A strict new privacy law is coming to Quebec. If your organization does business in Canada, you should pay attention.
- Accountability: A privacy officer should be designated, otherwise the person with the highest level of authority in a business (e.g., the CEO) will be held accountable for compliance.
- Privacy management program: Organizations will have to implement and publish policies and procedures (including governance rules), and will have to demonstrate they are being followed.
- Privacy by default: Organizations must set default privacy settings for technological products or services to the most privacy-preserving level. Specifically, organizations will need to deactivate profiling, tracking or identification technology until individuals expressly opt-in. This will affect websites and mobile apps.
- Privacy impact assessments: A written assessment of privacy risks, and of the steps taken to mitigate them, will be required for (i) any IT or digital project an organization upgrades, acquires or develops; (ii) any transfer of personal information outside of Quebec; or (iii) any disclosure of personal information for research purposes (unless individuals have consented).
- Possible data localization requirement: For cross-border data transfers to a third party, the PIA must conclude that the data will be adequately protected, and a contract with the recipient must be in place, otherwise the data must remain in Quebec. Data localization would be an enormous challenge for most organizations, so attention should be given to the PIA process.
- Consent: Organizations must obtain consent to collect and use personal data, unless an exception applies. Generally, this consent must not be bundled with other information given to the consumer. Collecting and using “sensitive personal information” will require a separate, opt-in consent. Parental consent is required to collect information about kids under 14.
- Consumer access and deletion rights: The rights to data deletion and data portability are included.
- Data breach notification: Breaches that carry a risk of harm to consumers must be logged and reported to Quebec’s data protection authority, as well as to affected individuals or third parties.
- Automated decision-making: Organizations must inform individuals when an automated decision has been made about them, and explain their rights to access or correct the underlying personal data, get information on how the decision was made, or have the decision reviewed by a human who can change it.
- Biometrics: Organizations must notify the DPA at least 60 days before launching a biometric system or repository, and must notify the DPA before using biometrics to identify or verify individuals.
- Anonymized and de-identified data: The requirements to qualify for this category become stricter: it must be essentially impossible to re-identify the data.
- De-indexing of data: Individuals can demand that their personal information be "de-indexed", which means it may no longer be disseminated and any hyperlink from the person's name to other personal information about them must be removed.
- Penalties: Fines can be up to C$50,000 per affected individual or 2% of global revenues (4% for criminally egregious violations); in addition, the Commission d’accès à l’information du Québec (the DPA) could impose administrative penalties of up to C$10,000,000 on private companies.
- Timeframe: Some provisions will come into force on September 22, 2022, but most become effective on September 22, 2023.