Data Protection & Privacy
Quebec’s Bill 64, a reform of the province’s privacy legislation, is now law. The amendments to, among others, the province’s private sector privacy legislation received assent on September 22, 2021, and will enter into force gradually over the next three years.
As previously reported in our Insight from June 16, 2020, the reform draws inspiration from the EU’s General Data Protection Regulation (GDPR). Notably, it introduces penalties ranging from $15,000 CAD to $25 million CAD or an amount corresponding to 4 percent of a business’ worldwide annual turnover, whichever is higher.
While Bill 64’s provisions will enter into force gradually by September 22, 2023, some provisions will enter into force as early as September 22, 2022, namely concerning:
Prior to these changes, and subject to some industry-specific exceptions, organizations carrying out commercial activities in Canada only had statutory mandatory and reporting requirements under the Alberta PIPA and where the federal private sector privacy law (i.e. PIPEDA) applied. As of September 22, 2022, organizations will also have to comply with a mandatory notification requirement to affected individuals in Quebec and report the incident to the Commission d’accès à l’information – the provincial privacy regulator. Failure to do so could lead to hefty monetary penalties described above.
We cannot understate the magnitude of this reform. Organizations operating in Quebec must prepare their governance models, technology, and their people to comply with their new obligations as soon as they enter into force.