Quebec Proposed Update to Provincial Privacy Laws Includes Elements of the GDPR and Canadian Federal Law

Written by

Achieved Compliance

On June 12, 2020, Quebec introduced a proposed update to its public and private sector privacy laws. The draft legislation reflects both elements of the European Union’s General Data Protection Regulation (GDPR) and aspects of federal and provincial privacy laws in Canada.

Among the GDPR-like provisions is a requirement that companies designate a person in charge of personal information. Others include:

  • Sanctions for failure to provide notice, for collection or use of personal information in violation of the act, or for failure to report a breach.
  • The amendments would impose penalties on businesses ranging from $15,000 to $25 million or an amount corresponding to 4 per cent of worldwide annual turnover, whichever is higher.

The proposal also requires that companies establish a legal basis to process data and carry out privacy impact assessments under various circumstances. It also requires companies to establish in contract to whom processors may transfer data, for how long they may retain it, limitations on how they may use it, and their obligations with respect to confidentiality.

Similar to the GDPR, the proposed update grants individuals rights in their data, including the right to be informed about how data will be collected and for what purposes. Individuals will also have the right to access and correct their data, and to withdraw consent to its processing. Companies must notify individuals when they transfer information outside Quebec. If a company collects personal information from a third party, it must, upon request, identify the source of the information.

More closely aligned with existing approaches in Canadian law are the bill’s breach notification, notice and consent obligations, and its data destruction requirements.

The proposal introduces mandatory notification requirements following a “confidentiality incident” that presents a risk of serious injury.

A confidentiality incident is defined as any of the following:

  • Access to personal information not authorized by law,
  • Use of personal information not authorized by law,
  • Release of personal information not authorized by law, or
  • The loss of personal information or any other breach in the protection of such information.

The new proposal would amplify existing notice and consent requirements. It also would establish an express obligation to destroy information no longer required for the purposes for which it was collected.

These new rules would apply, under certain conditions, to the personal information of Quebec customers held by organizations doing business in the province.

Quebec introduced this proposed update following Prime Minister Justin Trudeau's announcement in late 2019. Trudeau mandated Canada's Minister of Innovation, Science, and Industry to establish a new set of online rights for citizens, indicating an intent to overhaul data protection in Canada. The country’s Personal Information Protection and Electronic Data Act has been in place since 2004.

If your business operates in Canada, it will be important to be aware of new developments in Canada’s federal and provincial privacy laws. Contact us today to ensure your organization remains compliant and well-prepared for any changes on the horizon.