On September 21, 2021, the Government of Québec passed its Bill No. 64 Act to Modernize Legislative Provisions respecting the Protection of Personal Information, which, among other things, had the effect of amending the Act Respecting the Protection of Personal Information in the Private Sector (the “Private Sector Act“).
The implementation of the new legal requirements to which private sector companies will be subject will take place in 3 phases taking effect, respectively, September 22, 2022, September 22, 2023 and September 22, 2024.
As a result, as of September 22, 2022, companies will have to:
1° Appoint a Privacy Officer
Any person who operates a business will be responsible for the protection of the personal information they hold. As such, the person with the highest authority in the company will have to ensure compliance with and implementation of the Private Sector Act
The Act provides that the person shall exercise the function of a privacy officer, but may delegate that function in writing, in whole or in part, to any person.
The title and contact details of the person responsible must be published on the company’s website or, if it does not have a website, made accessible by any other appropriate means.
2° Report and keep a record of any confidentiality incident presenting a serious risk of harm
Companies must notify the Commission d’accès à l’information du Québec (the “CAI“) and the person concerned of any privacy incident involving personal information presenting a serious risk of harm and keep a register that must be provided to the CAI upon request.
The concept of a “privacy incident” includes the access, use, or disclosure not authorized by law, of personal information, or a loss or other impairment regarding the protection of such information.
As for “personal information”, it includes any information relating to a natural person that can directly or indirectly identify that person.
In considering the assessment of “serious risk of harm”, this assessment will, inter alia, consider the sensitivity of the information concerned and the likelihood that the information will be misused.
3° Disclose to the CAI any bank of characteristics or biometric measures 60 days before its commissioning, as well as the verification or confirmation of identity made by means of these characteristics
More generally, it will also be mandatory, after September 22, 2022, to notify the CAI before using any biometric technique (e.g., facial recognition, voice recognition etc.) to verify or confirm the identity of a person. This technique may not be used without the express consent of the individual.
In the event of a breach of their obligations:
- businesses could be liable to criminal penalties of up to 4% of their worldwide turnover or $25M, whichever is greater;
- businesses could also be liable to prosecution for damages; and
- as of September 23, 2023, the CAI will have the power to impose administrative monetary penalties of up to 2% of the worldwide turnover of the business in default or $10M.
It is therefore in the best interest of businesses to prepare for the first phase of the implementation of the new provisions of the Private Sector Act.