New Quebec legislation on the protection of personal information comes into force
In September 2024, a new data portability right will come into effect. This right allows an individual to request that his personal information “collected from them be communicated to him (or to another organization designated by the individual) in a structured and commonly used technological format”, that is to say, shared with another supplier. “This way, consumers can easily retrieve their data and do business with someone else,” Gratton explains.
Penalties and rigors
The penalties for infractions are high and among the most severe in the world. Administrative penalties for violations would be $50,000 per person, Bernier says, and for businesses up to $10 million, or 2% of global revenues, whichever is greater. Criminal penalties are even heavier: 4% of an organization’s overall gross revenue in the fiscal year preceding the one in which the organization is convicted, or $25 million, whichever is greater, and $100,000 per individual.
The sanctions were “inspired by the GDPR,” or the EU’s General Data Protection Regulation, explains Bernier.
But some of the requirements are more stringent than those required by the GDPR, Gratton says. For example, for cross-border transfers of information: under the new law “there is an obligation to systematically carry out an assessment of factors related to privacy each time personal information is communicated outside Quebec”. However, “the nature, scope and content of this assessment lacks certainty and predictability, as it would require companies to systematically assess broad and open concepts such as the ‘legal framework’ of a foreign jurisdiction and the ‘principles’ generally accepted data protection policies”. “These can have a broad meaning that can change over time,” she says.
“It also raises concerns about whether there is a need to regularly monitor developments in a foreign jurisdiction to ensure that [personal] information continues to benefit from adequate protection.” It would have been better to have had a regime limiting cross-border transfer requirements to high-risk transfers involving particularly sensitive information, she said.