Doing Business in Québec
Privacy Impact Assessments. Organizations are required to conduct a privacy impact assessment (PIA) with respect to any project to acquire, develop or redesign an information system or electronic service delivery system involving the collection, use, disclosure, retention or destruction of personal information. PIAs must be proportionate to the sensitivity of the information concerned, the purpose for which it is to be used, the quantity and distribution of the information and the medium on which it is stored.

Cross-Border Transfers. Prior to communicating personal information outside Québec, enterprises must undertake a PIA that assesses and confirms that the information will receive an adequate level of protection according to “generally accepted data principles.” This assessment applies whether or not the information is transferred to a foreign data controller or to a data processor entrusted with the collection, use, communication or storage of the information on the enterprise’s behalf. Communication of personal information outside Québec must be the subject of a written agreement that addresses the results of this assessment and, if applicable, the terms agreed on to mitigate any risks noted in the assessment.

Accountability. The Modernization Act also imposes on enterprises a suite of responsibilities and obligations relating to the preservation, protection and destruction of personal information, including the obligation to establish and implement governance policies and practices regarding personal information that ensure the protection of such information. These policies and practices must, in particular, provide a framework for the keeping and destruction of the information, define the roles and responsibilities of the members of its personnel throughout the life cycle of the information
Modernization Act, Québec has ushered in the most consumer-friendly privacy law in Canada. Some of the most significant changes are outlined below. With the exception of the requirement for reporting and notification of confidentiality incidents, which came into force in September 2022, all the changes listed below came into force on September 22, 2023:

Reporting and Notification of Confidentiality Incidents. Enterprises are required to keep a register of all “confidentiality incidents,” defined to include privacy breaches and unauthorized access to, use of or communication of personal information. When such an incident poses a “serious risk of injury,” it must also be reported to the CAI, and notice must be provided to individuals whose personal information was involved. Enterprises are also required to take reasonable measures to reduce the risk of injury from suspected confidentiality incidents and to prevent new incidents of the same nature.

Fines and Penalties. The CAI has been granted expanded powers of enforcement under the Modernization Act that allow it to impose administrative monetary penalties for a wide range of violations of the Private Sector Act. Other than for natural persons, these penalties could be as high as C$10 million or, if greater, 2% of worldwide turnover for the preceding fiscal year. The Act mandates the CAI to develop a general framework for the application of administrative monetary penalties, but guarantees enterprises certain safeguards, such as notification before the imposition of a penalty, an internal review process and a right to contest a review decision before the Court of Québec. The Act also provides the CAI with the power to institute penal proceedings before the courts for violations of the statute. Other than for natural persons, fines upon conviction can range from C$15,000 to C$25 million or, if greater, 4% of worldwide turnover for the preceding fiscal year.
Davies | dwpv.com