Quebec Proposed Update to Provincial Privacy Law Includes Elements of the GDPR and Canadian Federal Law

Written by

Melise Blakeslee

On June 12, 2020, Quebec introduced a proposed update to its public and private sector privacy laws. The draft legislation reflects both elements of the European Union’s General Data Protection Regulation (GDPR) and aspects of federal and provincial privacy laws in Canada.

Among the GDPR-like provisions are requirements that companies establish a person in charge of personal information:

  • Sanctions for failures to provide notice, collection or use of personal information in violation of the act, or for failure to report a breach.
  • The amendments would impose penalties on businesses ranging from $15,000 to 25 million or an amount corresponding to 4 per cent of worldwide annual turnover, whichever is higher.

The proposal also requires that companies establish a legal basis to process data and carry out privacy impact assessments under various circumstances. It also requires companies to establish in contract to whom processors may transfer data, for how long they may retain it, limitations on how they may use it, and their obligations with respect to confidentiality.

Like the GDPR, the proposed update grants individuals’ rights in their data, including the right to be informed about how data will be collected and for what purposes. Individuals will also have the right to access and correct their data, and to withdraw consent to its processing. Individuals must be notified when information will be transferred outside Quebec, and if a company collects personal information from a third party, it must, upon request, identify the source of the information.

More closely aligned with existing approaches in Canadian law are the bill’s breach notification, notice and consent obligations, and its data destruction requirements.

The proposal introduces mandatory notification requirements following a “confidentiality incident” that presents a risk of serious injury. A confidentiality incident is defined as follows:

  • Access to personal information not authorized by law,
  • Use of personal information not authorized by law,
  • Release of personal information not authorized by law, or
  • The loss of personal information or any other breach in the protection of such information.

The new proposal would amplify existing notice and consent requirements. It also would establish an express obligation to destroy information no longer required for the purposes for which it was collected.

These new rules would apply, under certain conditions, to the personal information of Quebec customers held by organizations doing business in the province. Quebec’s introduction of this proposed update comes after Prime Minister Justin Trudeau’s announced in late 2019 his mandate that Canada’s Minister of Innovation, Science and Industry establish a new set of online rights for citizens, signaling an intent to overhaul data protection in Canada. The country’s Personal Information Protection and Electronic Data Act has been in place since 2004. If your business operates in Canada, it will be important to be aware of new developments in Canada’s federal and provincial laws.