Québec's Bill 64Québec’s Bill 64 – What Businesses Need to Know Now

Québec’s Bill 64 – What Businesses Need to Know Now

In Canada, the main laws governing personal data protection and privacy at the federal level are the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act. On November 17, 2020, the former Minister of Innovation, Science and Industry, Navdeep Bains, introduced An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts (Bill C-11, or the Digital Charter Implementation Act) for consideration in the House of Commons. Bill C-11 was slated to update Canada’s private-sector data privacy laws. However, it died on the Order Paper in August.

While efforts to enact reforms at the federal level have been halted for the moment, businesses should still be keeping a close eye on what is happening at the provincial level.

On September 22, 2021, Québec’s An Act to modernize legislative provisions as regards the protection of personal information (Bill 64) received royal assent in the National Assembly of Québec. Octillo will continue to monitor these provisions to Québec’s new privacy law and will provide updates prior to the effective date. With broad implications and with substantive provisions becoming effective in 2022, 2023, and 2024, private-sector businesses should take proactive steps to prepare for Québec’s new privacy law starting now.

Here are some of the important changes to be aware of:

Provisions effective starting September 22, 2022:

Designation of the Person in Charge of the Protection of Personal Information

Section 95 of Bill 64 adds Section 3.1 to Québec’s Private Sector Act.

By default, the person exercising the highest authority in a business, such as the chief executive officer, will be the person in charge of the protection of personal information. This responsibility may be delegated to another person, and that person’s title and contact information must be posted on the website of the business.

Confidentiality Incident Notifications to the Commission d’accès à l’information (CAI).

Section 95 of Bill 64 adds Sections 3.5-3.8 to Québec’s Private Sector Act.

Bill 64 defines a “confidentiality incident” as: (1) access not authorized by law to personal information; (2) use not authorized by law of personal information; (3) communication not authorized by law of personal information; or (4) loss of personal information or any other breach in the protection of such information.

Businesses must promptly notify the CAI about confidentiality incidents that “present a risk of serious injury” and must also notify any person whose personal information is concerned in such an incident.

The determination of a “risk of serious injury” depends on certain factors, such as “the sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes.”

Businesses must also keep a register of all confidentiality incidents for the CAI upon request.

Changes Concerning Personal Information in Commercial Transactions

Section 107 of Bill 64 adds Sections 18.3-18.4 to Québec’s Private Sector Act.

Bill 64 defines a “commercial transaction” as involving:

  • the alienation or leasing of all or part of an enterprise or its assets;
  • a modification of its legal structure by merger or otherwise;
  • the obtaining of a loan or any other form of financing by the enterprise; or
  • the obtaining of a security taken to guarantee any of its obligations.

When necessary for concluding a commercial transaction, businesses may communicate personal information without the consent of the person concerned. However, prior to such transactions, businesses must enter into an agreement ensuring that the other party will only use the information for concluding the commercial transaction, will not communicate the information without consent, will take measures required to protect the confidentiality of the information, and will destroy the information if the transaction does not go through or if the information is no longer necessary.

Please note that the new Section 18.4 on entering into an agreement prior to such transactions becomes effective in 2022, while the new Section 18.3 becomes effective in 2023.

Changes Concerning Personal Information in Research Studies

Section 110 of Bill 64 amends Section 21 of Québec’s Private Sector Act.

When using the information for study or research purposes or to produce statistics, businesses may communicate personal information without the consent of the person if a privacy assessment concludes that:

  • the objective can only be achieved if the information is communicated in a form allowing the persons concerned to be identified;
  • it is unreasonable to require obtaining consent;
  • the objective outweighs with regard to the public interest;
  • the personal information is used in such a way to ensure confidentiality; and
  • only necessary information will be communicated.

Businesses wishing to use personal information in studies and research must request in writing and enclose several other pieces of required materials/information. If applicable, businesses must also describe the different technologies to be used. If applicable, businesses must also send documented decisions of a research ethics committee.

Bill 64 also lists several requirements that businesses must work into an agreement with the persons or entities receiving the personal information.

Provisions effective starting September 22, 2023:

Governance Policies and Practices Regarding Personal Information

Section 95 of Bill 64 adds Section 3.2 to Québec’s Private Sector Act.

Businesses must establish and implement governance policies and practices regarding personal information. Such policies must provide a framework for the keeping and destruction of the information, define the roles and responsibilities of the members of its personnel throughout the life cycle of the information, provide a process for dealing with complaints, be proportionate to the nature and scope of the business, and be approved by the person in charge of the protection of personal information.

Businesses must publish detailed information about these policies on their websites in simple and clear language.

Privacy Assessments

Section 95 of Bill 64 adds Sections 3.3-3.4 to Québec’s Private Sector Act.

Businesses must conduct privacy assessments for the acquisition, development, or overhaul of information or electronic service delivery systems involving the collection, use, communication, keeping, or destruction of personal information.

The person in charge of the protection of personal information may suggest measures such as:

  • the appointment of a person to be responsible for implementing the personal information protection measures;
  • measures to protect the personal information in any document relating to the project;
  • descriptions of the project participants’ responsibilities regarding the protection of personal information; or
  • training activities for project participants on the protection of personal information.

Privacy assessments must be conducted proportionately to the sensitivity of the information concerned, the purposes for which  the information will be used, the quantity and distribution of the information, and the medium on which it is stored.

Personal Information Concerning Minors Under 14 Years of Age

Section 96 of Bill 64 replaces Section 4 of Québec’s Private Sector Act.

Businesses may not collect personal information concerning a minor under 14 years of age without parental or tutor consent unless collecting the information is clearly for the minor’s benefit.

Necessary Purposes

Section 97 of Bill 64 amends Section 5 of Québec’s Private Sector Act.

Any person collecting personal information on another person may collect only the information necessary for the purposes determined before collecting it.

Source of the Personal Information

Section 98 of Bill 64 amends Section 7 of Québec’s Private Sector Act.

Any person collecting personal information from another person carrying on an enterprise must, at the request of the person concerned, inform the latter of the source of the information.


Section 99 of Bill 64 replaces Section 8 of Québec’s Private Sector Act.

When collecting information and upon request, businesses must provide, in clear and simple language, the purposes of collection, the means of collection, the rights of access and rectification under law, and the right to withdraw consent.

Persons concerned may also request the categories of persons who have access to the information within the business, the duration of time the information will be kept, and the contact information of the person in charge of the protection of personal information.

Businesses must also inform individuals of any collection of personal information using a technology that includes functions allowing the individual to be identified, located, or profiled and the means available to deactivate such functions.

Businesses collecting personal information through technological means must publish on their websites a confidentiality policy in clear and simple language.

Any person who provides his or her personal information in accordance with this new Section 8 of Québec’s Private Sector Act consents to its use for the stated purposes.

Section 102 of Bill 64 replaces Sections 12-14 of Québec’s Private Sector Act.

Unless the person concerned gives his or her consent, personal information may not be used within the business except for the purposes for which it was collected. Such consent must be given expressly when it concerns sensitive personal information.

Personal information may, however, be used for another purpose without consent, but only if:

  • its use is necessary for preventing and detecting fraud or assessing and improving protection and security measures;
  • its use is necessary for providing or delivering a product or providing a service requested by the person concerned;
  • its use is necessary for study or research purposes or to produce statistics and if the information is de-identified.

Privacy by Default

Section 100 of Bill 64 adds Section 9.1 to Québec’s Private Sector Act.

Businesses that collect personal information when offering a technological product or service must ensure that the parameters of the product or service provide the highest level of confidentiality by default, without any intervention by the person concerned.

Automated Decision-Making

Section 102 of Bill 64 replaces Sections 12-14 of Québec’s Private Sector Act.

Businesses that use personal information to render a decision based exclusively on automated processing of such information must inform the person concerned accordingly and not later than at the time it informs the person of the decision.”

The person concerned must be given the opportunity to submit observations to a member of the business who is in a position to review the decision.

Third Parties

Section 102 of Bill 64 replaces Section 12-14 of Québec’s Private Sector Act.

No person may communicate to a third person the personal information he holds on another person, unless the person concerned consents to, or this Act provides for, such communication. Such consent must be given expressly when it concerns sensitive personal information.

Cross-Border Data Transfers

Section 103 of Bill 64 replaces Section 17 of Québec’s Private Sector Act.

Before communicating personal information outside Québec, businesses must assess privacy-related factors. They must consider:

  • the sensitivity of the information;
  • the purposes for which it is to be used;
  • the protection measures, including those that are contractual, that would apply to it; and
  • the legal framework applicable in the State in which the information would be communicated, including the personal information protection principles, apply in that State.

The information may be communicated if the assessment establishes that it would receive adequate protection, in light of generally recognized principles regarding the protection of personal information.

Destruction of Personal Information

Section 111 of Bill 64 replaces Section 23 of Québec’s Private Sector Act.

Where the purposes for which personal information was collected or used are achieved, businesses must destroy or anonymize the information, subject to any preservation period provided for by an Act.


Section 113 of Bill 64 replaces Section 28 of Québec’s Private Sector Act.

The person to whom the personal information relates may require a business to cease disseminating that information or to de-index any hyperlink attached to his name that provides access to the information by a technological means if the dissemination of the information contravenes the law or court order.

This new section lists several situations in which hyperlinks may be re-indexed.

Provisions effective starting September 22, 2024

Copies of Personal Information Upon Request

Section 112 of Bill 64 amends Section 27 of Québec’s Private Sector Act.

Businesses must, upon request, confirm the existence of personal information, communicate it in a structured and commonly used technological format, and allow people to obtain copies of their personal information.


Many of the provisions of Québec’s new privacy law do not become effective until 2023 and 2024. However, there are a few notable provisions that become effective starting on September 22, 2022. Octillo continues to monitor this area and will provide updates as the effective date approaches. Our Compliance Team recommends that businesses both within and outside Québec’s, take proactive steps to prepare for the full implementation of Bill 64 starting now, especially now that there will be new enforcement and penalties regime.

*Attorney advertising: prior results do not guarantee similar outcomes.

Subscribe to our newsletter.


Data Security and Privacy Due DiligenceData Security and Privacy Must Play a Part in M&A Due Diligence

Data Security and Privacy Must Play a Part in M&A Due Diligence

In the past, acquiring companies engaged in M&A activity paid little attention to a target company’s data security & privacy (DSP) posture during due diligence. The acquiring companies learned that their failure to fully evaluate the target company’s DSP posture led to the target company inheriting more work than ever anticipated. These risks manifested in two costly areas: undisclosed cybersecurity incidents (which could lead to costly litigation and negative publicity), and poor cybersecurity and privacy infrastructure (which would delay integration).

These negatives are well documented. A 2019 Forescout report found that, “[j]ust under half (49%)” of the transactions analyzed “encountered unknown or undisclosed cybersecurity incidents, issues, or risks when integrating the acquired company’s information and technology that delayed the integration timeline.” Another well-known example was Verizon’s $350 million purchase price reduction of Yahoo!’s to cover costs of ongoing government investigations and private litigation for historic cybersecurity incidents that were not fully disclosed or evaluated in the due diligence phase.

Things have changed. Gartner reported that by 2022 sixty percent of organizations will consider a target company’s cybersecurity posture as a critical factor in their due diligence process. Acquiring companies have made DSP due diligence a priority because they understand the costly risks of inheriting a target company’s DSP liabilities.

Target companies must proactively address and disclose DSP risks to avoid renegotiation of the purchase price, delay the closing date, or at worst, the acquiring company backing out of the deal. M&A parties often retain sophisticated DSP attorneys to assist in all phases of the deal, including conducting DSP posture analyses, evaluating DSP-specific risks, and guiding the company through the diligence process.

This article addresses some of the key privacy and security issues, and strategies target companies should undertake to prepare for privacy reviews in due diligence.


Understand Data Privacy and Cybersecurity Obligations

The acquiring company’s goal during diligence is to understand whether the target company: (a) is in compliance with all applicable privacy and cybersecurity obligations, (b) has controls in place to avoid future regulatory or litigation exposure, and (c) has no undisclosed cybersecurity incidents that could lead to future exposure. Thus, the target company should be prepared to respond to diligence requests that focus on these key areas.

Context Matters. Cyber and privacy due diligence are heavily dependent on the target company’s profit model and industry because those factors heavily drive the evaluation of the transaction’s risk stemming from the target company’s cybersecurity posture. A purely regional business-to-business (B2B) company will generally have lower obligations than a company that handles personal health information (PHI), does significant business in California, or has international operations. A seller should focus on the following core area and consider whether it is in compliance with all standards-based on its position in that core area:

  • Profit-Model. Understand how the target company’s profit model subjects it to privacy and cybersecurity obligations. Consumer-facing companies are likely to have higher privacy obligations than those with an exclusively B2B model.  Additionally, companies who collect or trade consumer information will have higher privacy obligations, particularly when that information includes financial or health information.
  • Location. Understand the obligations imposed on the target company based on where it conducts business. Businesses in Europe or California may subject the business to specific obligations under the General Data Privacy Regulation (GRPR) or California Consumer Privacy Act (CCPA). Each has a specific requirement and harsh penalties for non-compliance. It is equally important to know if the target company is not subject to the CCPA and GRPR so that the target company does not unnecessarily expend resources to comply with those laws, and to adequately respond to misdirected diligence inquiries about GRPR and CCPA compliance.
    Cybersecurity incident notification laws also vary by state, so the company should understand could create obligations for historic cybersecurity incidents.
  • Industry. Understand whether the target company’s industry creates unique security obligations. Broadly, a company that operates in: (a) financial services, (b) healthcare, (c) government contracting, (c) consumer data collection, and (d) consumer credit card transactions. State laws may also impose industry-specific obligations.

Understand the impact of historic cybersecurity incidents. Any historic cybersecurity incidents will very likely be the subject of the acquiring company’s diligence inquiry. The target company should consider the root cause of the incident (i.e. system vulnerabilities or policy gaps).


Strategies to Maximize Price and Avoid Concerns During Diligence

Again, acquiring companies are evaluating potential transaction risk based on the target companies’ compliance obligations and cybersecurity risks. Strong documentation reflecting a target company’s understanding of its obligations and implementation of necessary policies and programs is a target company’s strongest asset in alleviating an acquiring company’s concerns (and in turn maximizing the purchase price).

Implement Privacy Policies. Implement compliance privacy policies to the extent necessary based on the target business’ profit model, location, and industry (as discussed above). If the target company determines its business does not require implementation of a specific policy, demand the rationale for that decision, and maintain a policy that requires a review of the target company’s privacy compliance requirements: (a) periodically, (b) based on material changes in the company’s business, and (c) based on material changes in the law.

Implement Data Governance Programs. Even if the target company has determined that specific privacy laws do not apply to the company, many acquiring companies will require that the target company understands the data it collects. Understanding the collected data allows the target company to show that: (a) it has analyzed potential risks of a cybersecurity incident, and (b) is well-positioned to comply with future privacy requirements following the acquisition (or based on future changes in the laws).

Implement Cybersecurity Policies. Maintain a cybersecurity and compliance infrastructure that require conducting penetration testing, vulnerability assessments, and corrective follow-up. An acquiring company is likely to be skeptical about a target company’s representations about a lack of prior incidents because a company that does not conduct regular testing and assessments may not even be aware of prior intrusions.

Analyze Contracts and Maintain Insurance. The target company should analyze vendor and customer contracts relating to indemnification for cyber or privacy incidents.  As the acquiring company may be inheriting these contracts, they will want to ensure that these contracts don’t create unnecessary risk. Maintaining cybersecurity insurance covering past incidents will further alleviate concerns.

Analyze Past Incidents. Analyze past incidents to determine what system vulnerabilities, policy or training gaps led to the incident, and document the steps taken to correct those issues.

Partner with Technologists Who Understand the Legal Requirements. There is no need to reinvent the wheel.  Work with experienced partners who can help assess the need for privacy and cybersecurity programs, and help you navigate due diligence requests from an acquiring company.  Octillo retains privacy attorneys and security professionals with a deep understanding of the technology in the law.

For more information on this topic, contact Octillo attorney Chirag H. Patel.

Subscribe to our newsletter.

*Attorney Advertising.  Prior results do not guarantee future outcomes.

CaliforniaCalifornia Privacy Protection Agency: Updates on Rulemaking Timeline, Agency Staffing, and What Privacy Practitioners Can Expect in the Months to Come

California Privacy Protection Agency: Updates on Rulemaking Timeline, Agency Staffing, and What Privacy Practitioners Can Expect in the Months to Come

On Tuesday, October 5th, Jennifer M. Urban, Board Chair of the newly formed California Privacy Protection Agency (CPPA), joined the Privacy Law Section of the California Lawyers Association for a fireside chat about CPRA rulemaking, agency staffing, and what privacy practitioners can expect in the months to come.


Approved through ballot proposition back in November 2020, the California Privacy Rights Act (CPRA) created the CPPA, which is the first state-level agency dedicated to consumer privacy regulation. With the CPPA having full administrative power, authority, and jurisdiction to implement and enforce the CCPA and CPRA, privacy practitioners and businesses are keeping a close eye on the new agency’s rulemaking timeline as the July 1st deadline to adopt final regulations quickly approaches.


The CPPA had its first public board meeting on June 14th (agenda and meeting materials available here). The agency then followed up with a two-day, public virtual meeting on September 7th and September 8th (agenda and meeting materials available here) as well as a closed session regarding hiring matters on September 24th (agenda available here).


Some of the topics discussed by the CPPA Board during its September 7th and 8th public meetings include: (1) the Bagley-Keene Open Meeting Act; (2) the Administrative Procedures Act; (3) other administrative updates; (4) initial hiring strategy, timelines, and duties; (5) delegations of authority for limited administrative functions; (6) the agency’s conflict of interest code; (7) member handbook drafts; (8) subcommittee assignments; (9) board office location; (10) notice to the Attorney General to assume rulemaking authority; (11) future meeting schedule; and (12) public comments.


In continuing with some of the above-mentioned topics, the fireside chat primarily covered the agency’s proposed rulemaking timeline, agency staffing needs, and subcommittee assignments.


With preliminary public comments on proposed rulemaking due by November 8th, the CPPA is looking to publish notice of proposed rulemaking, an initial statement of reasons, and text of regulations sometime in Winter 2021-2022 (aiming potentially for January 2022). In Winter/Spring 2021-2022, the CPPA is planning to hold public hearings. Furthermore, the CPPA is planning to submit draft regulations to the Office of Administrative Law by May 2022.


The CPPA proposes to form three new subcommittees to divide up the work: (1) New CPRA Rules Subcommittee; (2) Update of CCPA Rules Subcommittee, and (3) Rulemaking Process Subcommittee.


The New CPRA Rules Subcommittee will cover topics such as cybersecurity audits, risk assessments, automated decision-making, and agency audit authority. The suggested members for this subcommittee are Vinhcent Le and Lydia de la Torre.


The Update CCPA Rules Subcommittee will cover opt-out requests (including preference signals), accessibility, rights to erase/correct/know (look-back period, definition of “specific pieces of information obtained from the consumer, etc.), and use of PI by contractors/service providers. The suggested members for this subcommittee are Jennifer Urban and Angela Sierra.


The Rulemaking Process Subcommittee will coordinate pre-rulemaking and rulemaking activities (e.g., informational hearings, collection of comments, etc.), make recommendations as to whether rules are needed for certain topics, coordinate reports on the scope of privacy rules that currently apply to insurance corporations, and suggest additional topics for rulemaking and secure resources. The suggested members for this subcommittee are John Christopher Thompson and Lydia de la Torre.


Please see additional information regarding the agency’s proposed course of action here.


Economic considerations regarding the operational cost of compliance are also likely to be considered during the rulemaking process.


What’s next? The deadline for the adoption of final regulations is July 1, 2022. The CPRA becomes effective on January 1, 2023. The CPPA will also continue to hold meetings as the rulemaking process continues.


Octillo’s California Privacy Team continues to actively monitor updates to the privacy landscape as well as the impacts that new CPRA regulations will have on businesses. To learn more about the impact the CCPA and the CPRA may have on your business, reach out to our team of highly skilled attorneys.


*Attorney advertising: prior results do not guarantee similar outcomes.

Subscribe to our newsletter.


Cybersecurity AwarenessCybersecurity Awareness Month – 10 Tips for Improving Your Organization’s Cyber Hygiene

Cybersecurity Awareness Month – 10 Tips for Improving Your Organization’s Cyber Hygiene

October is Cybersecurity Awareness Month – a month-long event with the goal of raising awareness of good cybersecurity practices.

As a law firm focused only on technology, data security, and privacy, Octillo is dedicated to helping organizations create robust cybersecurity programs that help prevent or lessen the impact of potential cyber attacks. This starts with helping organizations, and their employees understand the important role they play in protecting their systems and safeguarding data.

In recognition of this important educational opportunity, we have compiled some of our top cybersecurity tips to help your organization improve your cyber hygiene. Do your part, #BeCyberSmart!

1. Use Multi-Factor Identification  

Add multi-factor authentication to your accounts. These tools require you to grant access to your accounts every time someone tries to log in.   


2. Update your Systems  

Updates may be a pain, but they are important. Updates often include patches for recently identified security issues. Neglecting updates may leave you vulnerable to threat actors exploiting these vulnerabilities.  


3. Emphasize Employee Education  

Human error is one of the most commonly cited causes of cyber incidents. Conduct regular cybersecurity trainings, including tabletop exercises testing your incident response plan, to help employees understand their role in incident response and prevention.  


4. Use Strong Passwords  

Choose unique passphrases as an alternative to passwords (ie. Myd0g1sth3b3st! vs. Fido123). Use a different password for each account. To help keep your credentials straight, consider using a password manager.   


5. Examine Emails Carefully  

Scammers often mimic a legitimate site or email address by using a slight variation in spelling. Pay attention to email and website addresses and independently verify links and attachments before clicking. Know where/how to report any suspect emails because you may not be the only one who received it.  Sharing is caring! 


6. Avoid Public or Unsecure Wi-Fi Networks  

Do not connect to a public or unsecure Wi-Fi network, such as at a coffee shop or hotel. Any sensitive information transmitted over these unsecure connections can be accessed by other users on the network. When a secure network is not available, opt to use your mobile hotspot.  


7. Create Email Forwarding Alerts  

Set up alerts when forwarding rules are added to your e-mail account and routinely check email forwarding rules. If threat actors gain access to an email account, they may create account rules to hide their activity.      


8. Do Not Use Personal Devices to Access Sensitive Data  

Personal devices, such as your phone or personal computer, are often not as secure as devices in the workplace. Downloading or accessing sensitive information on those devices could lead to the information being compromised. Unless your Security Officer says otherwise, never access sensitive information from personal devices.    


9. Keep Track of your Backups  

Make sure to have backups of important backups in place and these backups are stored separate from your normal environment. Check the integrity of your backups regularly. 


10. Find A Data Security Team  

Creating data security policies, procedures, and plans be daunting. Partnering with a team that understands the legal and threat landscape surrounding data security is a great first step towards improving your cyber preparedness. 



*Attorney advertising – prior results do not guarantee future outcomes.

Subscribe to our newsletter.