On June 12, 2020, Quebec introduced a proposed update to its public and private sector privacy laws. The draft legislation reflects both elements of the European Union’s General Data Protection Regulation (GDPR) and aspects of federal and provincial privacy laws in Canada.
Among the GDPR-like provisions are requirements that companies establish a person in charge of personal information:
The proposal also requires that companies establish a legal basis to process data and carry out privacy impact assessments under various circumstances. It also requires companies to establish in contract to whom processors may transfer data, for how long they may retain it, limitations on how they may use it, and their obligations with respect to confidentiality.
Like the GDPR, the proposed update grants individuals rights in their data, including the right to be informed about how data will be collected and for what purposes. Individuals will also have the right to access and correct their data, and to withdraw consent to its processing. Individuals must be notified when information will be transferred outside Quebec, and if a company collects personal information from a third party, it must, upon request, identify the source of the information.
More closely aligned with existing approaches in Canadian law are the bill’s breach notification, notice and consent obligations, and its data destruction requirements.
The proposal introduces mandatory notification requirements following a “confidentiality incident” that presents a risk of serious injury. A confidentiality incident is defined as follows:
The new proposal would amplify existing notice and consent requirements. It also would establish an express obligation to destroy information no longer required for the purposes for which it was collected.
These new rules would apply, under certain conditions, to the personal information of Quebec customers held by organizations doing business in the province. Quebec’s introduction of this proposed update comes after Prime Minister Justin Trudeau announced in late 2019 his mandate that Canada’s Minister of Innovation, Science and Industry establish a new set of online rights for citizens, signaling an intent to overhaul data protection in Canada. The country’s Personal Information Protection and Electronic Data Act has been in place since 2004. If your business operates in Canada, it will be important to be aware of new developments in Canada’s federal and provincial laws.
The European Commission announced in December that it has begun its process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework (the Framework). Companies seeking to transfer data from countries in the European Union to the United States will need to take steps to align with this change.