Certain provisions of “An Act to modernize legislative provisions for the protection of personal information” (formerly known as Bill 64) will come into effect in just over a month, on September 22nd. The Act will affect all businesses doing business in the province of Québec. Will your organization be ready to comply?
Enacted on September 22, 2021, this legislation brings significant changes to Québec’s privacy laws. Its goal is to offer citizens better control over their personal information and to modernize the legislative framework, adapting it to today’s technological reality.
Several new elements will be added to the current provisions of the “Act respecting the protection of personal information in the private sector”, which already mandates that any person doing business in Québec must take the necessary measures to comply with their obligations in this regard.
Among these existing measures:
Respond diligently to requests for access to personal information, justify any refusal, and inform the requester of the appeals available through the Commission d’accès à l’information du Québec.
Inform, prior to the collection of personal information, the persons concerned of the purposes of the collection, the use that will be made of the information collected and the persons who will have access to it, and take security measures to ensure the protection of personal information.
Ensure that any person to whom you communicate or entrust personal information outside the province maintains a level of protection equivalent to that which you are required to maintain.
The new law's many provisions come into force in stages over three years, on September 22 of each year until 2024, giving the targeted organizations ample time to prepare. The Commission d’accès à l’information du Québec (CAI) is responsible for enforcing the law.
New provisions for 2022
Here is an overview of the new provisions that will come into force next month:
Designate a person in charge of the protection of personal information (by default, the CEO is responsible), or delegate the function in writing to another person and publish the contact details of that person.
Form a committee on information access and the protection of personal information.
Report confidentiality incidents involving personal information presenting a risk of serious injury to the CAI, and keep a register of confidentiality incidents, which will have to be communicated to the CAI upon request.
Notify the CAI before using any biometric technique to verify or confirm the identity of a person.
Disclose the verification or confirmation of identity made by means of biometric techniques.
As of September 22, 2022, the law also provides a new framework for the communication of personal information without the consent of the person concerned, either for purposes of study, research, or the production of statistics, or in the context of a commercial transaction. The same date brings changes to the authority, responsibilities, and roles of the CAI, including the addition of a new vice-president and a new authority to publish guidelines.