With it being September already, we’ve been busy advising clients on how to best prepare for the new Quebec private sector privacy law. There are lots of issues in the new law that are... well, a little murky. I think it will take some time for clarity to emerge and it will be interesting to see how the regulator approaches some of these issues.

One such provision is the so-called “privacy by default” provision. While we think we understand its purpose, how it may play out is something different. When you start looking at the details of various business practices, at what point are you willing to say you’ve done everything in as privacy-friendly a way of doing something? It’s virtually impossible to figure out the limits to this provision because you might always be able to say there was a more privacy-friendly way to go — and I think that might mean you just never do anything at all because it involves personal information. At least we have until next September 2023 to get a bit more clarity on this one!

Some of the provisions that come into force this month include simpler ones. For example, there’s the obligation to name a privacy officer and to provide their contact information on a public-facing website. And, not to mention, the data breach (or incident) provisions kick in later this month too.

All in all, they’ve given organizations a year to prepare so, hopefully, you’ve been able to do your due diligence and get your organization ready. While we still have a year before some of the murkier provisions come into play, I’ll keep advocating that we get as much clarity as possible from the regulator so that there’s less guesswork.

OK, enough for today. Get out there have a great long weekend.