On September 22, the Act to modernize legislative provisions relating to the protection of personal information (“Bill 64”) received royal assent, after its adoption by the National Assembly of Quebec a day earlier.
The Act represents a major reform of the current privacy regime in Quebec, with changes aimed at improving transparency, enhancing consent requirements, and increasing data confidentiality. Its enforcement will be spread out over three years, and will affect both the private and public sector businesses operating in Quebec.
“The passing of Bill 64 cannot be overstated,” said Imran Ahmad, Head of Technology and Co-Chair of Data Protection, Privacy & Cybersecurity at Norton Rose Fulbright Canada.
“It’s the first domino in a series of changes that will be reshaping the Canadian privacy landscape,” Ahmad said in an email. “Increased enforcement powers coupled with a GDPR-type approach — our clients are looking at it as a major compliance initiative for 2022 and beyond.”
The Act introduces amendments “that will cause structural changes” in the way organizations do business, says Chantal Bernier, head of the Privacy and Cybersecurity practice group for Dentons Canada LLP in Ottawa.
First, she says, mandatory privacy impact assessments (PIAs) will now be required for i) any project of acquisition, development and redesign of an information system project or electronic service delivery project involving personal information; ii) the transfer of personal information outside of Québec; and iii) the communication of personal information without consent for study, research or statistics.
This means that “organizations must create processes internally to determine when their activities meet the requirement to have a PIA,” Bernier adds, as well as how to go about them: “who does the PIAs, what is the method they want to implement … ?”
Second, since the Act strengthens the requirements for accountability — meaning internal compliance processes for compliance with privacy law – it requires organizations “to step back, look at their compliance structures and processes, and ask themselves if they still meet the test.”
Third, the Act regulates the use of de-identified and anonymized information. The Bill defines de-identified information as information that “no longer allows the person concerned to be directly identified.”Anonymized information is that which is “at all times reasonable to expect in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly.”
Information that was anonymized and no longer personal used to be outside the scope of privacy law, she says, but now its use is much more restricted.
“Organizations will need to look at their practices, to make sure they still meet that test.”
And fourth, organizations using…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
