Data Subject Protections Continue to Drive New Privacy Laws

October 13, 2021

Quebec’s Bill 64 was passed unanimously becoming the most recent example of the continued conveyor belt of regulations inspired by the EU General Data Protection Directive that focuses on new Data Subject protections.

Titled, “An Act to modernize legislative provisions as regards the protection of personal information”, the regulation was adopted unanimously, on the 21 September, 2021, and applies to all public and private organizations covered by Canada’s primary data protection law the Personal Information Protection and Electronic Document Act (PIPIEDA). The effective date is on the same date in 2022.

Among the Data Subject (individual) provisions included are:

• Enhanced consent and transparency obligations, requiring that individuals request a copy of any information in an organizations possession and that they be made aware of and be provided the right to opt-in to all uses of their information at their sole discretion.
• Introducing the “right to be forgotten,” which means individuals have the right to request their information be permanently deleted by an organization if there is no legal reason to retain it.

The new regulation also has teeth, moving away from an Ombudsman model where the regulator makes recommendations to organizations, it calls for the imposition of fines that include CA$50,000 for individuals and the greater of CA$10 million or 2% of the global turnover from the previous year for organizations. Where a violation constitutes an offence under the Act, fines may be imposed of up to CA$100,000 for an individual and $25 million or 4% for an organization global turnover of the previous year.