Keeping Up With Québec: What Québec’s new privacy legislation means for your business

Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, came into force on September 22nd, 2022, and sets out new requirements for private sector organizations that operate in Québec or have Québec consumers. This is particularly important for online gaming companies that operate solely in Québec or across Canada. This article summarizes the notable changes in force as of September 2022 and their implications for companies that may be affected.

Notable New Requirements as of September 2022

Organizations that have access to and process Québec residents’ personal information are now required to: 

  • Appoint a privacy officer;1
  • “Promptly”2 inform Québec’s privacy authority, the Commission d’accès à l’information (“CAI”), and an affected individual of any security breach (referred to as a “Confidentiality Incident” in the legislation) that presents a “serious risk of harm” to the individual;3
  • Maintain a ledger of all Confidentiality Incidents for 5 years after becoming aware of a Confidentiality Incident4; and, 
  • Notify the CAI of any biometric systems that it uses or may use at least 60 days before they are put into place.5

Moreover, organizations no longer need an individual’s consent to disclose their personal information in the context of a commercial transaction. However, a written agreement must be in place between the two organizations. This agreement has to state that the receiving organization must:

  1. use the personal information only for the purposes connected to the commercial transaction; 
  2. ensure protection of the personal information;
  3. destroy the information if the personal information is no longer necessary, including if the commercial transaction is not completed; and 
  4. not communicate the information to other parties without the consent of the individual.6

Analysis

The requirement for organizations to appoint a privacy officer is an important step for accountability. Companies that have Québec customers now must publish on their websites the title and contact information of the person in charge of protecting customers’ personal information.7 Companies can no longer have general portals for Québec users to address their privacy concerns. This change brings Québec’s privacy legislation in line with the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), which requires companies to clearly delineate who is responsible for the organization’s privacy compliance.8

Québec’s new requirements for reporting Confidentiality Incidents now make Québec the most stringent across Canada’s various privacy statutes. Federally and in Alberta, organizations must maintain records for security breaches for 2 years after the occurrence of a Confidentiality Incident9, while Québec currently requires organizations to maintain such records for 5 years. Currently, if an organization has customers across the country, that organization needs to be aware of the different standards for security breaches depending on where an affected individual resides in Canada.

Given the rise of mobile gambling apps, the new requirement for biometric systems is significant and valuable. As more gaming companies try to make their services more accessible to consumers, they will need to be cognizant of their use of biometric information, such as facial recognition, that may be utilized on customers’ smartphones. If these companies collect, process and use such facial recognition technology for Québec customers, they will need to be aware of the requirement to inform the CAI of their use of the biometric system at least 60 days before its implementation.

Lastly, consent of Québec residents is no longer required if their personal information will be disclosed as part of a commercial transaction (subject to the contractual requirements outlined above). Since the gaming industry will likely continue to see sales, mergers and acquisitions, and consolidations between companies, this new requirement reduces a barrier for companies that may want to transact with companies that operate in Québec or have Québec customers.

More changes are expected to come into force in 2023 and 2024, such as disclosure10 and consent11 requirements when disclosing an individual’s personal information to third parties, collecting personal information through automatic processing,12 and data portability.13 Companies operating in Québec should note that the Québec privacy regime will continue to change over the next two years and plan their privacy management systems accordingly.

If you would like to discuss your company’s privacy management systems or privacy policy, contact us HERE or reach out directly to zack@gmelawyers.com or jack@gmelawyers.com.

1 Bill 64, Section 103 (page 35)

2 Regulation respecting Confidentiality incidents (“the Regulation”), Section 4 (page 2)

3 See Bill 64, Section 103 (pages 35-36)

4 The Regulation, Section 8 (page 3)

5 Bill 64, Section 81 (page 30)

6 See Bill 64, Section 115 (page 42)

7 See note 1

8 See Personal Information Protection and Electronic Documents Act (“PIPEDA”), SC 2000, c5, Schedule 1, section 4.1

9 See PIPEDA, section 10.1(1) and section 10.1(3); and Personal Information Protection Act, SA 2003, c P-6.5, section 34.1

10 Bill 64, Section 107 (page 37)

11 Bill 64, Section 110 (page 39)

12 Bill 64, Section 109 (page 39)

13 Bill 64, Section 120 (page 46)
