Déjà Vu, But with Canadian Flair: Ready For Quebec’s Take On the GDPR?

06 Sep 2022
Client Alert

Last year, the Canadian province of Quebec enacted a major overhaul of its existing private sector privacy law through Bill 64, An Act to modernize legislative provisions as regards the protection of personal information [1] (as amended, the “Quebec Law”). Though most provisions of the Quebec Law take effect in September 2023, a first tranche takes effect this September 22, 2022.

Let’s make sure your organization is ready.

Why It Matters

Quebec’s current law, an Act respecting the protection of personal information in the private sector, already establishes a fairly comprehensive data protection regime. But the new Quebec Law introduces a variety of GDPR-style requirements, and has significantly more teeth—including new administrative and penal sanctions of up to 4% of annual worldwide turnover and a statutory private right of action (but note, these new enforcement mechanisms only come into effect in September 2023). As of 2023, Quebec data privacy law will exceed its Canadian federal and provincial counterparts, and join the California CPRA as one of the most stringent data protection regimes in North America. The Quebec Law includes GDPR-style individual opt-out, deletion, and portability rights; restrictions on automated decision-making; more stringent consent requirements, including a shift to an opt-in marketing regime; cross-border transfer requirements; mandatory breach reporting; privacy-by-design obligations; and mandatory privacy impact assessments. Most of these only come into effect on September 22, 2023.

Requirements as of September 22, 2022

There are three key requirements[2] that organizations subject to the Quebec Law should be aware of coming into effect on September 22 of this year.

1. Appoint a Quebec Data Protection Officer (DPO). The Quebec Law automatically bestows the responsibility for Quebec data privacy and protection on the individual with the highest level of authority within an organization (though it’s not entirely clear, this would presumably be the CEO or other similar officer). The good news is that the Quebec Law explicitly contemplates that this responsibility can be delegated, in full or in part, “in writing.” We expect most organizations will take advantage of this and appoint an existing data protection officer or similar individual to take on this responsibility. Organizations are also required to publish this person’s title and contact details on their website.

  • Follow your ordinary, written process for appointing officers and delegating authority, for example, corporate consents and resolutions.
  • The Quebec Law has many specific requirements for when the DPO needs to be involved or consulted (for example, the Law requires the DPO to be consulted when deciding whether to provide notice in connection with a data breach), so make sure this person is at the right level and has the authority to carry out these tasks.
  • The online Privacy Policy applicable in Quebec is a great place to post the DPO’s title and contact details.

2. Mandatory Breach Reporting Requirements for Certain “Confidentiality Incidents.” The Quebec Law requires organizations to report certain personal data breaches (known under the Law as “Confidentiality Incidents”) to impacted individuals and the Quebec data protection authority, the Commission d’Accès à l’information du Québec (CAI). Confidentiality Incidents are those that involve access, use, or disclosure of Personal Information not authorized by law, loss of Personal Information, or any other breach of the protection of such information. The definition of “Personal Information” is broad and includes any information that identifies or relates to an identifiable individual. Confidentiality Incidents are reportable to individuals and the CAI when they present a risk of serious harm to impacted individuals. This determination needs to be made in consultation with the Quebec DPO. Organizations are also required under the new Law to take measures to reduce the risk of harm that could be caused to individuals and to prevent similar incidents from occurring in the future.

  • Ensure you have an incident response plan in place, or review your existing plan and related documents, to ensure that Confidentiality Incidents and the reporting requirements are sufficiently covered.
  • Notice content requirements are covered by a separate regulation, a draft of which can be found here (p. 2094). The CAI will also likely have a prescribed reporting form on its website.

3. Maintain a Register of Confidentiality Incidents. Organizations are required to maintain records concerning all Confidentiality Incidents experienced by the organization—even those not subject to the mandatory reporting requirement (i.e., those that do not involve a risk of serious harm). Per the draft regulations, the records must include items such as a description of the incident and the personal information affected, the relevant dates, a description of the factors that led the organization to conclude whether or not there is a risk of serious harm, and the measures taken in order to reduce the risk of harm.

  • The CAI can ask for a copy of these records, so it is critical that they be up to date and complete.
  • Leverage (and expand if necessary) existing breach registers, such as those maintained for GDPR.
  • Ensure that security and IT teams are aware of these requirements and their responsibilities.

That’s au revoir for now—but we will make sure to circle back with another client alert leading up to September 22, 2023.

[1] There is no as-amended version of the Bill currently available on the Quebec National Assembly website. The Quebec data protection authority, the Commission d’Accès à l’information du Québec (CAI), posted an unofficial amended version in French only on its website, accessible here.

[2] There are also certain other requirements, such as relating to databases of biometric information used for identification purposes, which we do not address in this alert.

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.