Summarizing Changes Brought Forward by Quebec’s Bill 64/Law 25

In September 2021, Quebec’s National Assembly assented to Bill 64, An Act to modernize legislative provisions as regards the protection of personal information. Bill 64 more closely follows the GDPR’s prescriptive approach: it introduces the new privacy rights of data portability and the right to be forgotten, and calls for greater transparency and control.

Bill 64 requires companies to conduct privacy impact assessments for any “information system project” or “electronic service delivery project” involving the processing of personal information and any transfer of information outside of Quebec.

Of particular interest to digital advertisers and DAAC participants, Bill 64 requires that before using any technology that permits the identification, locating, or profiling of a user, an organization must proactively disclose this use and provide a way to activate these functions. This requirement will apply to internet tracking technologies such as cookies, pixels, beacons, and other IDs.

Bill 64 also permits the use of de-identified information for an organization’s internal research purposes.

Bill 64 requires parental consent for collecting information from children under 14 unless clearly for the child’s benefit. PIPEDA does not differentiate between adults, youth (18 and below), and children (under 13 years of age). Still, the Office of the Privacy Commissioner of Canada (OPC) has consistently viewed personal information relating to youth and children as being of particular sensitivity, especially the younger they are, and has required parental consent for collecting personal information from children under 13 years of age.

The months in which specific provisions come into force are summarized below, but companies are strongly encouraged to seek legal counsel for their compliance efforts.

 

September 2022:

  • Designate a person in charge of the protection of personal information (s. 3.1)

  • Mandatory breach reporting (“confidentiality incidents”) to the CAI (s. 3.5, 3.6, 3.7, 3.8)

  • Communication of personal information is permitted without consent for research purposes or the production of statistics; a privacy impact assessment is required (s. 21)

  • Biometric data requires express consent from individuals, and enterprises must disclose the creation of such databases to the CAI (s. 44, 45)

 

September 2023:

  • Enterprises must establish and implement governance policies and practices regarding personal information; provide a framework for the keeping and destruction of the information; define the roles and responsibilities of the members of its personnel (s. 3.2)

  • Conduct a privacy impact assessment for any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping, or destruction of personal information (s. 3.3, 3.4)

  • Be transparent about the purposes, means, and rights of access to the personal information collected and used, and provide the ability for individuals to withdraw consent; post a clear and simple confidentiality policy (s. 8, 8.2, and 22)

  • Companies must first inform a person of the use of personal information to identify, locate or profile them and of the means available to activate the function (e.g., interest-based advertising) (s. 8.1)

  • Privacy by default. A technological product or service having privacy settings must ensure that those settings provide the highest level of confidentiality by default, without any intervention by the person concerned (s. 9.1)

  • Sensitive personal information requires opt-in consent (s. 12)

  • Exceptions to consent are limited (s. 12)

  • To render a decision based exclusively on an automated process, enterprises must inform the person of the personal information used, of the reasons and the principal factors and parameters that led to the decision, and of the right to have that personal information corrected (s. 12)

  • Consent must be clear, free, informed, and given for specific purposes. It must be requested for each such purpose in clear and simple language (s. 14)

  • The consent of a minor under 14 years of age is given by the person having parental authority (or “tutor”) (s. 14)

  • Sending personal information outside of Quebec requires a privacy impact assessment (s. 17)

  • Consent is not required where the communication of personal information is necessary for carrying out a mandate, performing a contract, or concluding a commercial transaction (s. 18.3, 18.4)

  • Enterprises must destroy the personal information or irreversibly anonymize it to no longer allow the person to be identified directly or indirectly (s. 23)

  • Individuals have the right to be forgotten. An enterprise must cease disseminating information or de-index any hyperlinks about a person if requested (s. 28.1)

  • Contraventions are subject to monetary administrative penalties (s. 90.1 - 93.1)

 

September 2024:

  • Individuals have the right to data portability (s. 27 (s. 120 in the assented bill))

 

Recommended Resources:

BLG - Québec Privacy Law Reform: A Compliance Guide for Organizations

Osler - Preparing for privacy reform in Québec webinar

Gowling WLG - Canadian Privacy Laws: New Rules for a New Era

 

Is your company not yet part of the AdChoices self-regulatory program? The DAAC program is well-established and has tools ready to assist you with your compliance efforts. Now is an excellent time to join.

Please get to know what we do by contacting us at info@daac.ca today.