Québec's Act to Modernize Legislative Provisions respecting the Protection of Personal Information (Bill 64) received royal assent on 22 September 2021 ("Act"). The Act aims to modernize Quebec's private sector and public sector privacy laws, bringing it in line with the Personal Information Protection and Electronic Documents Act (PIPEDA) and the GDPR. The Act will enter into force in phases over a three year period from the date of assent.
The Act amends Québec's Act respecting the protection of personal information in the private sector by introducing additional obligations for private sector organizations, which include the following:
- Ensure that the parameters of the technological products or services used to collect personal information, by default, provide the highest level of confidentiality;
- Establish and implement governance policies and practices regarding personal information that ensure the protection of such information;
- Designate a person to be in charge of the protection of personal information within the organization (i.e. privacy officer);
- Conduct privacy impact assessments;
- Conduct confidentiality incident reporting and maintain a confidentiality incident register; and
- Before communicating personal information outside Québec conduct an assessment of privacy-related factors.
"Any person carrying on an enterprise must establish and implement governance policies and practices regarding personal information that ensure the protection of such information. Such policies and practices must, in particular, provide a framework for the keeping and destruction of the information, define the roles and responsibilities of the members of its personnel throughout the life cycle of the information and provide a process for dealing with complaints regarding the protection of the information. The policies and practices must also be proportionate to the nature and scope of the enterprise’s activities and be approved by the person in charge of the protection of personal information…"