The Canadian Frontier: Preparing for Quebec Bill 64 & CPPA
The current version of the Consumer Privacy Protection Act (CPPA) didn’t make it through Canada’s Parliament in September, but it gave rise to Quebec’s Bill 64: an act to modernize the protection of personal information.
After moving through the legislative process for a year and a half, Bill 64 was adopted and received approval from the Quebec National Assembly on September 22, 2021.
Bill 64: What’s Next for Privacy in Canada
Now adopted, Bill 64 will amend several laws that together modernize personal data protection and the existing data privacy framework in Quebec. Political parties, the public and private sectors, and private organizations will all be affected and required to comply — or face serious penalties.
The impacted requirements — covering data subject access requests (DSARs), consent, privacy impact assessments (PIAs), and confidentiality obligations — will take effect gradually over the next three years, amounting to a major privacy reform for Canada. This progression may very well pave the way for the passage of the CPPA.
Enforcement and Fines
A notable feature of Bill 64, and one that has received some attention, is the enforcement power behind it.
New Monetary Fines
Quebec’s Commission on Access to Information (CAI) will have the power to impose new monetary administrative fines for the following reasons:
- failure to inform individuals
- unlawful collection, use, or disclosure of information
- failure to ensure the protection of personal information
- failure to report a breach or incident
The maximum fines are CAD 50,000 for individuals and, for businesses, CAD 10,000,000 or, if greater, 2% of total revenue from the previous year.
In comparison, penal offenses such as refusing to cooperate with investigations or to provide required documentation carry broader scope and higher fines, and are prosecuted by the Attorney General. In this scenario, the maximum penalty ranges from CAD 5,000 to CAD 100,000 in a case against a person. In all other business-related cases, it ranges from CAD 15,000 to CAD 25,000,000, or 4% of total revenue from the previous year.
For repeat infractions, the fines are doubled.
Governance and Protection
Privacy Officer
Similar to GDPR, Bill 64 introduces the principle of organizational accountability, placing responsibility for protecting personal information on the role of a “Privacy Officer.”
Policies and Practices
Bill 64 requires all organizations to implement privacy governance policies and practices. Data governance consists of frameworks for maintaining and deleting information, defined roles and responsibilities, data lifecycle management, and the process for dealing with data rights requests.
In addition, the privacy-related information from these policies must be published on the company’s website in clear and simple language.
PIAs
Bill 64 also requires organizations to use PIAs to assess any processing that involves collecting, using, disclosing, or deleting personal information.
Rights of Individuals
Right to Erase
In addition to deletion, Bill 64 allows individuals to require organizations to:
- stop the sharing of personal information
- de-index hyperlinks that give access to that information
- re-index hyperlinks that give access to that information
Right to Data Portability
Bill 64 allows individuals to request a copy of their personal information as a digital record. At their request, the information must be disclosed in a structured digital format to the individual or to an authorized body.
Right to Opt-Out of Automated Decision-Making
Finally, Bill 64 requires organizations to inform individuals when decisions concerning their personal information are rendered based on automated processing. On request, the individual must be informed of:
- the reasons that led to the decision
- the personal information used for the decision
- the right of the person to correct the personal information used to render the decision
How to Prepare for Quebec Bill 64
To get ready for the CPPA, 21% of Canadian businesses expect to spend $10 million or more, and 37% expect to hire ten full-time staff, according to PwC Canada. In addition, Bill 64 will impact Canadian businesses, which will have to adjust to new best practices and use privacy frameworks to maintain compliance.
Organizations that have taken a proactive approach to the EU’s General Data Protection Regulation (GDPR) will be in better shape for Quebec Bill 64 — but will still need to take the necessary actions to comply with the unique provisions of the new Canadian law.
BigID’s data intelligence platform enables organizations to discover, classify, and map all personal, sensitive, and regulated data across policies and the entire data landscape. As a result, companies can fulfill Bill 64 compliance obligations, operationalize privacy, automate data rights requests, manage privacy risk through PIAs, and ultimately protect customers’ data.
Check out BigID in action to see how we help businesses address Quebec Bill 64 compliance requirements and build a proactive privacy program to adapt to the current regulation.