Part 1 | Privacy 101 – Obligations Under Québec’s New Act 25: Why your business needs a privacy officer now
This podcast series, intended for private sector companies doing business in Québec, dives into the requirements of Act 25 coming into force on September 22, 2022. Candice Hévin and Marie-Eve Jean, from our Privacy & Data Protection Group, lead the discussions on the changes to the private sector regime, namely the amendments to the Act respecting the protection of personal information.
In this episode, learn why your business needs a privacy officer, how to properly delegate this role, and what can happen if you don’t comply.
Please note that the following provides only an overview and doesn’t constitute legal advice. Listeners are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
Transcript
Marie-Eve Jean: Hello, and welcome to Privacy 101 – Obligations under Act 25, a series of podcasts designed to assist you in preparing to comply with Québec’s new privacy legislation.
Candice Hévin: I am Candice Hévin.
Marie-Eve Jean: And I am Marie-Eve Jean.
Candice Hévin: We’re both lawyers at McMillan LLP. We work together as a team to help businesses operating in Québec achieve compliance with Québec’s privacy legislation.
Marie-Eve Jean: To give you some context, Québec adopted a new law on September 22, 2021. Bill 64 aims to modernize the privacy framework for both private and public sector regimes. This series focuses on the changes to the private sector regime, namely the amendments to the Act respecting the protection of personal information in the private sector; we will refer to it as Act 25. Act 25 introduces new obligations for organizations doing business in Québec.
Candice, could you give us some more insight on how the Act applies?
Candice Hévin: Yes of course. The legislator has taken an expansive view of how the Act applies. If an organization collects, uses or discloses personal information of individuals located within Québec, the Act likely applies to the organization’s handling of personal information, even if the organization does not have an office, facilities or installations in Québec, as long as it targets Québec.
In terms of timing, requirements will come into effect in three phases throughout the next three years. Although the majority of the new requirements will take effect as of September 22, 2023, some key requirements will take effect this year, as of September 22, 2022. A few requirements will finally also take effect as of September 22, 2024. Before we dive into the first noteworthy requirement as of September 2022, we want to take a moment to address the importance of complying with Act 25. We can see that the Québec legislator has taken privacy rights seriously and wants to ensure compliance. How can we tell?
Marie-Eve Jean: Simply by taking a look at the mechanisms that have been elaborated to ensure compliance with the Act. We’ve got:
- reformed complaint and investigative procedures, that will largely take effect as of September 2022,
- administrative monetary penalties enforced by the CAI – up to $10 million or 2% of an organization’s worldwide turnover,
- penal offences with significant fines – up to $25 million or 4% of an organization’s worldwide turnover; amounts doubled for subsequent offences,
- private right of action allowing individuals to sue an organization for damages.
All compliance mechanisms will take effect as of 2023, aside from the reformed complaint and investigative procedures that will take effect as of September 2022.
Candice Hévin: So we can see here that the legislator wants to be reasonable and give companies time to adjust and comply with new requirements. That said, companies should ensure compliance by 2023 to avoid any risk of being handed these serious fines.
Marie-Eve Jean: Alright so now that we have laid out the basics, let’s talk about the first important requirement that will take effect as of September 22, 2022, which is your obligation to appoint a Privacy Officer. And again, just to make sure we are all on the same page, when we are talking about you, we mean any companies operating in Québec. So if you operate a company in Québec, you have to appoint a Privacy Officer before September 22, 2022. That’s coming up very quickly. What’s a Privacy Officer?
Candice Hévin: It’s basically a person within the organization that is responsible for the protection of personal information and ultimately, to comply with Québec’s privacy framework under Act 25. Here’s the catch. Under the Act, the person in the organization with the highest authority is de facto the Privacy Officer, or, as stated in the act, the “person in charge of the protection of personal information”. That means that your CEO or President will be the Privacy Officer.
Marie-Eve Jean: Now Candice, are we talking at the provincial, national or international level?
Candice Hévin: There’s no clear guidance on this yet, but based on our interpretation, if a company operates on the national scale or international scale, the person with the highest authority would be the CEO or President of the Canadian entity of the company, except when data from Québec is processed and used by the international entity. If your company only operates in Québec, then it is simply the CEO or President of your company.
Marie-Eve Jean: Alright so now we know what a Privacy Officer is and we know that, by default, the CEO or President of the Company must assume this role.
Candice Hévin: There’s another twist. The CEO can delegate the duties associated with this role to any other person. They can delegate all of the duties or only some of them, and they can delegate duties to one or more people internally or externally.
Marie-Eve Jean: Now when we say externally, we’re talking about engaging a qualified external professional advisor specifically for this role. Note that this delegation of duties must be done in writing by the CEO or President. We’ve mentioned the Privacy Officer’s duties a few times now in the last minute. So what are those? The Act provides many duties for the Privacy Officer, but overall, the Privacy Officer has the responsibility to ensure the organization’s compliance with the Act, handle any access and rectification requests and address any questions or complaints concerning the processing of personal information.
Candice Hévin: Last important thing to note, you have to post the Privacy Officer’s title and contact information on your website. This doesn’t mean that the company has to publish the Privacy Officer’s work email address for the entire world to see and contact. The best way to avoid a flood of privacy-related emails in your Privacy Officer’s inbox is to create a separate address for privacy-related inquiries and post that email address on the website.
So that concludes our first podcast episode. We have several other tips and tricks relating to appointing your Privacy Officer so don’t hesitate to reach out to us. We also have significant experience in developing and tailoring Privacy Officer delegations to fit companies’ needs, so we would certainly be pleased to assist your business in developing yours.
Marie-Eve Jean: Make sure to tune in for our next episode, where we’ll dive into your obligations surrounding data breaches, or, confidentiality incidents as they are called under Act 25. This is Marie-Eve Jean.
Candice Hévin: And Candice Hévin.
Marie-Eve Jean: Of McMillan LLP. It’s been a pleasure recording for you!