Quebec Privacy Law: Is Your Organization Ready for New Rules in Force this September?

  • September 21, 2022
  • Ronak Shah, Wendy Mee, Ellie Marshall

On September 22, 2022, the first set of amendments from Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, to Quebec’s Act respecting the protection of personal information in the private sector (Quebec Privacy Act) and the Act to establish a legal framework for information technology (Quebec IT Act) will come into force.

In previous bulletins, we discussed how Bill 64 will change Quebec’s privacy laws. Although most amendments will come into force in September 2023, below we highlight significant changes in force this September. 

PRIVACY OFFICER DELEGATION

The Quebec Privacy Act creates obligations for any person carrying on an enterprise to protect personal information and will now automatically designate the person exercising the highest authority within the enterprise (e.g., the Chief Executive Officer) as the “person in charge of the protection of personal information.” The role of the “person in charge of the protection of personal information” can be delegated to any person, such as a privacy officer, or even a third party. However, this delegation must be made in writing.

The title and contact information of the person in charge of the protection of personal information must also be published on the organization’s website or, if the organization does not have a website, by any other appropriate means.

MANDATORY REPORTING OF “CONFIDENTIALITY INCIDENTS”

Similar to the obligation under the federal Personal Information Protection and Electronic Documents Act (PIPEDA), organizations must notify the Commission d’accès à l’information du Québec (Commission) and affected individuals of any “confidentiality incident” involving personal information that presents a risk of serious injury. Notifications must be made as soon as possible.

A “confidentiality incident” is defined to mean:

  1. access not authorized by law to personal information;
  2. use not authorized by law of personal information;
  3. communication not authorized by law of personal information; or
  4. loss of personal information or any other breach of the protection of such information.

In assessing whether a confidentiality incident presents a risk of serious injury, the organization must consider the sensitivity of the information, the anticipated consequences of its use, and the likelihood that such information will be used for injurious purposes.

Organizations must also keep a register of all confidentiality incidents and provide the register to the Commission upon request.

Quebec has published draft regulations respecting confidentiality incidents which are set to come into force on September 22, 2022. The regulations set out content requirements for notifications to the Commission and to individuals. The regulations also prescribe that registers of confidentiality incidents must be kept for at least five years after the date the organization became aware of the incident. In contrast, under PIPEDA, records of all breaches of security safeguards need to be maintained for 24 months, subject to other legal requirements (such as litigation holds) that may require longer retention periods.

DISCLOSURE OF PERSONAL INFORMATION NECESSARY FOR COMMERCIAL TRANSACTIONS

Organizations will now be allowed, subject to certain exceptions, to disclose personal information without the consent of the individual when the disclosure of personal information is necessary for the purpose of concluding a commercial transaction. This amendment will bring the Quebec Privacy Act in line with other private sector privacy statutes, including PIPEDA, and means that personal information may be shared in the due-diligence process.

A “commercial transaction” is defined to mean the “alienation or leasing of all or part of an enterprise or of its assets, a modification of its legal structure by merger or otherwise, the obtaining of a loan or any other form of financing by the enterprise or of a security taken to guarantee any of its obligations.”

A data protection agreement must be in place between the parties. The organization receiving the personal information must agree to only use the information to conclude the transaction and to not communicate it without consent or as otherwise permitted by the Quebec Privacy Act. Receiving organizations must also agree to protect the confidentiality of the personal information and destroy it if it is no longer necessary to complete the transaction, or if the transaction falls apart.

BIOMETRIC INFORMATION DATABASE REGISTRATION

The Quebec IT Act regulates the collection and use of biometric characteristics, including where biometric techniques are used to verify or confirm a person’s identity. Previously, organizations were required to notify the Commission of the creation of a database of biometric characteristics and measurements, but no notification timeline was specified. Organizations will now be required to notify the Commission promptly and no later than 60 days before the database is put into service.

Organizations will also be required to notify the Commission of any processes used to verify or confirm an individual’s identity that allow for biometric characteristics or measurements to be recorded, except where such verification or confirmation has been previously disclosed to the Commission and except with the individual’s express consent. Only the minimum number of characteristics or measurements needed to link the person to an act, and only such characteristics or measurements as may not be recorded without the person’s knowledge, may then be used and recorded for identification purposes.

Any article or other information or content expressed or made available in this Section is that of the respective author(s) and not of the OBA.