About three weeks ago, the Quebec government signed into law their new private sector privacy legislation. I was waiting for them to publish it before writing about it in any detail, but it’s taking them too long and I’m impatient. It’s actually a pretty big deal in Canada and will probably have a domino effect in terms of seeing other jurisdictions move to update their laws too. Regardless of whether you’re in Quebec, this law will likely impact your work in some way.
Here are a few key elements of the new law that will come into force in stages beginning in September of next year:
- Accountability: Making the person with the highest level of authority in a business (e.g., the CEO) accountable for compliance.
- Privacy management program: Organizations will have to implement and publicize a suite of policies and procedures, and, importantly, will have to demonstrate they are being followed.
- Privacy by default: Setting default privacy settings for technological products or services to the most privacy-preserving level. Specifically, organizations will need to deactivate profiling, tracking or identification technology until individuals expressly opt in.
- PIAs will be mandatory: A report that addresses privacy risks will be necessary for (i) any IT or digital projects businesses upgrade, acquire or develop; (ii) out-of-Quebec transfers; or (iii) disclosure of personal information for research purposes without consent.
- Data breach notification: Logging breaches that carry a risk of serious harm and reporting them to the Commission d’accès à l’information, Quebec’s data protection authority, and affected individuals or third parties where appropriate “with diligence.”
- New GDPR-like rights: The rights to erasure, de-indexing and portability are expressly codified.
- Automated decision-making: Informing individuals when an automated decision has been made about them, and explaining their rights to access or rectify the underlying personal information, get information on how the decision was made, or have the decision reviewed by someone who can change it.
- Biometrics: Notifying the CAI at least 60 days in advance of launching a biometric system or bank (previously there was no deadline) and notifying the CAI before using biometrics to identify or verify individual identities.
- Consent: Obtaining GDPR-level consent, unless an exception applies.
And, of course, with new laws in the land comes more privacy work and we know there’s more than enough of that to go around in this sector! If you’re on LinkedIn, you must be noticing all the super cool privacy jobs being posted every day. I, for one, find it really exciting to see.
One role within Canada I think will be interesting to watch isn’t in Quebec, but in another Canadian province — the Assistant Commissioner, Tribunal and Dispute Resolution position at the Information and Privacy Commissioner of Ontario. They’re actively recruiting right now and, gauging from the title and paycheck that goes with it, whoever takes it on will be in a pretty influential and action-packed role, especially as Ontario moves forward in the private sector.
Anyway, privacy is clearly a pretty great career and one that keeps us all on our toes. For more great privacy jobs, as always, we encourage privacy pros to visit the IAPP’s Job Board. You can also get privacy job postings delivered right to your inbox every weekday by subscribing to the Daily Dashboard.
Bonne fin de semaine tout le monde! Have a great weekend.