A majority of the updates to Québec’s private sector privacy law in Law 25, also known as Bill 64, An Act to modernize legislative provisions as regards the protection of personal information (Bill 64), will come into force on September 22, 2023. Some provisions will come into effect on September 22, 2022. We have outlined a few of the significant upcoming changes below.
Québec joins the growing jurisdictions requiring organizations (“persons carrying on an enterprise”) to report breaches. Bill 64 references “confidentiality incidents,” which are unauthorized access, use or communication of personal information, the loss of personal information or any other breach of the protection of such information. This is similar in concept to a breach of “security safeguards” articulated in the Personal Information Protection and Electronic Documents Act, (PIPEDA).
Regardless of the significance of the incident, an organization must take reasonable steps to reduce the risk of injury and to prevent similar incidents. There are also record keeping requirements for all confidentiality incidents.
Notification and reporting requirements will arise if the incident presents a “risk of serious injury,” which is determined by considering the sensitivity of the information, the anticipated consequences of its use, and the likelihood that the information will be used for injurious purposes. This test may be similar to the “real risk of significant harm” standard in other laws; however, it may be interpreted more narrowly based on a greater focus on the likelihood of harm.
Presently, draft regulations set out the requirements for individual notices and reports to the Commission, as well as the organization’s incident register retention requirements.
Default and Designation of a Privacy Officer
In the absence of the written delegation of authority to a privacy officer, the individual with the highest authority in the organization will be responsible for ensuring implementation of and compliance with the Act Respecting the Protection of Personal Information.
Organizations are required to publish the privacy officer’s title and contact information on the organization’s website, or make it available by any other appropriate means in the absence of a website.
Reporting Biometric Uses and Databases
Québec’s privacy laws already address biometrics more specifically than other Canadian legislation. Biometrics can include physical traits, like eyes, face shape and fingerprints, and behaviours, like voice and keystrokes, as well as biological characteristics, like blood and saliva.
Now, organizations will be required to provide information to the Commission about the creation of a database of biometric characteristics and measurements at least sixty (60) days before the database is used. Organizations must also notify the Commission before beginning to verify or confirm a person’s identity using biometric means.
Formal Agreements required to Share Personal Information in a Commercial Transaction
Québec will be aligned with other private sector laws in Canada permitting disclosure of personal information for the purposes of a “business transaction” such as a merger, acquisition or sale of a substantial aspect of the business. Consent of the individuals involved will not be required as long as the organizations meet certain requirements, including having an agreement to limit use and safeguard the information. If the transaction is completed, the individuals must be notified of the transfer of their personal information.
If you have any questions about Bill 64, please contact a member of our Privacy & Data Management Group.
Ryan Berger is a leading privacy and employment lawyer, with a primary focus on providing strategic advice to businesses and employers.
Ryan leads the firm’s Privacy Group and routinely advises public and private sector ...
Lawson Lundell's Privacy and Data Management Blog provides updates on the most recent issues emerging in the legal and business communities. We cover a range of issues, legal developments, and new technology as they impact privacy and data management. We will focus on how organizations can protect, manage and innovate with information considering the various risks, regulatory and governance requirements.
Legal Disclaimer: The information made available on this webpage is for information purposes only. It does not constitute legal advice, and should not be relied on as such. Please contact our firm if you need legal advice or have questions about the content of this webpage.