Quebec Bill 64, also known as Law 25, represents a significant overhaul of privacy regulations and data protection measures within the province of Quebec, Canada. Enacted with the primary objective of enhancing individuals’ privacy rights and safeguarding their personal information, this comprehensive legislation introduces several obligations, fines, and penalties for organizations that handle personal data. In this article, we will delve into the details of Quebec Bill 64, providing an overview of its provisions, a calendar of obligations, and an insight into the associated fines and penalties.
We can help you get your website ready and compliant. You can schedule a 15-minute consultation in which we will evaluate your site and tell you what the next steps are in your compliance process.
What is Quebec Bill 64?
Quebec Bill 64, officially known as “An Act to modernize legislative provisions as regards the protection of personal information,” was adopted on June 12, 2020, and represents a significant reform of Quebec’s privacy laws. This legislation aligns Quebec’s data protection standards with international norms, particularly the European Union’s General Data Protection Regulation (GDPR), reflecting the growing global importance of data privacy.
Key Provisions of Quebec Bill 64:
- Enhanced Consent Requirements: Bill 64 introduces stricter rules for obtaining consent to collect and process personal information. Organizations must now provide clear and easily accessible information about data processing activities and obtain explicit consent.
- Data Portability and Deletion: Individuals gain greater control over their personal data. They can request their data be transferred to another organization and also request its deletion, subject to certain exceptions.
- Data Minimization: Organizations must limit the collection of personal information to what is necessary for the intended purpose, reducing the amount of unnecessary data processing.
- Mandatory Breach Notification: Organizations must report data breaches to the relevant authorities and affected individuals within a specified timeframe.
- Designation of Data Protection Officers: Certain organizations must appoint a Data Protection Officer (DPO) responsible for ensuring compliance with the law.
- Privacy Impact Assessments: Organizations are required to conduct Privacy Impact Assessments (PIAs) for high-risk data processing activities.
- International Data Transfers: Stricter regulations regarding the transfer of personal data outside of Quebec are introduced.
Quebec Bill 64, also known as Law 25, imposes obligations on a wide range of entities and individuals, including businesses, organizations, government bodies, and individuals who process personal information. The law is designed to protect the privacy rights of individuals and regulate the handling of personal data in the province of Quebec, Canada. Here is a breakdown of who is obliged to comply with Quebec Bill 64:
- Businesses and Organizations: This includes corporations, non-profit organizations, government agencies, and other entities that collect, use, or process personal information in the course of their operations. Businesses and organizations are subject to various requirements under the law, such as obtaining explicit consent, conducting privacy impact assessments, and notifying authorities and affected individuals in case of data breaches.
- Data Processors: Any entity or individual that processes personal data on behalf of others (data processors) is also obligated to comply with the law’s provisions. This ensures that data processors follow the same data protection standards as the organizations they provide services to.
- Data Protection Officers (DPOs): Organizations that meet certain criteria, such as those processing a significant volume of personal data or engaging in high-risk data processing activities, are required to designate a Data Protection Officer (DPO). DPOs are responsible for ensuring compliance with the law’s requirements within their respective organizations.
- Directors and Officers: Directors and officers of organizations may be held personally liable for non-compliance with Quebec Bill 64. This personal liability serves as an incentive for senior management to prioritize data protection within their organizations.
- Individuals: While individuals themselves are not directly obliged to comply with the law, they benefit from the enhanced privacy protections it provides. They have rights under the law, such as the right to request access to their personal data, request its deletion, and be informed about how their data is being processed.
- Public Authorities: Public authorities and government bodies that process personal information are also subject to the law’s requirements. They must comply with the same data protection standards as private-sector organizations.
It’s important to note that the specific obligations and requirements under Quebec Bill 64 may vary depending on the size and nature of the organization, the types of data being processed, and other factors. Organizations and individuals should carefully review the law and seek legal counsel or guidance to ensure full compliance with its provisions.
Are entities outside Quebec subject to Quebec Bill 64 (Law 25)?
Yes, entities outside of Quebec can be subject to Quebec Bill 64 (Law 25) under certain circumstances. The application of the law to entities outside of Quebec primarily depends on the nature of their activities and their interaction with the personal information of individuals in Quebec. Here are some key considerations:
- Extraterritorial Application: Quebec Bill 64, like many data protection laws, may have extraterritorial application. This means that it can apply to organizations located outside of Quebec if they process the personal information of individuals in Quebec. This is especially relevant if the organization offers goods or services to individuals in Quebec or monitors their behavior.
- Data Controllers and Processors: Both data controllers (organizations that determine the purposes and means of processing personal data) and data processors (entities that process data on behalf of data controllers) may be subject to the law. If a data controller or processor is located outside of Quebec but handles the personal data of Quebec residents, they must comply with the law’s provisions.
- International Data Transfers: Quebec Bill 64 includes provisions related to international data transfers. Organizations transferring personal data from Quebec to entities outside the province must ensure that the recipient organizations offer a level of protection equivalent to that required by the law. This may involve the use of contractual clauses or other mechanisms to ensure data protection compliance.
- Online Services: Entities that operate websites or online services accessible to individuals in Quebec should be aware of the law’s application. If such services collect and process personal data from Quebec residents, they may need to comply with the law’s requirements, even if they are physically located outside of Quebec.
- Interactions with Quebec Residents: Any organization, regardless of its location, that collects or processes personal information from residents of Quebec must ensure compliance with the law’s principles and obligations, especially regarding consent, data protection, and breach notification.
It’s essential for organizations outside of Quebec that handle personal information related to individuals in Quebec to assess their obligations under Quebec Bill 64. Compliance with the law may require adjustments to data processing practices, privacy policies, and consent mechanisms to align with the law’s requirements and protect the privacy rights of Quebec residents. Legal advice or consultation with privacy experts may be necessary to ensure proper compliance.
Calendar of Obligations:
To help organizations comply with Bill 64, the following timeline of obligations has been established:
- 2023: Implementation of the new consent rules, data portability, and data deletion provisions.
- 2024: Mandatory breach notification requirements come into effect.
- 2025: Organizations must have appointed Data Protection Officers (DPOs) by this date.
- 2026: Full implementation of data minimization and Privacy Impact Assessment (PIA) requirements.
- 2028: Stricter regulations for international data transfers take effect.
Fines and Penalties:
Quebec Bill 64 introduces substantial fines for non-compliance, demonstrating the seriousness with which data privacy is treated. The fines can be applied as follows:
- Administrative Penalties: Organizations that violate the provisions of Bill 64 can face administrative penalties of up to 4% of their worldwide turnover or $25 million, whichever is higher.
- Criminal Offenses: In cases of intentional violations, individuals involved may face criminal charges with penalties of up to $250,000 for a first offense and up to $500,000 for subsequent offenses.
- Directors’ Liability: Directors and officers of organizations can be held personally liable for non-compliance, with penalties of up to $50,000 for individuals and $500,000 for corporations.
Quebec Bill 64, also known as Law 25, represents a significant milestone in the protection of personal information in Quebec. With a focus on enhancing consent requirements, data portability, and breach notification, it places individuals’ privacy rights at the forefront. Organizations operating in Quebec must be proactive in ensuring compliance with the law’s obligations to avoid substantial fines and penalties. As the implementation timeline progresses, it is imperative for businesses and institutions to adapt their practices to align with the new data protection standards to protect both their customers and themselves in an increasingly data-driven world.