On June 12, 2020, Quebec introduced a proposed update to its public and private sector privacy laws. The draft legislation reflects both elements of the European Union’s General Data Protection Regulation (GDPR) and aspects of federal and provincial privacy laws in Canada.
Among the GDPR-like provisions are requirements that companies establish a person in charge of personal information:
The proposal also requires that companies establish a legal basis to process data and carry out privacy impact assessments under various circumstances. It also requires companies to establish in contract to whom processors may transfer data, for how long they may retain it, limitations on how they may use it, and their obligations with respect to confidentiality.
Similar to the GDPR, the proposed update grants individuals rights in their data, including the right to be informed about how data will be collected and for what purposes. Individuals will also have the right to access and correct their data, and to withdraw consent to its processing. Companies must notify individuals when they transfer information outside Quebec. If a company collects personal information from a third party, it must, upon request, identify the source of the information.
More closely aligned with existing approaches in Canadian law are the bill’s breach notification, notice and consent obligations, and its data destruction requirements.
The proposal introduces mandatory notification requirements following a “confidentiality incident” that presents a risk of serious injury.
The new proposal would amplify existing notice and consent requirements. It also would establish an express obligation to destroy information no longer required for the purposes for which it was collected.
These new rules would apply, under certain conditions, to the personal information of Quebec customers held by organizations doing business in the province. Quebec introduced this proposed update following Prime Minister Justin Trudeau's announcement in late 2019. Trudeau mandated Canada's Minister of Innovation, Science, and Industry to establish a new set of online rights for citizens, indicating an intent to overhaul data protection in Canada. The country’s Personal Information Protection and Electronic Data Act has been in place since 2004. If your business operates in Canada, it will be important to be aware of new developments in Canada’s federal and provincial privacy laws. Contact us today to ensure your organization remains compliant and well-prepared for any changes on the horizon.
The European Commission’s announced in December that it has begun its process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework (the Framework). Companies seeking to transfer data from countries in the European Union to the United States will need to take steps to be in alignment with this new change.