Bill 64, regarding the protection of personal information was adopted in September 2021, and will enter into effect in Québec beginning in the fall of 2022. What do the changes mean for a business like yours? We have enlisted an expert in the field, Mtre Erwan Jonchères from Lex Start Lawyers, to answer this question for you.
An overview of Bill 64
Bill 64 is an initiative of the Québec Government aimed at reinforcing and modernizing its mechanisms for the protection of personal information. Why? Simply to provide its citizens with better protection! The new ambitious regulations will require all public bodies and businesses operating in Québec to exercise greater transparency with respect to the collection and sharing of personal information (definition provided in French), and to allow users to exercise greater control over their information.
Six reminders related to the application of Bill 64
1. Application will be implemented in three phases
Fortunately, this means that businesses will be able to adapt to their new obligations gradually. But be aware: The first changes enter into effect on September 22, 2022. The subsequent phases are planned for September 2023 and 2024. Below you will find a description of the changes that come into effect this fall.
2. The importance of explicit consent is being reinforced
Businesses must clearly inform their users as to the personal information that they wish to collect, and must obtain their consent before doing so. In addition, they must divulge the identity of any third parties to which they will be transmitting the collected information, and above all, they must allow individuals to request the modification or deletion of information.
3. All businesses must appoint a person responsible for the protection of personal information
Yes, all businesses – even if your organization only has two employees. The person responsible for the protection of personal information, or Privacy Officer, will become the contact person for all matters related to compliance with Bill 64. They will be responsible for the creation of policies, governance practices and all processes related to the protection of personal information. Is this a complicated role? Yes, but it is also an essential and mandatory role. Learn more about this topic by clicking here (related article available in French).
On September 22, 2022, the highest ranking executive within each business will become the Privacy Officer by default, but the role can be delegated to another person who is more familiar with this area.
4. Confidentiality incidents must be managed and reported
Any breach or loss of personal information – no matter how minimal – must be recorded in a registry and sent to the Commission d’accès à l’information (CAI). If the CAI determines that there is a risk of serious injury, the business will also be required to inform the individuals affected by the incident.
5. The proposed penalties are severe, but…
Depending on the severity of the offence, fines of up to $25 million or 4% of worldwide income could be applied. Yikes! On the other hand, don’t forget that a business that takes the protection of personal information seriously has a much better chance of gaining the trust of its users.
6. Prepare yourself for the application of Bill 64
According to Mtre Erwan Jonchères, the best way for organizations to prepare for the upcoming changes is to conduct an audit of their practices related to personal information. “Which types of personal information do you collect? How is it collected? Who processes the information? How do you use it? Who is it sent to? Map out the flow of information to get a better overall picture”, he advises.
For more detailed information concerning Bill 64 and the steps to take to prepare your business for the three phases of its application, visit the official website of the Commission d’accès à l’information du Québec (in French).