Bill 64 (Law 25): Are You Ready For The New Requirements Coming Into Force On September 22, 2022?

• Published date: 30 September 2022
• Subject Matter: Privacy, Privacy Protection
• Law Firm: Lapointe Rosenstein Marchand Melancon
• Author: Ms Nancy Cleman and Roxana Crihan

On September 22, 2022, several provisions of the Act to Modernize Legislative Provisions as Regards the Protection of Personal Information (hereinafter "Bill 64" or "Law 25"), which amends the Act Respecting the Protection of Personal Information in the Private Sector ("Quebec Privacy Law") will come into force.

New obligations include the requirement to have a Privacy Officer and to establish an incident response plan.

1. THE PRIVACY OFFICER

Any person carrying on an enterprise must designate in writing a person in charge of the protection of personal information (the "Privacy Officer"). If not designated, the position defaults to the person with the highest authority in the organization.

The Privacy Officer will be responsible for ensuring compliance with and implementation of the Amended Quebec Privacy Law. The Privacy Officer will be responsible for, among other things of : (1) managing personal information data; (2) establishing policies and practices governing the protection of personal information; and (3) enforcing these policies and practices within the organization; (4) establishing the roles and responsibilities of his or her team members; (5) implementing a privacy complaint process; (6) assessing privacy factors and risks for any proposed transmission or mailing of information; and (7) participating in the development of a privacy incident response plan. In short, it will coordinate the transition of the enterprise's internal practices to the new requirements of Bill 64.

The title and contact information of the Privacy Officer must be published on the Website or any other publicly accessible platform used by the enterprise, so that users can easily contact the Privacy Officer in case of any questions regarding the protection of their personal information.

2. PRIVACY INCIDENT RESPONSE PLAN

As of September 22, 2022, enterprises will have to update their privacy incident response plan and have an obligation to keep a register of confidentiality incidents.

Henceforth, the response plan will have to be applied when a confidentiality incident occurs, which is defined as one of the following four (4) situations:

"1' access not authorized by law to personal information;

2' use not authorized by law of personal information;

3' communication not authorized by law of personal information ; or

4' loss of personal information or any other breach of the protection of such information.¹"

All such confidentiality incidents must be recorded in the...