Bill 64 on data confidentiality: how to prepare for it
On June 12, the Government of Québec introduced Bill 64, the Act to modernize legislative provisions as regards the protection of personal information.
Inspired by the European Union’s General Data Protection Regulation (GDPR), its objective is to enhance the quality of protection of citizens’ personal data and to oblige public and private organizations to take concrete action in the area of information security. The law also provides for considerable fines in the event of non-compliance.
Things to remember about Bill 64
Québec businesses will be required to disclose a data breach if it poses a risk of serious harm to: (i) the Commission d’accès à l’information du Québec; (ii) the person(s) affected; and (iii) any organization that could help mitigate the harm. Failure to comply with this obligation may result in penalties ranging from $5,000 to $50,000 for a physical person, from $15,000 to $25,000,000 for a legal person or even, in certain cases, an amount corresponding to 4% of the latter’s worldwide sales for the previous fiscal year.
In the event of a confidentiality incident, organizations must take measures to reduce the risk of harm to the individuals concerned and to prevent such incidents from recurring.
Sensitive information is now defined as information that, because of its nature, context, use or disclosure, implies a high level of reasonable expectation of privacy.
The right to erasure, i.e. allowing an individual to have information held by a company about him or her deleted when its collection is not authorized by law or when the purpose for which it was collected is fulfilled.
Offending companies may now be sued for damages.
The obligation to appoint a person responsible for the protection of personal information within each subject organization, regardless of size.
Withdrawal of the right for businesses to disclose personal information for prospecting purposes without the consent of the individuals concerned.
The obligation for organizations to destroy or make anonymous personal information when the purposes for which it was collected are fulfilled.
When Parliament resumes in the fall, Bill 64 will be presented and its adoption is expected to follow shortly thereafter. The coming into force of the legislation will be subject to a one-year delay for most of its provisions. Québec businesses therefore have time to prepare for this eventual legislation.
How to prepare for it
Set up an incident response process to be ready if the worst happens.
Review all your privacy policies.
Review all your contracts with third parties, specifically the clauses dealing with information handling.
Review your consent forms.
Conduct an audit of the personal information your company holds and make sure you have adequate safeguards in place.
« This bill is an important step towards better protection of personal information and all Quebec businesses must prepare for it. »
Senior Cybersecurity Consultant