Quebec is on the verge of significant data privacy changes with the introduction of Bill 64. In addition to the numerous requirements that businesses will have to implement, the new penalties that will be imposed on offending companies could have disastrous consequences. This article outlines the substantial penalties that will result from non-compliance, as well as the new powers given to the enforcement authority.  

‍

The information presented below has been verified by our in-house counsel and data privacy specialist. To avoid the hours of research required to understand the scope of the upcoming changes, we invite you to check out our training program.    

What is Bill 64?  

‍

Quebec recently adopted its most restrictive data privacy law to date, thereby modernizing Quebec's entire data privacy landscape. Any business that processes personal information in the province will now be required to comply with the law, starting September 2022.      

Who will be responsible for ensuring privacy and compliance within the company?  

‍

‍

One of the first requirements of Bill 64, and will therefore be required of all Quebec businesses as of this September, is the appointment of a Data Protection Officer (DPO). The role of this person will be, first and foremost, to ensure compliance and, by the same token, increase the protection of the personal information processed by the company.  

‍

Heavy responsibilities will fall on the DPO as this individual will be responsible for establishing the necessary implementations related to data confidentiality within the organization. Understanding the responsibilities of this position will be crucial since the organization, as well as the DPO, will be held accountable in the event of any violations of the law.  

‍

What happens in the event of non-compliance?  

‍

One of the most radical aspects of the reform is undoubtedly the significant penalties in the case of non-compliance with Bill 64. The penalties will be fully enforced by September 2023.  

‍

It is likely that this new amendment will cause the most commotion, as was the case in Europe with the introduction of the General Data Protection Regulation (GDPR), where companies faced similar fines.  

‍

Overall, the penalty breakdown is simple. The new regime introduces two types of penalties; administrative penalties and criminal penalties.

‍

How high could the fines be in the event of a violation?  

‍

‍

Administrative fines could be as high as $10 million or 2% of the organization's worldwide turnover for the previous fiscal year, or up to $25 million or 4% for criminal offences, whichever will be greater. It should be noted that, unlike the European legal regime, in the event of a repeat offence, the fines in Quebec will be doubled.  

‍

Companies are also subject to punitive damages for breaching Quebec’s privacy laws intentionally or through gross negligence.  

‍

Who will be the enforcement authority for Bill 64?  

‍

The Commission d'accès à l'information (CAI) has been given increased powers to ensure compliance with Bill 64. The CAI will now have a much more prominent role and will therefore not be limited to simply issuing recommendations. They will also have the ability to impose fines and initiate criminal proceedings.

‍

What will be considered a violation under the law?  

‍

The severity of a penalty will be assessed based on the particular context underlying the action or omission that led to the non-compliance with one or more of the provisions. As a result, there may be an overlap between some of the elements of both administrative and criminal sanctions. Generally, the intent or seriousness of the violation in question will be the main factors considered in establishing the penalties.  

‍

In order to establish appropriate and fair penalties according to predetermined criteria, the CAI has developed a general framework to judge misconduct. For example, the seriousness of the offence, the sensitivity of the personal information compromised and the degree of cooperation of the offending company will be analyzed in the decision-making process.

Conclusion

‍

The consequences of non-compliance are severe on purpose. The Quebec Government is now holding companies accountable for collecting, storing and processing personal identifiable information. By September 2022, it will be mandatory to appoint a qualified individual to act as the DPO and ensure compliance with the law.

‍

At this stage, it’s too early to predict exactly how the implementation of Bill 64 will unfold across the province. We can only wait and see what resources will be deployed to impose the new sanctions.

‍

In the meantime, we highly recommend taking immediate steps to deal with the wide range of changes that await you. To do so, the training offered by Assurance IT is an excellent starting point in preparing for the various implementations required by Bill 64. Avoid endless hours of research and look into the training today.