Sunday, October 17, 2021

A Strict New Privacy Law Is Coming to Quebec. Here's What You Need To Know Now:

A strict new privacy law is coming to Quebec.  If your organization does business in Canada, you should pay attention.

After a recent unsuccessful effort to update Canada’s national privacy law (PIPEDA) to be more like Europe’s GDPR (part of a proposed "Digital Charter"), provincial policymakers began to consider their own privacy law changes. Quebec is the first to enact an overhaul of its existing privacy requirements. This will probably be the first of many provincial privacy laws to be re-written in the near future. Here are a few key elements of the new law that may impact your organization's operations:
  • Accountability: The person with the highest authority in the organization (e.g., the CEO) is the privacy officer by default and is accountable for compliance, unless that function is delegated in writing to a designated privacy officer.
  • Privacy management program: Organizations will have to implement and publish policies and procedures (including governance rules), and will have to demonstrate they are being followed.
  • Privacy by default: Organizations must set default privacy settings for technological products or services to the most privacy-preserving level. Specifically, organizations will need to deactivate profiling, tracking or identification technology until individuals expressly opt-in. This will affect websites and mobile apps.
  • Privacy impact assessments: A written assessment of privacy risks, and of the steps taken to mitigate them, will be required for (i) any project to acquire, develop or overhaul an information system or electronic service delivery system that involves personal information; (ii) any transfer of personal information outside Quebec; and (iii) any disclosure of personal information for research purposes without the individuals' consent.
  • Possible data localization requirement: Before personal information is communicated outside Quebec, the PIA must conclude that it will receive adequate protection, taking into account the legal framework of the destination jurisdiction, and a written agreement with the recipient that reflects the PIA's findings must be in place; otherwise the information must remain in Quebec. Data localization would be an enormous challenge for most organizations, so the PIA process deserves careful attention.
  • Consent: Organizations must obtain consent to collect and use personal data, unless an exception applies.  Generally, this consent must not be bundled with other information given to the consumer.  Collecting and using “sensitive personal information” will require a separate, opt-in consent.  Parental consent is required to collect information about kids under 14.
  • Consumer access and deletion rights: Rights to data deletion and data portability are included.
  • Data breach notification: Confidentiality incidents must be logged, and any incident that presents a risk of serious injury must be reported to Quebec's data protection authority and to the affected individuals (and, where doing so could reduce the risk, to third parties).
  • Automated decision-making: Organizations must inform individuals when a decision based exclusively on automated processing has been made about them, and must explain their rights to access or correct the underlying personal data, to obtain information on how the decision was made, and to have the decision reviewed by a person who can change it.
  • Biometrics: Organizations must notify the DPA at least 60 days before bringing a biometric database into service, and must notify the DPA before using biometrics to verify or confirm an individual's identity.
  • Anonymized and de-identified data: The bar for this category becomes stricter. Information is "de-identified" only if it no longer allows the person to be directly identified, and "anonymized" only if it irreversibly no longer allows the person to be identified directly or indirectly; only anonymized data falls outside the Act.
  • De-indexing of data: Where dissemination of their personal information contravenes the law or a court order, or seriously injures their reputation or privacy, individuals can demand that the organization stop disseminating it and "de-index" it, i.e., remove any hyperlink attached to the person's name that gives access to the information.
  • Penalties: The Commission d'accès à l'information du Québec (the DPA) can impose administrative monetary penalties of up to the greater of C$10,000,000 or 2% of worldwide turnover; penal fines for the most serious offences run up to the greater of C$25,000,000 or 4% of worldwide turnover, and are doubled for a repeat offence.
  • Timeframe: Some provisions come into force on September 22, 2022, but most become effective on September 22, 2023; the data portability right follows on September 22, 2024.

These changes will have a number of significant impacts on how organizations collect, use and share data in Canada.

You can read the full Bill 64 here and see a markup showing how it amends the existing law here.

Monday, May 17, 2021

Should governmental entities be allowed to pay ransoms to cybercriminals?


No one wants to pay a cybercriminal in the wake of a ransomware attack, but however distasteful, it might be a rational choice for some organizations in certain circumstances. As long as the ransom is not paid to a prohibited recipient (for example, someone on the OFAC list of SDNs), it is generally legal to pay, although discouraged by officials. Most companies now have insurance to protect themselves from at least some of the risk associated with a ransomware attack, and many would rather pay a ransom than suffer permanent loss of data or prolonged system downtime. Although paying a ransom further encourages ransomware attacks, some organizations may decide to do so if the attacker is known to release data/systems upon payment (and there are now vendors who can tell you whether or not an attacker is likely to do so). 

With governmental assets targeted more frequently of late, policymakers are asking whether governmental entities should have the same latitude to decide whether to pay in order to recover from a ransomware attack.

In North Carolina, Rep. Jason Saine, who works in the technology sector and has introduced multiple bills addressing information technology, has introduced a bill to prevent government agencies from paying a ransom for encrypted data/systems. The bill has passed the House and is nearing passage in the Senate.

House Bill 813 would prohibit State agencies and local government entities from paying a ransom to, or even communicating with, an entity that has engaged in a ransomware incident, and would require any State agency or local government entity that receives a ransomware demand to consult with the Department of Information Technology. It also requires government entities (such as cities, counties, school boards, and community colleges) to report cybersecurity incidents to the Department of Information Technology. Under the bill, the Department of Public Safety would manage the statewide response to cybersecurity incidents, including ransomware attacks. The bill also "encourages" private entities to report cybersecurity incidents to the Department of Information Technology. For purposes of the proposed statute, a "ransomware attack" means a "cybersecurity incident where a malicious actor introduces software into an information system that encrypts data and renders the systems that rely on that data unusable, followed by a demand for a ransom payment in exchange for decryption of the affected data."

You can read more about the bill here.
