BILL 64 VS GDPR
Updated: Apr 3, 2022
Comparison of protection measures for personal information in the private sector.
On 12 June 2020, when Bill 64 was tabled at the National Assembly, Mrs. Sonia Lebel listed the limitations and gaps of the current Quebec laws on personal information protection in both the private and public sectors. The objective of the bill is to raise the level of protection for personal information in Quebec by adding legal obligations of transparency, confidentiality of personal information and user consent, and by heightening the responsibility of ministries and public bodies, private companies and, for the first time, political parties. This article focuses on the amendments affecting the private sector, compared with the applicable provisions and measures already in place under the General Data Protection Regulation (GDPR), and on their consequences for the enterprises that will have to apply them.
Toward harmonization with the GDPR
The proposed modifications to the relevant provincial laws bring them close to the changes introduced by the GDPR. Indeed, one can only welcome citizens (re)taking control of their data through reforms such as the granting of new rights: the right to data portability, the right to erasure and to de-indexing, and the right not to be subject to automated decision-making, including profiling. Also, the new requirement of protection by design and by default ("privacy by design"), the practical application of a long-awaited principle necessary for better protection of personal data in Quebec, brings a series of challenges for entrepreneurs who collect personal information through their products and technological services: they will have to make sure that the settings and configurations of those products and services provide the highest level of privacy by default, which means adapting the processes behind their digital applications.
New obligations and responsibilities of enterprises
Several other obligations, in matters ranging from data collection to data transfer, will soon apply to entrepreneurs. We list them in the table below; it is, however, necessary to remind you how important it is to respect these obligations, as they trigger penal and civil liability. Indeed, the principle of corporate responsibility has been explicitly integrated into Bill 64: on the one hand through the creation of the "person responsible for the protection of personal information", in charge of ensuring compliance with and enforcement of the ACT RESPECTING THE PROTECTION OF PERSONAL INFORMATION IN THE PRIVATE SECTOR (ARPPIPS), a role that will from now on fall to the highest-ranking manager of the enterprise; on the other hand through the enhanced control and sanction powers of the CAI (Quebec's data protection agency). The CAI can, without submitting a file to the DPCP (Quebec's director of public prosecutions), impose administrative fines of up to $10,000,000 or, if greater, the amount corresponding to 2% of worldwide turnover for the preceding fiscal year; criminal fines can reach $25,000,000 or 4% of global turnover. As in Europe, it is the application of significant fines and the possibility of being sued for damages that will have a strong deterrent effect on reckless data management by enterprises. Indeed, 2019 having been filled with numerous data breaches, one can observe that threats come not only from the failure of security systems or ill-intentioned acts but also from poor risk management strategies that did not guarantee appropriate corporate governance. Accordingly, Bill 64 introduces new obligations that are triggered when a data breach happens. At the same time, the Bill provides the tools needed to handle such incidents and risks.
In addition to the requirement to apply the principle of "privacy by design and by default", a Privacy Impact Assessment is now required when the data processing can result in a high risk to the rights and freedoms of natural persons.
To better understand the points of convergence and divergence between the protection measures offered by Bill 64 and the GDPR to the private sector, please review the summary table below.
Since the entry into application of the GDPR in 2018 worried many, and to avoid any last-minute concerns, we suggest that Quebec entrepreneurs prepare their Bill 64 compliance plan for their governance and personal information protection programme as of now, or at least before Bill 64 becomes applicable in 2021. Indeed, Bill 64 will go through the next steps of its adoption when the National Assembly returns in the fall and, under its transitional and final provisions, will come into force only one year after its assent.
Preparing your organization for legislative changes
Enterprises and entrepreneurs, here is some advice to help you start preparing for these changes:
Review your privacy policies and personal information policies and your contracts with third parties;
Review your consent forms;
Do a risk analysis: an audit of all the personal information you store, determining its degree of sensitivity and the required level of protection;
Put internal policies in place and response plans in case a data breach happens;
Set up the highest levels of cybersecurity;
Promote awareness of the importance of data privacy among your employees and make them aware of the ethical issues on these matters.
Evaluate your personal information protection maturity level
Prudence AI offers a free 15 min. consultation.
This post was edited by Dobah Carre and Vincent Bureau.