MONTREAL -- Companies have two years to comply with the provisions of Quebec's Bill 64, which governs the protection of personal information.

By adopting a "law with teeth," Quebec politicians say they are warning that negligence will no longer be tolerated when it comes to personal data management.

"A 'culture of negligence' had developed in some organizations regarding the collection of personal information," said Éric Caire, the government's minister for digital transformation.

The law on access to information, which had not been updated since the 1970s for public bodies and since the early 1990s for the private sector, needed a dusting off, he added.

The massive theft of Desjardins Group's member data, revealed in the spring of 2019, demonstrates the consequences of the shortcomings surrounding the management of personal data, he said.

"Collecting personal information is something extremely serious, which brings a responsibility that must be taken seriously," insists the minister.

The magnitude of the penalties demonstrates this seriousness, said Caire. Administrative sanctions could reach two per cent of the world's turnover or $20 million.

For criminal penalties, which are intended for the most serious cases, it will be up to a judge to determine the amount, but the law provides for up to four per cent of sales or $25 million.

For small business owners, Caire says the Commission d'accès à l'information (CAI), which will be responsible for enforcing Bill 64, will take into account the ability of businesses to pay their penalties.

The administrative sanctions imposed on offending small businesses will not be the same as those imposed on large corporations, he noted; the goal is not to bankrupt a company.

In addition to holding executives accountable, Bill 64 provides for the "express" consent to use Quebecers' personal data.

If a company wants to use data for another purpose, it must seek consent again.

The law also includes a right to erasure or a right to be forgotten, which allows users who see embarrassing personal information circulating on the web to request that it be removed. Information of public interest, however, will not be taken down.

"Bill 64 will not prevent the theft of data by malicious hackers," said Caire. "There is no such thing as zero risk, but it will be more complicated."

Companies that comply with the standards and guidelines issued by the CAI will not be subject to a penalty if they are the victim of an attack and demonstrate that they have managed data collected according to the rules.

Citizens will still have the right to take collective action.


Quebec says it is giving itself two years to implement Bill 64 and allow the CAI time to prepare for the implementation of its new powers and the recruitment of technological experts.

It must also issue standards and guidelines for companies to follow, which are yet to be determined.

"We want to give everyone time to understand the law," said Caire.

While waiting for these standards and guidelines, there is still "uncertainty," said Francis Bérubé, senior analyst at the Fédération des chambres de commerce du Québec (FCCQ), adding a great deal of communication and support will be needed.

Caire insists the CAI will work to "clarify and simplify" things to avoid any ambiguity.

Preparing for the new legislation could be a daunting task for small businesses, adds Charles Milliard, president and CEO of the FCCQ.

A survey conducted by the organization in June shows that four out of 10 businesses do not understand the impact of Bill 64 on their operations.

"We believe that small businesses do not have the legal and technological resources to fully understand all the issues at stake during this period," said Milliard.

CAI and businesses will also find themselves competing to hire data management experts in a labour shortage environment, he continued.

"We're afraid there's not enough expertise on the ground to get this right in the time frame that's available," he said.

Caire acknowledges that Bill 64 may bring some difficulties for businesses, but he feels the need to protect privacy justifies it.

"The burden is proportional to the value of the asset. They have to understand that," he said. "I understand that it's annoying when things change along the way. I tell them to go and ask the citizens who have had their personal information stolen what it means to them."

-- This report by The Canadian Press was first published in French on Sept. 27, 2021.