New enforcement mechanisms include monetary administrative penalties, penal offences with fines
Quebec National Assembly’s Committee on Institutions has completed its clause-by-clause consideration of Bill 64, An Act to modernize legislative provisions as regards the protection of personal information. This consideration started in February and concluded on Aug. 24.
Affected businesses may benefit from having someone in charge of protecting personal information and from implementing a process for managing and reporting security incidents, says Éloïse Gratton, partner and national co-leader of the privacy and data protection practice group at Borden Ladner Gervais LLP.
Gratton notes that new enforcement mechanisms will take effect, specifically monetary administrative penalties imposed by the Commission d’accès à l’information and penal offences with significant fines. There is also a new right to sue an enterprise for damages arising from unlawful infringement of a right conferred by the Private Sector Act or by articles 35 to 40 of the Civil Code, as well possible punitive damages if the infringement is intended or caused by a gross fault.
According to Gratton, lawyers can consider advising businesses to conduct gap analysis assessments for identifying which of their practices are affected by the legislation, to explore ways they may implement the bill’s more challenging requirements, to deactivate by default technologies that can locate or profile individuals and to ensure that their products and services have privacy settings offering the highest level of confidentiality.
The legislation includes certain consent exceptions that apply to specific situations where personal information has been de-identified or anonymized. Lawyers can encourage their business clients to adjust their relevant practices ahead of time by assessing their research projects and their processes and methods for de-identifying or anonymizing data, Gratton says.
Another new requirement pertains to privacy impact assessments (PIAs) relating to the acquisition, development and redesign of some types of systems and prior to communicating personal information beyond Quebec. In line with this, businesses should ideally develop a procedure that ensures they can swiftly identify situations where a PIA is required, can implement a template for this purpose and can train the teams who will be responsible for preparing PIAs, Gratton says.
The legislative process of Bill 64 in the National Assembly only has two remaining steps, the consideration of the report of the Committee on Institutions and the final passage debate, said a bulletin posted on BLG’s website. One may expect passage of the bill by the end of October, given the resumption of the National Assembly on Sept. 14 and given that further changes are unlikely, the bulletin added.
In the coming weeks, BLG’s privacy and data protection team plans to release a comprehensive guide to help businesses abide by these new privacy requirements, many of which will be difficult to implement, according to the bulletin.