Québec’s updated privacy law raises the bar for businesses operating in Canada’s second-most populous province, imposing additional compliance obligations on companies already contending with U.S., European, and Asian privacy regimes.
The law brings Québec more in line with Europe’s General Data Protection Regulation, but nuances mean businesses must act precisely or face hefty regulatory penalties and consumer-led litigation through the law’s private right of action.
Bill 64, which received royal assent in September, requires companies to conduct privacy impact assessments for the transfer of personal information outside of Québec and appoint designated privacy officers. Most of the law’s provisions take effect in September 2023, but others come into force in 2022 or 2024.
“The message from the Québec government is, ‘We’re taking privacy laws seriously,’” said Vanessa Coiteux, a partner at Stikeman Elliott LLP in Montréal. “We’re a small piece of North America, but there are significant penalties and obligations here.”
Additional Obligations
Québec is one of the few Canadian provinces to have a stand-alone private sector privacy law. Canada, unlike the U.S., also has a broad federal statute—the Personal Information Protection and Electronic Documents Act.
The new law, among other obligations, requires businesses to report to the Québec privacy regulator and notify individuals of data breaches where there is risk of “serious prejudice.”
The federal law already makes breach reporting mandatory, but Bill 64 now mandates it for organizations coming under the Québec law’s jurisdiction, said Chantal Bernier, who leads Dentons’ Canadian privacy and cybersecurity practice and who formerly helmed the Office of the Privacy Commissioner of Canada.
Companies will also have to conduct privacy impact assessments for certain data processing, including sending information outside of Québec, said Antoine Aylwin, co-leader of Fasken Martineau DuMoulin LLP’s privacy and cybersecurity group.
“Data flows is going to certainly be a big issue,” Aylwin said. “When you do privacy impact assessments, you have to document the process, and that can be a challenge.”
The added provision that businesses delete consumer data after it’s been used for its intended purposes will also prove difficult from an operational perspective, Aylwin said.
Substantial Risk
The law gives Québec’s Commission d’accès à l’information, the province’s privacy regulator, the ability to fine entities that break the law. Administrative penalties range up to CA$10 million ($8.01 million) or 2% of an entity’s worldwide annual turnover for the preceding year, and penal offenses range up to CA$25 million or 4% of worldwide annual turnover.
“This is a game changer—companies will have to pay attention to avoid enforcement and ensure compliance,” Aylwin said. “This is, I would say, the biggest modification, and it gives a lot of teeth to the legislation.”
Bill 64 moves the province from the ombudsman model of privacy to an enforcement-oriented model, Bernier said. On top of the potential for administrative penalties and fines, where an individual exercises the private right of action for infringement of privacy, demonstrating intention or gross negligence, the Court must award punitive damages of no less than CA$1,000, she added.
Unlike the California Consumer Privacy Act, Bill 64 has no revenue or personal data scope.
That means even regional businesses in New England that don’t transact in California or Europe but do sell to Québec consumers should look hard at their data collection practices and data flows to ensure they’re not violating Bill 64 once it takes effect, said Cynthia Larose, the Boston-based chair of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo P.C.’s privacy and cybersecurity practice.
“Canada is not known to be as litigious as the U.S., but that private right of action could be costly for businesses,” Larose said. “If a similar provision pops up in other Canadian provinces, or gets enacted federally in the final version of the new Consumer Privacy Protection Act, that changes the risk pattern and risk assessment for U.S. companies.”
Looking Forward
Other provinces are already looking at Québec’s freshly passed Bill 64 for inspiration. Ontario and British Columbia, the country’s first and third most populous provinces, recently announced reviews of their current legislation.
“If you read the white paper from the Ontario government—Modernizing Privacy in Ontario—which is looking at having its own private sector privacy law, the number of references to the new Québec law really shows its impact in terms of policy direction,” Bernier said.
The requirement that businesses appoint a privacy officer becomes effective in September 2022, so companies should start looking now, said Éloïse Gratton, national co-leader of Borden Ladner Gervais LLP’s privacy and data protection practice.
“In the short term, businesses need to make sure they’re able to track incidents and know how to report those to regulators,” Gratton said. “If they’re updating privacy policies or consent forms, the new transparency requirements are also something they need to keep in mind.”
Automating compliance procedures with technology can help companies ensure they’re handling data properly because ad hoc approaches are often difficult to scale, said Michael Welch, managing director of strategy and risk at MorganFranklin Consulting.
“Sustaining that over the long run is a challenge, especially if you have multiple geographies you’re managing,” Welch said. “Once a law has been enacted, there may be modifications, as well as new ones coming down the pipe or additional ones for each locality.”
While Bill 64 imposes obligations similar to the GDPR—including rules around data portability, automated decision-making, and data transfers—the “devil is in the details,” and businesses subject to both must understand the delta between the GDPR and Bill 64, said Corey Omer, partner at Davies Ward Phillips & Vineberg LLP in Montréal.
“Treating this as a marathon rather than a sprint will give businesses the time they need to come up with an effective plan and meet compliance requirements,” Omer said.