Proposed amendments to Quebec’s privacy legislation: new penalties comparable to the EU’s GDPR
Legal Development, 16 June 2020
Data Protection & Privacy
Last Friday, the Quebec government introduced Bill 64, which would update, among other statutes, the Act Respecting the Protection of Personal Information in the Private Sector. Drawing inspiration from the EU’s General Data Protection Regulation (GDPR), the amendments would impose penalties on businesses ranging from $15,000 to $25 million or an amount corresponding to 4 per cent of worldwide annual turnover, whichever is higher.
The new rules would apply, under certain conditions, to the personal information of Quebec customers held by organizations doing business in the province.
They also introduce mandatory notification requirements following a “confidentiality incident” that presents a risk of serious injury. A confidentiality incident is defined as follows:
- access to personal information not authorized by law,
- use of personal information not authorized by law,
- release of personal information not authorized by law, or
- the loss of personal information or any other breach in the protection of such information.
In such a case, the organization must notify the Commission d'accès à l'information. It must also notify anyone whose personal information is affected by the breach, failing which the Commission may order it to do so. The organization must also keep a record of the incident. If it fails to report the incident when required to do so, it may be subject to the newly introduced sanctions.
The update to the law also grants individuals additional protections regarding the use and retention of their personal information. In particular, businesses will have to request separate consent for each new use of data. In addition, they will not be able to share personal information with third parties without the consent of the individuals concerned. The amendments also require the destruction or anonymization of personal information once the purpose for which it was collected has been fulfilled.
Any organization that holds personal information will also have to designate a person responsible for the protection of personal information and put in place policies and practices for this purpose.