EMEA Cybersecurity
Contact Us
Get A Quote

*This is the first article of a series about the Bill 64 adoption in Québec.

Québec’s Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, was adopted by the National Assembly on September 21, 2021, and received official assent on September 22, 2021.

Organizations doing business in Quebec and collecting personal information have already started a race against time to understand and operationalize the new requirements introduced by Bill 64.

The main obligations will come into force in three phases:

First year:

- Designate a Privacy Officer.

- Notify the Commission d’accès à l’information du Québec (CAI) of a data breach.

- Implement changes in disclosure of personal information in a commercial transaction.

Second year :

- Conduct a Privacy Impact Assessment in some specific situations, such as the transfer of personal information outside of Québec.

- Comply with the requirements regarding consent, automated decision making and anonymization.

- Ensure the implementation of a Privacy Program, establishing and implementing data governance policies and developing a clear external privacy policy.

- Implement privacy by default.

- Comply with the right to restrict processing and the right to erasure.

Third year :

- Comply with data portability right.

Further to the new requirements, Bill 64 also provides new penal offences and monetary penalties enforced by the enhanced CAI powers.

The penalties go up to CAD 100,000 in the case of a natural person and, for organizations, up to CAD 25,000,000 or 4% of worldwide turnover for the preceding fiscal year, whichever is greater. Moreover, individuals will have the private right of action, which allows them to sue an organization for damages due to a violation of their privacy rights.

Complying with the new requirements and operationalizing them pose significant challenges for organizations doing business in the province. It takes time and demands substantial resources to create and implement organizational, logical, legal and security measures.

Hitachi Systems Security has a highly experienced team of specialists in cybersecurity, privacy and data protection ready to help organizations build up privacy programs compliant with the new scenario.

Our following articles will present some specificities regarding the main new requirements and how they might affect your internal compliance strategy and your organization’s privacy program.

You can also access our webinar “Adoption of Bill 64: What Are Your New Obligations?” (only available in French) to have an overview of how your organization should prepare.

Written by Hitachi Systems Security Privacy Team on 14 October 2021

Follow us on LinkedIn for the latest on Quebec’s Bill 64 and other privacy and cybersecurity developments.

phone-handsetcrossmenu