On September 22, 2021, the Canadian province of Quebec enacted a new privacy law, which will impose obligations beyond what is currently required under Canada’s federal privacy law. Most of the new law’s requirements will take effect in September 2023, but some will take effect earlier (in 2022) or later (2024).
The law will apply to organizations based in Quebec, as well as to any collection of personal information that takes place in Quebec regardless of whether the organization is established in Quebec. Requirements under the law include new transparency and consent requirements, a requirement to appoint a privacy officer, data breach notification obligations, strict data deletion requirements, data access rights and rules regarding data portability and automated decision-making.
Quebec’s new law also will require privacy impact assessments for certain data processing. Notably, a privacy impact assessment will be required before transferring personal information outside of Quebec, including transfers to another Canadian province. These data transfer restrictions will further complicate an already challenging landscape for cross-border transfers.
Violation of the law could be costly because the law gives Quebec’s privacy regulator the ability to issue fines and penalties up to CA$10 million or 2% of the entity’s worldwide annual turnover for certain offenses and up to CA$25 million or 4% of worldwide annual turnover for other offenses. In addition, the law provides a private right of action, which could have a significant impact on consumer-driven litigation.
Quebec’s privacy regulator is expected to release information and tools to help organizations comply with the new law.