Quebec’s Bill 64 Introduces New Governance Obligations for Businesses Processing Personal Information
This article is part of our Bill 64 Blog Series, which will provide readers with a 360° view on Bill 64 and its sweeping amendments to Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (the “Private Sector Act”). To view other blog posts in the series, please visit this page.
The Act to Modernize Legislative Provisions respecting the Protection of Personal Information (“Bill 64” or the “Bill”) received royal assent on September 22, 2021, and is set to bring important changes to the Province of Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (“Private Sector Act”). As part of a series of blogs on how businesses can best prepare for the introduction of these new obligations, this blog discusses the corporate governance obligations incumbent on businesses that are set to enter into force as early as September 22nd, 2022.
Bill 64 makes notable governance-related amendments to the Private Sector Act requiring action from businesses, including:
- appointing a “Person in Charge of Personal Information” (the “PCPI”) within the organization;
- establishing and publishing governance policies and practices with respect to personal information;
- conducting a privacy impact assessment for the development, acquisition, or redesign for electronic service delivery projects involving personal information; and
- establishing response procedures for rights-based requests made by individuals whose personal information may be collected.
Policies and Publication
The Private Sector Act had not strictly required companies to put forward a governance policy with respect to the treatment of personal information, although such practice was voluntarily common. Businesses will now have to maintain governance policies and practices aimed at protecting personal information and that are proportionate to the nature and scope of their activities. These policies must be drafted in a clear manner and published by appropriate means by the business, including on the business’ website. Some baseline requirements that will need to be addressed in a governance policy include:
- a framework for keeping and destroying the personal information collected;
- defined roles and responsibilities for personnel throughout the life cycle of the personal information held;
- a process for dealing with complaints regarding the protection of personal information held; and
Bill 64’s approach to policy and procedure requirements largely align with existing requirements under PIPEDA and the GDPR. One potential difference is the particularly detailed nature of the policy and procedure disclosures required for compliance with Bill 64. Bill 64 requires policies to establish the lifecycle of personal information as well as the responsibilities of personnel with respect to personal information. A second difference is the method of dissemination required by the Amended Private Sector Act, which requires more frequent and public disclosure than PIPEDA or the GDPR. Bill 64 requires businesses to publically disseminate the entirety of their privacy policies. PIPEDA’s “openness” principle has been interpreted in a similar albeit less stringent and explicit manner through the Privacy Commissioner’s office and guidance. PIPEDA compliant organizations must make information on policies and procedures readily available without unreasonable effort, which includes disclosure on publicly available sources like a website, or in the agreement where consent is obtained. Similarly, the GDPR requires some public disclosure of privacy policies, but the full policy need not be disseminated until either a request is submitted or data is collected.
As discussed in a previous post, the Private Sector Act did not contain specific requirements to notify affected individuals or the Comission d’accès à l’Information (the “CAI”) in the event of a confidentiality incident. Bill 64’s additions to the Private Sector Act require that businesses must promptly notify the CAI, as well as any other person whose personal information was affected, promptly after a confidentiality incident that poses a “risk of serious injury.” Businesses must also keep a registry of all confidentiality incidents regardless of the consequences of the breach, and send the registry to the CAI upon request.
Bill 64 aligns breach response, reporting, and record-keeping requirements more closely those under the PIPEDA and GDPR frameworks. PIPEDA requires that organizations keep and maintain records of every breach of security safeguards involving information under its control, whether they pose a “real risk of significant harm” or not, and to provide a record to the Privacy Commissioner upon request. Where breaches pose a “real risk of significant harm”, businesses must report the breach to the Office of the Privacy Commissioner and affected individuals as soon as feasible. The GDPR maintains similar, albeit more stringent requirements. Businesses are required to keep and maintain a record of confidentiality breaches and remedial measures taken, and provide them to supervisory authorities on request. In the event that a breach causes a high risk of harm to a data subject, the business must report to the relevant supervisory authority within 72 hours, and affected data subjects must be notified without undue delay.
Bill 64 also provides individuals with the right to make requests concerning their personal information. Business must respond to such requests promptly. Individuals have the right to request access, to correct inaccurate information, to have their personal information de-indexed or re-indexed, or to cease dissemination thereof, in certain circumstances, and to have personal information held by the company sent to a third party in a structured format. In each case, businesses must have a means of accepting the request, responding to it, and exercising the required request in a reasonable timeframe. These Bill 64’s provisions most accurately mirror those of the GDPR, for which each of these types of requests must also be met with a response by businesses within a reasonable timeframe.
Before Bill 64, businesses were responsible as a whole for the implementation of measures to protect the personal information of their customer base. While the appointment of privacy officers was a common practice amongst businesses prior to Bill 64, a new role is now mandatory for every enterprise engaged in commercial activity, the PCPI. The PCPI serves as both the public’s and the business’ key liaison for matters involving personal information and is responsible for implementing a variety of personal information protection measures within the company. These include:
- implementing and approving governance policies and procedures;
- providing input and feedback on privacy related concerns for new projects involving personal information;
- responding within 30 days to access and rectification requests;
- providing written reasons for their refusal to accept requests for access or rectification;
- recording the communication of breach notifications to third parties who may reduce risks;
- assessing the risk of injury during a confidentiality incident;
- serving as the contact point for requests to collect personal information from individuals; and
- attesting to the de-indexation/re-indexation and cessation of dissemination for personal information, when required to do so by the Amended Private Sector Act;
By default, the person with the highest authority in the business is the PCPI. However, this position may be delegated to any other person in writing, including persons outside of the business. The PCPI must also have their title and contact information published on the business’ website.
Another operational change discussed in our previous TechLex post on cross-border transfers is the introduction of new privacy impact assessment requirements. The Amended Private Sector Act requires the PCPI to be consulted at the onset of any project involving the acquisition, development, and redesign of an information system or electronic service delivery project. Additionally, personal information transferred outside of the province must also be subject to a privacy impact assessment that takes into account the sensitivity of the information, the contractual and non-legal protection measures in place, and the legal framework of the target transfer jurisdiction. Bill 64’s requirements are more onerous by comparison to those required by the GDPR. The GDPR requires a data protection impact assessment (“DPIA”) only when data processing involves a “high risk to the rights and freedoms of natural persons.” Where data processing involves a combination profiling, automated decisions with legal consequences, specifically sensitive data, or a merging of data, a DPIA may be required to be conducted prior to processing. By comparison, Bill 64 requires a PIA to be conducted in order to establish said risks, and is done in all cases involving IT systems acquisition or cross-border data transfer rather than only those of high risk. Businesses will need to align their internal policies and processes to conform with impact assessment requirements in conjunction with the PCPI’s oversight.
Concrete Steps to Take Now
With the variety of corporate governance requirements introduced by Bill 64, businesses should consider the following concrete steps to ensure compliance:
Appoint a Person in Charge of Personal Information
Appointing a PCPI must be treated as a priority as this obligation is set to come into force on September 22, 2022 (whereas most amendments become effective on September 22, 2023). The Amended Private Sector Act requires that every business engaged in commercial activity appoint a PCPI (internally or a third party). Businesses should consider their options and the technological competency of PCPI appointees, given the broad scope of obligations incumbent on the PCPI under Bill 64’s changes.
Establish a Breach Registry
An equally pressing obligation set to come into force on September 22, 2022, is the establishment of a breach registry and related policies and procedures. Bill 64’s amendments require that businesses keep a readable registry of all confidentiality incidents, not only those which cause a risk of serious harm. Businesses already compliant with existing privacy regimes should adapt their practices and policies to ensure compliance with Bill 64’s breach reporting obligations, including remediation procedures.
Plan to Respond to Rights-based Requests
Businesses should consider planning their responses to the rights-based requests introduced by Bill 64. This includes starting to draft policies and mapping out procedures to respond in a timely manner to requests for access, rectification, de-indexation/re-indexation/cessation of dissemination, and data portability. Note that compliance with data portability requests are subject to the longer 3-year entry into force period (September 22, 2024).
Create Clear and Robust Governance Policies Relating to Personal Information
As a long term but important obligation, businesses should begin considering how to draft a clear and robust governance policy relating to personal information. The Amended Private Sector Act requires privacy policies to provide detailed and comprehensive information for the life cycle of data collected by the business. This therefore also requires data mapping, which could take time to properly conduct. Governance policies must also be disseminated in an appropriate manner, which needs to be considered for businesses who do not maintain a significant online presence. Included among the necessary governance policies is a template private impact assessment and related procedures to affect them when new IT systems are introduced, and when personal information is transferred to third parties. Crafting a comprehensive governance policy also serves as an opportunity to consider the business’ overall privacy strategy, and to rectify any deficiencies to ensure compliance by September 22, 2023.
Bill 64 has made significant additions to the reporting requirements that businesses who process personal information in Quebec should be aware of. With amendments to the Private Sector Act relating to corporate governance set to come into force as early as September 22nd, 2022, and heavy penalties for non-compliance coming into force on September 22nd, 2023, businesses should begin planning how to align their governance practices with Bill 64’s new requirements.
To learn about how the Cyber/Data Group can assist you in updating existing governance practices, and how to prepare your business for compliance with Bill 64’s changes, please contact national co-leaders Charles Morgan and Daniel Glover for more information.
Act respecting the protection of personal information in the private sector, CQLR c P-39.1, as amended by Bill 64, section 3.2 [the “Amended Private Sector Act”].
 Amended Private Sector Act, section 3.2.
 Amended Private Sector Act, sections 3.2 and 8.2.
Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5. Schedule 1, Section 4.1.4(a-d) [“PIPEDA”]
 EU Regulation 2016/679, General Data Protection Regulation, Article 12 [“GDPR”]; GDPR Recital 58.
 GDPR, Article 13.
 GDPR Recital 58.
 PIPEDA, Section 4.8.
 Amended Private Sector Act, section 3.5 al 2.
 Amended Private Sector Act, section 3.8.
 PIPEDA, section 10.3.
 PIPEDA, section 10.1
 GDPR, Article 33(5).
 GDPR, Articles 34–35.
 Amended Private Sector Act, section 3.1 al 2.
 Amended Private Sector Act, section 3.1 al 2.
 Amended Private Sector Act, section 3.3.
 Amended Private Sector Act, section 17.
 GDPR, Article 35.