Quebec passes a new privacy law – Quebec Bill 64

After much debate regarding whether Canada’s federal privacy bill, the Personal Information Protection and Electronic Documents Act (PIPEDA), offers sufficient privacy protections for consumers, Quebec passed a new privacy law, Quebec Bill 64. While Quebec already had a privacy law, the Act Respecting the Protection of Personal Information in the Private Sector, Canada’s legislature considered that law to be substantially similar to PIPEDA. In fact, the Privacy Policy disclosures that were required to be made, the privacy rights offered to individuals, and the enforcement mechanisms of both laws were essentially the same. However, with the passage of Quebec Bill 64, quite a few changes have been made that diverge this law from PIPEDA. While the text of Quebec’s Bill 64 has not been officially made available, we were able to obtain a copy and, in this article, we will discuss who this new law applies to and how it will affect your business. 

Who does Quebec Bill 64 apply to?

Quebec’s Bill 64 applies to persons who collect, hold, use or share personal information in the course of carrying on an enterprise within the meaning of Article 1525 of the Civil Code. Article 1525 of the Civil Code defines “enterprise” as “the carrying on by one or more persons of an organized economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property, or providing a service.” This new law will apply to anyone participating in an economic activity, even if that activity is not commercial, meaning that nonprofit organizations will need to comply with this law, as well as for-profit organizations. 

The fact that nonprofit organizations will need to comply with Quebec’s new privacy law is an important difference to PIPEDA, which generally applies to organizations that engage in commercial activity. While this means that nonprofit organizations are generally exempt from PIPEDA, they could be subject to PIPEDA if they engage in commercial activities such as the selling, bartering, or leasing of donor lists. 

Privacy Policy disclosures required by Quebec Bill 64

Quebec’s Bill 64 also diverges from PIPEDA by requiring the following disclosures to be made in Privacy Policies: 

  1. The purposes for which personal information is being collected; 
  2. The means through which the personal information is being collected; 
  3. The right of access, portability, and rectification of personal information; 
  4. The person’s right to withdraw consent to the communication or use of the personal information collected; 
  5. How privacy rights requests can be sent to the organization;
  6. If personal information is collected using technology that allows the person to be identified, located and profiled, the Privacy Policy must inform the person of the use of such technology and of the means available, if any, to deactivate the functions that allow the person to be identified, located, or profiled; 
  7. If personal information will be used for automated decision making, that fact must be disclosed;
  8. The possibility that the personal information may be communicated outside of Quebec; 
  9. The title and contact information of the person in charge of the personal information. 

In contrast, PIPEDA does not require Privacy Policies to disclose whether the personal information will be used for automated decision making, nor how users can deactivate functions that allow a person to be identified, located, or profiled. These Privacy Policy changes mean that organizations that need to comply with Quebec’s Bill 64 will need to update their Privacy Policies prior to the law going into effect in September, 2023.

Quebec’s privacy law enforcement

Perhaps the biggest and most important difference between PIPEDA and Quebec’s Bill 64 is enforcement. Under Quebec’s new privacy law, if an individual has a complaint, the individual can make a complaint to Quebec’s Commission d’acces a l’information. If the individual is not happy with the resolution of the complaint, they can appeal to the Court of Quebec. The administrative penalties for failure to comply are also steep – a maximum of CAD $50,000 in case of an individual violating the law or a maximum of CAD $10,000,000 or, if greater, 2% of the worldwide turnover for the preceding fiscal year in case of an organization violating the law. Lastly, Quebec’s Bill 64 even allows the prosecutor to institute penal proceedings for violations of the law. 

Quebec’s Bill 64 effectively resolves the gripes about PIPEDA’s lax enforcement and penalties by allowing individuals to sue businesses directly, imposing heavy penalties, and even allowing the institution of penal proceedings for violations. Thus, if you are collecting the personal information of residents of Quebec, it is extremely important to prepare for this law prior to its effective date in September, 2023. 

What is Termageddon doing about Quebec’s privacy law?

We are currently engineering a Privacy Policy questionnaire that will determine whether you need to comply with this new law, and adding new questions to the questionnaire that would help us create the disclosures required by this law in the generated Privacy Policy. We will inform Termageddon clients via email once this update is available. We are also monitoring Quebec’s legislature for additional guidance on the law’s interpretation and will inform you once such guidance has been released. If you do not have a Privacy Policy or do not have a plan to keep it updated with Quebec’s new privacy law, make sure to check out Termageddon’s Privacy Policy generator.