CLIENT NOTICE – Quebec’s Bill 64 / Law 25

Quebec’s Bill 64 Stage 2 – Coming into effect Sept 22, 2023!

If your organization handles personal data of individuals living in Quebec, you need to comply with Bill 64 – An Act to modernize legislative provisions regarding the protection of personal information.

On Sept 22, 2022 Quebec’s Bill 64 (also known as Law 25) came into effect. Organizations that handle the personal information of people living in Quebec will need to ensure their privacy program and data handling practices will accommodate the stricter provisions for consent, privacy rights and data breach notifications.

The full requirements of Bill 64 come into effect in 3 stages. As of September 22, 2022, organizations must have appointed a Privacy officer and must report any incidents involving a breach of personal information, where the incident presents a “risk of serious injury”.

Starting September 22, 2023 additional requirements come into effect:

Policies, processes, consent and transparency

Policies and processes should be implemented, and in some case made public, to ensure the protection of personal information on issues including the retention and destruction of personal information, the consent process, the handling of personal information by employees, and the complaint handling process. These processes must accommodate new individual rights: the right to be forgotten, the right to be informed of automated decision-making, and the right to data portability.

Collecting Consent

Bill 64 imposes new requirements when obtaining consent. When obtaining consent from an individual, they must be informed of the following in clear and simple language:
How the information is collected
How the individual can access and review the information held about them
That they have the right to withdraw consent at any time
The names and/or category of third parties to whom the information may be released (if applicable)
That their personal information could be released outside Quebec (if applicable)

Contractual requirements around the outsourcing of information

Your contracts with 3rd party service providers handling personal information need to have contractual clauses outlining how the service provider protects the confidentiality of personal information, the purpose for which it is being provided, requirement to report a breach of confidentiality, and the right of the company to conduct audits. They should also confirm the destruction or return of the personal information upon expiry of the contract.

Privacy Impact Assessment requirements

Bill 64 requires companies to conduct privacy impact assessments for any “information system project” or “electronic service delivery project” involving the processing of personal information and any transfer of information outside of Quebec.

Two main situations where a privacy impact assessment will be prescribed: (1) when exporting data outside of Quebec, and (2) when acquiring, developing or redesigning an information system or electronic service delivery project involving personal information. These assessments should be proportionate to the sensitivity of the information, the purpose for which it is to be used, and the amount, distribution and format of the information.

Privacy Impact Assessments templates should be customized based on guidelines by the regulatory authority that are expected to be published before September 2023.

Disclaimer:

Strategic Communications is providing this information as a customer service; it should not be construed as legal advice or a legal opinion on any specific situation. Clients should contact their legal advisor if they have questions about the legal requirements applicable to its situation.