
Major upgrade and toughening of Quebec Personal Privacy Law

Jul 15th, 2020

By Frank M. Schlesinger

The Civil Code of Québec, in a chapter titled “Respect of reputation and privacy” (Articles 35-40), sets forth the basic provisions protecting the right to the respect of a person’s reputation and privacy and prohibiting invasions thereof other than in accordance with the law.

To support these few articles, Quebec enacted the Act Respecting the Protection of Personal Information in the Private Sector and other laws.

On June 12, 2020 the Government of Quebec tabled Bill 64, entitled Act to modernize legislative provisions as regards the protection of personal information which significantly amends the Act and other laws.

The purpose of this article is to discuss only the bill as it affects the private sector.

It is important for any enterprise which handles and deals with personal information, to be aware of the toughening up of the Act, particularly in terms of the addition of the right to sue for damages and the huge increase in possible fines and penalties as set forth below.

It is noteworthy that the responsibility of an enterprise is expanded to provide that the conditions and responsibilities apply “whether the enterprise keeps the information itself or through the agency of a third person”. Therefore, simply farming out the protection of personal information to a third party will probably not relieve the enterprise of responsibility.

Many of the provisions appear to be an attempt to bring Québec’s personal information protection into line with the GDPR (“General Data Protection Rules” of the European Union), the California Consumer Privacy Act (“CCPA”) and other statutes. An example of this is the provision that “the person exercising the highest authority” in the enterprise is responsible for ensuring that the Act is complied with. He may delegate the function of protection to a member of the enterprise’s personnel, who in effect becomes the personal information protection officer or Data Protection Officer for the enterprise. The name and title of this person and his contact information must be made public.

ASSESSMENT OBLIGATION

Enterprises are required to assess the privacy-related issues respecting personal information and to “establish and implement governing policies and practices regarding personal information that ensure the protection of such information”. In this author’s opinion, the use of the word “ensure” imposes the highest level of responsibility. Only superior force (“force majeure”) seems to be an excuse. It remains to be seen whether due diligence, as established in the Sault Sainte-Marie case, will continue to act as a defence. This appears doubtful.

(R. v. Sault Ste. Marie (City) [1978] 2 S.C.R. 1299 is a leading case of the Supreme Court of Canada which held that, as opposed to criminal cases where criminal intent or mens rea is required for a conviction, statutory liability or strict liability offences do not require such intent. However, the defendant may, in such cases, usually propose a defence of having exercised “due diligence”.)

INCIDENT NOTIFICATION REQUIREMENTS

If an “incident” (breach of personal information) presents a risk of serious injury, the enterprise must notify “La Commission d’Accès à l’Information” as well as any person whose personal information is concerned by the incident.

COLLECTING OF PERSONAL INFORMATION AND CONSENT

Unless the collection of personal information of a minor under 14 years of age is for his personal benefit, collection of information with respect to him requires parental consent; and with respect to all persons, information can only be collected for the purposes determined and declared before collecting it. The person is entitled to be informed of the purposes, how the information was collected, the right of access to the information, the right to withdraw his consent, and that the information collected may be communicated outside of Québec.

In the event technology is being used which would allow a person to be identified, located or profiled, the person must first be informed and must consent.

The enterprise’s website must, if applicable, contain a confidentiality or privacy policy.

As under the GDPR, the enterprise must ensure that the product or service provides the highest level of confidentiality.

This will require all enterprises collecting personal information to verify whether they need to upgrade their level of security in keeping with the assessment referred to above.

In the event the enterprise renders decisions based upon the automated processing of personal information, the enterprise must “at the time of or before the decision, inform the person concerned accordingly”.

Note that “No person may communicate to a third person the personal information he holds on another person, unless the person concerned consents to, or this Act provides for, such communication. The enterprise may communicate the information to a third party by written mandate where such mandate is required to perform the contract or services contracted for”. It is to be noted that this is a separate consent from the consent to collect the information.

As in GDPR, consent must be in clear and simple language, free and informed and given only for the specific purposes declared.

Note that specific consent is required to permit transfer of personal information outside Québec.

The Bill stipulates that once the purposes for which the information was collected have been achieved, the information must be made anonymous.

A person whose information has been collected is entitled to have the existence of the information confirmed and to receive a copy of it. If the information is inaccurate, incomplete or equivocal, or if its collection is not authorized by law, he may require that it be rectified.

There are exceptions in the Bill which permit dissemination of some personal information under strict circumstances, such as for research and similar reasons.

PENALTIES AND SANCTIONS

The Bill establishes monstrous administrative penalties for failure to provide the information required by the Act or for committing other faults violating the provisions of the Act.

The penalties under the Bill are enormously increased: the Commission may impose administrative penalties of a maximum of $50,000.00 in the case of an individual, and in all other cases the greater of 10 million dollars or an amount corresponding to 2% of worldwide turnover for the preceding fiscal year.

In the event of the commission of an offense under the Act, the fine will be $5000 to $15000 for an individual and, in all other cases, from $15000 to the greater of 25 million dollars or 4% of worldwide turnover in the preceding fiscal year.

DAMAGES TO THE VICTIMS

Finally, and also in keeping with the GDPR, “unless the injury results from superior force, a person carrying on an enterprise who keeps personal information is bound to compensate for the injury resulting from the unlawful infringement of a right conferred by this Act or by articles 35 to 40 of the Civil Code and, in the event of gross fault, to an additional award of punitive damages of at least $1000.”

In view of the severe nature of the offenses and the high level of security and diligence required, it behooves anyone handling personal information of a third party to take the necessary measures to avoid running afoul of the law. It is to be noted that the Bill may well be amended during parliamentary hearings. Furthermore, the Bill provides that most of its provisions will come into force only one year after the Act itself comes into force.