In September 2021, Quebec lawmakers enacted Bill 64. The Quebec data protection law is an omnibus legislative package that amends several discrete privacy laws in the province.
The amendments to the Private Sector Act will gradually come into effect in several steps over the following two years (the first amendments entered into effect in September 2022).
To ease the bill’s implementation, Quebec’s Data Protection Authority, the Commission d’accès à l’information du Québec (CAI), released a guidance manual.
Here are some of the most significant impacts Bill 64 will have on your business:
- Data Protection Officer Appointment (entry into effect: September 22, 2022): Businesses will be required to comply with certain administrative controls, which include naming a designated employee responsible for complying with the Private Sector Act. The Privacy Officer is tasked with ensuring that the organization complies with the obligations imposed by the Act and will be responsible for addressing access to information requests, requests for the correction of personal information, and questions or complaints concerning the handling of personal data (similar to article 39 of the GDPR).
- Data Breach Reporting (entry into effect: September 22, 2022): As soon as a business has reason to believe a data breach occurred, it must notify the CAI and individuals of any breach of personal information that presents a “risk of serious injury” to the affected individuals (similar to articles 33 & 34 of the GDPR).
- Disclosures to Third Parties (Vendors): Similar to the GDPR, a business must disclose any transfer of personal (consumer) data to a third party (vendor). Bill 64 adds that a business will also be required to inform the individual of the names of the third parties to whom the information collected will have to be communicated to fulfill the purposes for which it was collected.
- Exceptions to Consent Requirement (entry into force: September 2022): Québec will be aligned with other private sector laws in Canada permitting disclosure of personal information for a “business transaction” such as a merger, acquisition, or sale of a substantial aspect of the business.
- Consent Mechanism Requirement (entry into force: September 2023): Quebec’s consent rules closely align with similar requirements under the EU GDPR. When collecting personal information (and subsequently upon request), businesses must inform individuals about the purpose for which the information is collected, how the data is collected, and individuals’ right to access and rectify the information, and notify users of the possibility of the information being transferred out of Quebec.
- Collecting Sensitive Data (entry into force: September 2023): Businesses must obtain express consent before using sensitive personal information.
- Minors’ Data (entry into force: September 2023): Consent from minors under 14 must be obtained through a parent or legal guardian.
- Website Privacy Policy (entry into force: September 2023): As under the GDPR and CCPA, businesses under Bill 64 must establish, implement, and publish policies and practices that describe how organizations govern the use of personal information. Organizations must publish these policies on their website.
- Privacy by Design (entry into force: September 2023): Bill 64 requires a Privacy by Design implementation (similar to article 25 of the GDPR): businesses must configure individuals’ privacy settings for products or services to offer the highest level of confidentiality and privacy.
- Data Privacy Impact Assessment (entry into force: September 2023): Businesses will have to conduct DPIAs regarding any upgrades, acquisitions, or developments of the company’s IT infrastructure or digital products.
- The Right to be Forgotten (entry into force: September 2023): Individuals have the right to be forgotten. If requested, an enterprise must cease disseminating information about a person or de-index any hyperlinks about that person.
- Automated Decision Making (entry into force: September 2023): Individuals must be informed when an automated decision has been made about them and of their rights to access or rectify the underlying personal information.
- Individual’s Data Protection Rights (entry into force: September 2024): Bill 64 expressly codifies rights similar to those offered under GDPR, including the rights to erasure (otherwise known as deindexation) and portability.