Canadian Privacy Laws & Quebec’s Bill 64

Data protection and data privacy are priorities for businesses and consumers around the world. While penalties for improper data use and storage are motivators for compliance, businesses must realize that ensuring privacy and building trust with their stakeholders mean much more than checking a box; they provide a competitive advantage.

Canada is the latest country to work on ramping up its federal privacy laws, commonly known as “the Act.” In June, the government introduced the Digital Charter Implementation Act, 2022 or Bill C-27, for the responsible development and use of artificial intelligence (AI), and the continued implementation of Canada’s Digital Charter. As such, the Digital Charter Implementation Act, 2022 will include three proposed acts: the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act.

While federal authorities are still mapping out comprehensive privacy laws, any firm doing business in Canada must still adhere to the most rigorous provincial privacy laws—and that’s where Quebec’s Bill 64 comes in. In September 2021, Quebec adopted Bill 64 with the intent to amend much of Canada’s current privacy legislation and strengthen the province’s private and public sector privacy law, with special focus on protecting personal information in the private sector (PPIPS).

Getting Ahead of Quebec’s Updated Privacy Law Bill 64 

Complying with Quebec’s Bill 64 is an urgent priority for any Canadian organizations. While the Bill takes full effect in September 2024, initial provisions go into effect on September 22, including potentially steep fines for non-compliance.

Bill 64 will double down on the Private Sector Act, Quebec’s main regulation for the way any business based in or outside of Quebec collects, stores, uses, shares, and discloses personal information of those living in the province. And it is likely this will extend to other provinces in Canada. 

Staying Ahead of the Bill 64 Roll Out

Bill 64 will be rolled out over the next two years, with the first of the changes taking effect on September 22, 2022. More aspects of the Bill will be enforced a year later on September 22, 2023, with the final provisions due on September 22, 2024. 

Here is a summary of the significant amendments to Bill 64 and their respective deadlines.

What will be in force as of September 22, 2022:

• Increased fines. Bill 64 hikes fines for non-compliance with privacy legislation of up to $25 million CAD or 4% of worldwide revenue for the preceding fiscal year. And authorities will double fines for subsequent offenders.
• DPO in place. Companies must name a Data Privacy Officer or other employee responsible for overseeing compliance with the Private Sector Act.
• Breach reporting. Companies must report breaches that present a “risk of serious injury” to affected individuals to the Commission d’accès à l’information (CAI). This is rolled over from PIPEDA (Personal Information Protection and Electronic Documents Act) requirements.

What will be in force as of September 22, 2023:

The provisions enforced next year require substantial effort to meet, and many organizations will likely require the better part of the next year to meet them.

• Automated processing notification. Businesses will have to disclose if they are automatically processing personal data.
• Written agreements with third party service providers. Service providers can process data based only on a written agreement, which must include information about the purpose of processing and data security measures in place. A best practice is to conduct data discovery to understand the data being shared and with whom it’s being shared.
• Privacy program. The Data Privacy Officer and their team at covered entities must establish and implement governance policies and procedures for collecting and processing personal data. This includes a policy for sharing personal data with third parties. Businesses will also be obligated to destroy any personal data they do not need anymore or anonymize it if they do wish to use it.
• Privacy by default. Businesses developing new technology products or services must set default privacy settings to the “highest level of confidentiality.” This is one guideline already covered in GDPR’s Article 25. It requires businesses to embed privacy in their products and services. This won’t apply to cookies, in any case.
• External Privacy Policy. Businesses must disclose to customers how they use their data — be it what data, how they’re using the data and any third parties involved in processing the data.
• Consent. When collecting personal information, businesses must ensure consent is “clear, free and informed and provided for specific purposes.” This extends the standards set by PIPEDA and includes secondary use of sensitive personal data. Companies must have a process to track these consents to maintain as evidence of use.
• Privacy impact assessments (PIA). Covered entities must conduct a privacy impact assessment when collecting, using, communicating, retaining or destroying personal information. It is important to note that the PIA should be commensurate within the data’s sensitivity, the purpose and amount of data. This includes cross-border transfers to determine the safety of the transfer.
• Data subject requests. Bill 64 includes new rights for data subjects, including the right to be forgotten. Consumers may request that a business cease disseminating their personal information or de-index anything associated with their name. 

By 2024, the data portability right will be enacted, allowing users total control over their data. They’ll have the right to obtain their personal information from any entity currently holding it and move it elsewhere. To avoid being penalized, businesses must take ownership when it comes to data privacy and protection — that includes knowing the location, and amount and type of information they store, use and share.

Meeting Privacy Regulations in Canada

Even with the federal Bill C-27 still in development, Quebec’s Bill 64 is a dramatic wake-up call for any company doing business in Canada. Since Bill 64 is meant to build on federal PIPEDA standards, many firms are well-positioned to begin preparing for it. Yet Bill 64 is sharply raising the penalty for non-compliance while demanding greater scrutiny and transparency regarding data handling. Doing business in Canada means doing business under the auspice of Bill 64. 

And ensuring you are prepared for Bill 64 to come into effect in late September begins with having awareness of where your organization’s personal data resides.

Enterprise Recon by Ground Labs can empower your firm to find, track, categorize, and remediate sensitive data, allowing your organization to be compliant with Bill 64 and, eventually, federal Bill C-27.  You can ensure your organization solidifies its data privacy and compliance plans by finding where all its privacy related data resides to properly protect PII.

Bill 64 pushes firms that are active in Canada to hold themselves to a higher standard. And it’s possible that other governing bodies worldwide will follow Quebec’s example. Enterprise Recon provides accurate, fast and thorough data discovery capabilities that prepare organizations for compliance in 2022 and beyond. 

Book a demo with Ground Labs today to stay on track with provisions of Canada’s privacy laws.