Quebec CEOs will need to serve as default privacy officers under Bill 64

3 minute read
07 September 2022

As of Sept. 22, 2022, those conducting business in Quebec must comply with the first set of obligations pursuant to the Bill 64 amendments to Quebec's Act respecting the protection of personal information in the private sector ("Quebec Privacy Act" or "Law 25").  This is the first in a series of articles on the forthcoming Sept. 22, 2022 requirements.

Has your CEO been advised that by default, the person with the highest authority within an organization acts as the person in charge of the protection of personal information and is responsible for compliance with the Quebec Privacy Act? It is important for organizations familiar with the federal private sector privacy legislation, PIPEDA, to note that this default to the person with highest authority departs from the existing PIPEDA requirement to designate a person responsible for compliance. Nevertheless, the Quebec Privacy Act provides that this role may be delegated, in whole or in part, in writing to any person. Irrespective of the size of your company, the industry you operate in or the nature and volume of personal data collected, you will want to ensure that formal documentation is in place to effect the appointment of the company's new privacy officer as that person's Contact information will need to be published on the organization's website.

Penalties for non-compliance are both severe and unprecedented in Canada. Companies may be liable for penal fines of up to $25M (or, if greater, the amount corresponding to four percent of worldwide turnover for the preceding fiscal year). The amount of monetary administrative penalties imposed on a company could be up to $10M, or, if greater, two percent of worldwide turnover for the preceding fiscal year. The Quebec Privacy Act also introduces a minimum $1,000 award in punitive damages for infringements that cause harm and are intentional or result from a gross fault.

Should you have any questions on how these changes affect your business, please feel free to contact the authors and members of our Quebec Cyber Security & Data Protection Group.

NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.