Bill on the Protection of Personal Information 64 passed by the National Assembly this week should act as an electric shock to foreign companies collecting such data on Quebec and Quebec soils. Quebec gives their management two years to make sure they are not sinned, otherwise the penalties they face could suffer.
Companies that are considered guilty of misrepresenting the personal information of their customers or employees will soon be charged. The bill imposes a minimum fine of $ 1,000 on the victim in the event of a civil lawsuit, and a fine of up to $ 25 million or the equivalent of 4% of their global annual income – whichever is higher. This last penalty is double if the company repeats the offense. The maximum fine so far is $ 20,000.
“This is a law with teeth,” promises Me Caroline Deschênes, a partner at law firm Langlois. Mee Langlois followed its evolution from the inception of the bill. “I do not know of any precedent for such a minimum sentence. Quebec already welcomes class action, and this law makes it even more attractive.”
The burden on businesses
In addition to Quebec companies and organizations, foreign companies doing business in Quebec will be subject to the new law, said Eric Kair, Minister of Information Access and Protection of Personal Information in Quebec.
For example, the new Quebec law applies if a new data breach occurs within a foreign company, similar to the one that occurred in 2019 on the US Bank Capital One page. The same goes for cases like Clearview AI, an American company that has no official presence in Quebec, but it experienced data breaches in 2020 that included the personal information of Quebecs.
Small businesses may find this increased responsibility somewhat difficult, the minister agrees. Among the highlights of the new law is the obligation to appoint the person responsible for the protection of this information for themselves and for public organizations that collect personal information. This role can be outsourced, but otherwise the top manager gets it by default.
“Actually, the responsibility and accountability of companies has greatly increased, but it is desirable,” Le Devir ric Caire said. “Imagine wanting to open a bank. Digital offers a lot of possibilities, but it comes with its challenges and data security is one of them.”
Bill 64 is unclear on the transfer of personal information about Quebec’s customers outside of Quebec by the company. The legislation structure recognizes relocation as “sufficient”, but does not cite an example. This is a compromise, Eric Cairo agrees to prevent the law from being too restrictive. “We need to have limited transfers only to countries in Europe,” he said. The final words will help transfer data to sites in the United States, for example, the service agreement for hosting this data overseas contains clauses confirming this agreement to Quebec law.
An example of a standard contract to facilitate the work of the companies involved is Mr. Khair promises soon.
The Quebec Act 2016 was inspired by the GDPR adopted by the European Union. This includes the need to consult or destroy information about a person if the collection is not authorized or if it meets the requirements required. Once companies have played their part in the service provided, they reserve the right to delete or anonymize their personal data in addition to their obligations to do so.
Companies are also obliged to immediately report to the Information Commission Access (CAI) and any leaks of data held by those individuals may be affected. Quebec and British Columbia are the only two regions in North America so far that have not forced such a mechanism.
However, Quebec stands apart from Europe, and individuals can collect information about them by insisting on the express consent of individuals, even if these individuals are employees of the company. Bill 64, however, introduces some flexibility. In some transactions, for example, if the customer decides to do business with the company again, or if the company is subject to acquisition by another company, the consent of the individual is granted.
Finally, the information access committee will have to monitor the new arrangements. Quebec promises to have increased resources that will allow it to accomplish this task adequately.