Bill 64 – Quebec’s newest privacy legislation
On June 12, 2020, the Quebec government introduced a bill to modernize the province’s privacy legislation, which will apply to public bodies and private enterprises established in Quebec as well as any business that has a digital presence in Quebec.
Bill 64 will impact how businesses collect and store personal data pertaining to their customers, clients, employees, etc. Any business that has a digital presence in Quebec could be fined if the new Bill 64 requirements are not properly met – especially in the event of a security breach. Businesses could face fines of up to $25 million or 4% of an its previous year’s worldwide turnover. Non-compliance could also damage an organization’s reputation.
WHAT YOU NEED TO KNOW:
Bill 64 proposes a number of new requirements. By default, the person exercising the highest authority within the organization would be responsible to ensure that the organization implements and complies with the Act, once it’s passed. This person can delegate all or parts of that function to a Chief Privacy Officer.
WHAT ARE THE PROPOSED REQUIREMENTS?
Bill 64 proposes several new requirements that apply to all businesses in every industry if they have a digital presence in Quebec:
- New breach notification requirements: i.e., the timely notification of any confidentiality incident to the Comission d’accès à l’information (CAI).
- New individual rights: the right to be forgotten, the right to object automated decision-making, the right to de-indexing, etc.
- New outsourcing requirements: written agreements need to be in place when outsourcing is involved to present the third party’s measures to ensure personal data privacy.
- Privacy impact analysis: would be required to assess if your projects involve personal data and determine how best to secure said data.
- More requirements include (but are not limited to): governance policies and practices, data privacy policies, employees and organizational awareness and training, and time constraints.
ARE YOU READY TO COMPLY WITH BILL 64?
Six questions business owners should ask themselves.
- Where and how is your organization’s data stored?
- What type of personal data is stored or used by your organization?
- How many third parties have access to your organization’s personal data?
- Do you have personal data protection policies?
- What measures are in place at your organization to protect the personal data of your employees and customers?
- Do you have efficient practices and internal controls in place to ensure personal data security?
HOW CAN RICHTER HELP?
The compliance process is long, requires many diagnostics, resources and a detailed understanding of the law. Our multidisciplinary experts can assist you in all strategic actions leading to compliance with Bill 64 and with all tactical actions ensuring your business remains compliant going forward.