Do you know about the new Law 25, or perhaps Bill 64?
The bill was adopted on September 21, 2021, at the National Assembly of Quebec, fourteen months after its initial presentation. This means that the bill has been officially adopted and is ready to become law. An action plan was then proposed, and the actions to be completed will extend until September 2024. There will be three phases: the first will come into effect on September 22, 2022, the second on September 22, 2023, and the final one on September 22, 2024. The purpose of this law is to provide citizens with better control over their personal information. Therefore, it is now in effect for all companies.
What is Bill 64?
The Bill 64, better known as the Act modernizing legislative provisions relating to the protection of personal information, strongly recommends establishing stricter requirements for the protection of personal information, including increased requirements for protection, transparency, and consent for Quebec businesses.
This means that any company with a computer in its office must now protect all their information, under penalty of hefty fines if theft or other fraud occurs. In fact, Quebec has almost copied our European neighbors. For several years now, the European Union has had a General Data Protection Regulation (GDPR). So many of the proposed changes in Bill 64 have been influenced by this law.
Unfortunately, all small Quebec businesses are more likely to take the bait, as they generally do not have a “budget” for computer security. They will have no choice but to understand the requirements established by Bill 64 and comply with computer security rules. No matter what data your computer has access to, hackers want access, hoping we will take the bait! What they want is to stop your computer system and gain access to everything, even your banking information!
In 2022, all businesses are targeted by cyberattacks. Every year, we have a duty to be concerned. When we talk about anti-spam, antivirus, and firewalls, these are protection solutions that we must integrate into our systems. You can also apply restrictions for each individual on data in the systems to limit access. So, several options are available to you. From now on, we can no longer say that we didn’t know…
Here are the sentences suggested by the National Assembly of Quebec to begin the action plan:
The 3 phases will be divided as follows:
Suggested Action Plan for September 2022:
- Designate a personal information protection officer.
- Create or update policies and practices governing the governance of personal information.
- Implement a privacy incident registry and notification process.
- Maintain an inventory of the company’s personal information.
- Establish a personal information protection training program.
Suggested Action Plan for September 2023:
- Update policies and practices governing the retention, destruction, and anonymization of personal information.
- Implement a process for handling complaints related to personal information protection.
- Publish key elements of governance rules regarding personal information protection on the company’s website.
- Establish a Privacy Impact Assessment (PIA) policy and process for the processing of personal information.
- Implement a consent collection process for collecting, holding, using, or disclosing personal information.
- Implement a de-indexing process.
Suggested Action Plan for September 2024:
- Implement measures facilitating the right to data portability.
Therefore, one of the first important actions to take is to designate a personal information protection officer who will be responsible for compliance. And the employer must inform the Access to Information Commission in the event of a data breach.
By 2024, the Access to Information Commission (CAI) will have the power to impose penalties ranging from $50,000 CAD for individuals to $10,000,000 CAD for companies, or 2% of the worldwide revenue for the previous year, whichever is higher.
Depending on the nature of the offense, the CAI will have the power to initiate criminal proceedings with a maximum fine of $10,000 CAD for individuals and $25,000,000 CAD or 4% of worldwide revenue for corporations. In case of repeat offenses, the penalties will be doubled.
It will be important to know that as of September 2023, there will be changes to consent settings. This means that consent is always required to collect, hold, use, or disclose personal information. It must be explicit, free, informed, and given for specific purposes. The requirement for consent will be reinforced, as it must now be sought for each purpose, in clear and simple terms, and separate from any other information communicated to the data subject. Therefore, when a company wants to use or disclose sensitive personal information, consent must be clearly and precisely expressed. This implies that the individual takes an action to confirm their consent, such as checking a box. Personal information is considered sensitive when it is linked to a high degree of reasonable privacy expectation, such as a social insurance number or medical information.
Hoping that this Bill 64 or Bill 25 project gradually brings positive change to the company, as it is important to be aware of the impact this law will have on all businesses in Quebec. The right time to invest in cybersecurity is now!
But which term to use? There is clearly confusion between the term Bill 25 or Bill 64. But what is the difference? Quebec laws are not assigned numbers when they are adopted. However, they have a chapter number that corresponds to their order of adoption during the current year. Bill projects, on the other hand, are given a number corresponding to their order of presentation during a parliamentary session. Therefore, Bill 64 was the 25th project adopted by the general assembly during the year 2021. That is where the reference to the number 25 in the official compilation of Quebec Laws 2021 comes from. And you know what! To make it even more confusing, it refers to chapter 25. But it is highly likely that this number will refer to a different law in 2022, as a new law has just been adopted by the National Assembly!
That’s why, in my opinion, it is preferable to use the term “Bill 64” in reference to the number of the bill that preceded the adoption of the law. To keep it simple!
PointPub Media can assist you in these important steps. In order to have an outstanding security department, we can start by scheduling a meeting with the team. An action plan needs to be established before disaster strikes!