As a Privacy Professional it has been somewhat frustrating trying to sort out the new privacy landscape defined by Quebec’s Bill 64. The Bill itself makes changes to 21 different Acts, but the Act for the Private Sector (ACT RESPECTING THE PROTECTION OF PERSONAL INFORMATION IN THE PRIVATE SECTOR or PPIPS) and the Public Bodies Act (ACT RESPECTING ACCESS TO DOCUMENTS HELD BY PUBLIC BODIES AND THE PROTECTION OF PERSONAL INFORMATION or PBPPI) are certainly the ones most altered by Bill 64.
When we looked up these Acts on LegisQuebec we realized the most up to date version of these laws were posted in 2007! Initially we tried jumping back and forth between Bill 64 and these laws but it became tedious and somewhat confusing. The team here at Newport Thomson decided we would roll up our sleeves and develop a version of these two laws, by integrating the changes from Bill 64 into the official published versions in LegisQuebec.
All we were trying to understand was: what are the new obligations for any business operating in Canada? It is easy to think “this is a Quebec law and my business is based in Ontario or BC or wherever, so it does not apply to me. This only applies to Quebec organizations”. But think about it. Bill 64 protects personal data of all citizens of Quebec. With strong enforcement powers the CAI (Quebec Privacy Commissioner) can issue undertakings and notices of violations up to $25M per incident. We assert that any organization that operates in Canada has a number of Quebec citizens in their databases(s), therefore, Bill 64 applies. Just as California set the new privacy standards for the US via the CCPA and CPRA, Quebec has now done the same for Canada via PPIPS and PBPPI. It would be impossible to have one set of practices for Quebec and a different set for the rest of Canada, so most organizations will operate to the highest standard. New Privacy Management Programs for any organization operating in Canada will at minimum be compliant with these new laws.
But we had to sort out the mess.
We started by taking a blank Excel spreadsheet – one for each law. In the first column we tracked the Chapter, then the Division and Category as well as the Sub-category. We then, section by section, cut and pasted the 2007 versions posted on LegisQuebec. In the next column we added the changes required from Bill 64. Following the detailed instructions of each change from Bill 64 the next column has the “new” up to date language of both Acts. This version is how the law should read today, with all changes from Bill 64 incorporated. In the final column we created tags and keywords for every section so we could search by a variety of subject matter, i.e. consent or accountability or cross-border transfers, etc.
We then contributed these files to the Data Collaborative Alliance to post so anyone can access the new language easily. We are almost ready to launch the tool and will provide links when they are ready. As the final step, we cut and pasted each Act, section by section (new language from the column in the Excel spreadsheet) into a Word document and created PDF versions.
If you would like a document of the updated version of either of these two key privacy and data protection Acts, please email us at info@newportthomson.com, with the name of the Act you are looking for and we can send you the final PDF or even copies of the raw Excel files if you wish.
The Bill comes into force in three stages, one year apart. The first elements come into force in September 2022 – THIS YEAR! Quebec has prioritized accountability and transparency so appointing a Privacy Manager and implementing a Confidentiality Incident Reporting Plan are the the first elements coming into force. We are working with one of our trusted Automation providers to develop a Breach Registry so you can log all data breaches, large and small, which is one of the new requirements. You have 9 months. We have solutions. The clock is ticking…