Bill 64 Primed to Become Canada’s GDPR
The European Union has the General Data Protection Regulation (GDPR), and Canada is about to follow suit with Bill 64. Currently, under Quebec’s Private Sector Act, individuals have the right to be informed, to give their consent, to access their personal information and to have that information corrected. Bill 64 gives individuals additional rights akin to those provided by GDPR.
For consent to be valid, the individual must, of course, be informed before granting it. To obtain consent from the individual in question, the information must be written in clear and simple language and must include the purpose, the means by which the information will be collected, the individual’s rights and, if applicable, the name of the third party for whom the information is being collected, as well as the possibility that the information could be disclosed outside of Quebec.
Second, the proposed legislation provides that on request the individual must be informed of the type of information collected, the categories of persons who will have access to the information within the company, the period of time that the information will be kept and the contact information of the person in charge of protecting the personal information.
Also, like the GDPR, consent for collecting, using or disclosing personal information must be requested separately from any other information provided to the individual.
What does this mean for you? Bill 64 does set out additional obligations for organizations, which are closely aligned with GDPR — especially when it comes to enforcement and fines.
Bill 64 has introduced the concept of “privacy by default,” which requires a business that collects personal information when offering a technological product or service to ensure that the default settings of that product or service provide the highest level of confidentiality. This mimics data protection by design and by default as mandated by GDPR.
Section 103 of Bill 64 refers to disclosing information outside of Quebec, complete with a new framework. Before transferring personal information outside of Quebec, an impact assessment must be conducted to show that the information will be protected to the same extent as provided under Quebec’s Private Sector Act. There will be a list of countries where the privacy protection laws are equal to those applicable in Quebec, a list that is comparable to the adequacy decisions under GDPR.
If there is a security incident, Bill 64 mandates that companies notify the Commission d’accès à l’information and, if necessary, the affected individuals.
Also, Bill 64 significantly raises the fines that may be imposed on private sector entities and public bodies that do not respect Quebec’s privacy protection laws. Private sector entities will be subject to fines of $15,000 to $25 million or an amount equal to 4 percent of the company’s global revenue for the previous fiscal year, whichever is highest. Bill 64 will also give the Commission d’accès à l’information the authority to impose, for certain violations and following a notice of noncompliance, a maximum penalty of up to $10 million or an amount equal to 2 percent of global revenue for the previous fiscal year, whichever amount is higher.
2W Tech has a Cybersecurity Compliance Program that is designed to support our clients’ compliance obligations. Most organizations must abide by and maintain a standard of controls that safeguard the confidentiality and privacy of the information they store and process. We work hand in hand with you to learn more about your compliance regulations, help obtain proper agreements, and access relevant system architecture information. Give us a call today to get started on your journey to achieving compliance.