Quebec Bill 64

What Is Quebec Bill 64?

This blog outlines a 101 overview of Quebec Bill 64 in its original form for posterity. Bill 64 was adopted by the National Assembly on September 21, 2021, and is now most commonly referred to as Law 25.

In an increasingly digital world, the protection of personal information continues to be a pressing concern. Governments around the world are enacting new privacy legislation to safeguard individuals' privacy rights and exploring amendments to existing policies. Quebec’s Bill 64 is a comprehensive privacy law in Canada and a perfect example of this legislative trend. Let’s explore some of Quebec Bill 64’s key aspects and their implications for businesses and individuals.

When Does Quebec Bill 64 Take Effect?

The first phase of Quebec Bill 64 is partially already in effect, known as Quebec’s Law 25. On Sept. 22, 2021, Quebec’s legislature unanimously adopted Law 25, an act immediately amending the act respecting the protection of personal information in the private sector. On Sept. 22, 2022, the first phase of the bill came into force, with the majority of the law’s changes planned to take effect on Sept. 22, 2023, with the right to portability coming on Sept. 22, 2024. Organizations must stay updated on Quebec Bill 64’s effective rollout dates to ensure smooth transitions and mitigate any potential non-compliance risks.

What Is the Difference Between Bill 64 and GDPR?

Quebec Bill 64 and the General Data Protection Regulation (GDPR) share a common goal of safeguarding data privacy and providing privacy protection for individuals. However, there are notable differences between the two. The GDPR is a comprehensive privacy regulation applying to the processing of personal data across all European Union (EU) member states. Its scope is broader than Quebec Bill 64, which specifically applies to organizations operating in Quebec, Canada. The GDPR establishes a unified framework for data protection across the EU, while Quebec’s Bill 64 focuses on privacy regulations within the Canadian province. 

Additionally, the GDPR sets stringent requirements for obtaining consent, data breach reporting notifications, and cross-border data transfers. Both privacy legislations emphasize the importance of protecting personal data, but their scope and specific provisions differ due to their distinct regional jurisdictions.

Who Does the Quebec Privacy Law Apply To?

Quebec Bill 64 applies to both private and public sector organizations that collect, use, or disclose the personal data of Quebec residents. This includes businesses, government agencies, non-profit organizations, and other entities handling personal data.

Personal Information Covered Under This Canadian Privacy Law

Quebec Bill 64 defines personal information broadly, encompassing any information relating to an identified or identifiable individual. This includes obvious identifiers like names, addresses, and social insurance numbers, as well as less obvious identifiers like IP addresses, browsing history, and other online identifiers.

Privacy Rights Listed Under Quebec Bill 64

Quebec Bill 64 provides individuals with several privacy rights. These include the right to be informed about the collection and use of their personal information, the right of access to personal information held by an organization, the right to rectify any inaccuracies, and the right to withdraw consent for the processing of personal data, among others listed below.

• The right to be informed about the collection, use, and disclosure of personal information
• The right of access to personal information held by an organization
• The right to receive information about how information held by an organization is used
• The right to rectify inaccuracies or incomplete personal information held by an organization
• The right to withdraw consent for the processing of personal data, with certain exceptions
• The right to object to the processing of personal information for specific purposes, like direct marketing
• The right to have personal information deleted or anonymized in certain circumstances, including when it’s no longer necessary for the purpose for which it was collected
• The right to restrict the processing of personal information under certain conditions
• The right to be informed about any automated decision-making processes significantly affecting individuals and the right to obtain human intervention and explanation in such cases
• The right to data portability, allowing individuals to obtain and transfer their personal information from one organization to another where technically feasible
• The right to lodge complaints with the Commission d'accès à l'information du Québec (CAI) regarding privacy violations and seek remedies for non-compliance with the law

Rights Response Timelines

Under Quebec Bill 64, organizations must respond to individuals' requests regarding their privacy rights within specific timelines. For example, organizations must provide access to personal information within 30 days of receiving a request, and rectify inaccuracies within a reasonable time.

Business Obligations Under Quebec Bill 64

Where Canada’s federal PIPEDA regulation applies only to commercial data collections and transactions, Quebec’s Bill 64 imposes several new requirements on both businesses and non-commercial organizations. These organizations are required to implement privacy policies and procedures, obtain valid consent for the collection and use of personal information, and ensure appropriate security measures are in place to protect personal data from unauthorized access, use, or disclosure. Additionally, organizations must provide employee privacy training and designate a privacy officer in charge of the protection of personal information and responsible for ensuring compliance with the law.

Special Topics Covered by Quebec’s Privacy Act

Quebec Bill 64 addresses several special topics relevant to privacy and data protection.

• Enhanced rules for consent requirements, including the need for valid and informed consent, especially regarding sensitive personal information
• Guidelines for the transfer of personal data outside of Canada, ensuring adequate protection when data is transferred to information systems within jurisdictions with different privacy standards
• Regulations pertaining to the use of artificial intelligence (AI) and automated decision-making systems that may impact individuals' privacy rights to ensure transparency, fairness, and accountability in their implementation
• Provisions for the rights of minors, including specific protections and considerations regarding the collection and use of personal information from individuals under the age of majority
• Measures addressing the right to be forgotten, enabling individuals to request the deletion or removal of their personal information in certain circumstances
• Requirements for organizations to conduct privacy impact assessments (PIAs) when implementing new projects or systems involving the processing of personal information to ensure privacy considerations from the outset
• Provisions related to data breach notification and confidentiality incidents like specifying requirements for organizations to promptly notify individuals and authorities in the event of a data breach that poses a risk to individuals' rights and freedoms
• Regulations regarding the accountability of organizations and imposing obligations to maintain records of processing activities, privacy policies, and procedures to demonstrate compliance with the law
• Guidelines for the exercise of individuals' rights, specifying the procedures and timelines for responding to requests from individuals regarding their privacy rights, like access to personal information or rectification of inaccuracies.

Quebec Bill 64 Exemptions and Limitations

While Quebec Bill 64 seeks to protect individual rights comprehensively, there are certain exemptions and limitations within the legislation. For example, the law allows for the collection, use, or disclosure of personal information without consent for certain purposes like law enforcement, public health, or legal proceedings. However, these exemptions are subject to specific conditions and safeguards.

Quebec Bill 64 Enforcement

To ensure compliance with the legislation, Quebec Bill 64 grants enforcement powers to the Commission d'accès à l'information du Québec (CAI). The CAI will have the authority to investigate complaints, issue fines for non-compliance, and impose sanctions on organizations that commit confidentiality incidents or fail to meet their obligations under the law. The penalties for non-compliance can be significant, underscoring the importance of organizations taking the necessary steps to comply with the legislation.

Ensure Your Quebec Bill 64 Compliance With DataGrail

Quebec Bill 64 represents a significant step forward in protecting individuals' privacy rights in Quebec, Canada. With its broad scope, comprehensive obligations, and stringent enforcement measures, the law aims to bring privacy regulations in line with the digital age. Businesses and organizations operating in Quebec must familiarize themselves with the requirements of Bill 64 and take appropriate measures to ensure compliance. By prioritizing privacy and data protection, organizations can meet legal obligations and gain the trust and confidence of their customers in an era where privacy is increasingly valued.

DataGrail’s Privacy Control Center helps companies meet the demands of Quebec’s data protection law, Bill 64 (now Law 25), and future-proof your compliance in Canada and beyond. Our Request Manager product is perfect for staying on top of Bill 64-enforced data subject requests (DSRs) like rectification, deletion, and opt-out asks. Take control of PIA completion with Risk Monitor, DataGrail’s product that tackles assessments using intelligent workflows, auto-populated fields, and complete workflow visibility.

Don’t wait until the last minute to implement a comprehensive privacy solution. Request your 1:1 demo with DataGrail today, and start building trust and outsmarting risk tomorrow.