 64 made by the Committee include:
-
Expanding the definition of personal information to mean any information which relates to a natural person and allowing that person to be identified either directly or indirectly
-
Permitting organizations to use personal information without consent when its use is necessary for the supply or delivery of a product or the provision of a service, and for the prevention and detection of fraud or the evaluation or improvement of protection and security measures or the evaluation or improvement of protection and security measures
-
Removing the restriction on transfers of personal information outside of Quebec to jurisdictions with “equivalent protection” to Bill 64 and instead permitting transfer to jurisdictions where it would receive “an adequate protection in compliance with generally accepted data protection principles”, after conducting a privacy impact assessment
-
Requiring organizations to demonstrate a serious and legitimate purpose in order to anonymize personal information rather than destroy it
-
A new administrative monetary penalty and a new offence provision for failing to take appropriate security measures to ensure the protection of personal information collected, used, communicated, kept or destroyed
For further information, please contact:
Wendy Mee 416-863-3161
Marie-Hélène Constantin 514-982-4031
Ellie Marshall 416-863-3053
or any other member of our Privacy & Data Protection group.
More insights
Blakes and Blakes Business Class communications are intended for informational purposes only and do not constitute legal advice or an opinion on any issue. We would be pleased to provide additional details or advice about specific situations if desired.
For permission to republish this content, please contact the Blakes Client Relations & Marketing Department at [email protected].
© 2024 Blake, Cassels & Graydon LLP
