Data protection laws have taken center stage in several countries around the world. Governments are responding to the renewed need to keep their citizens' data secure. At the same time, users themselves now expect the organisations collecting their data to be proactive in protecting any collected data.
However, countries are not the only ones legislating to bring in data protection laws of some kind. Most prominently, the United States does not have an overarching federal statute that regulates data privacy for consumers. That is why states like California with the California Consumer Privacy Act (CCPA), New York with The New York Privacy Act, Massachusetts with the Massachusetts Data Privacy Law, and New Jersey with the New Jersey Disclosure and Accountability Transparency Act (NJ DaTA) are passing their own state-level laws to protect their residents.
Quebec, a province of Canada, like the US states, has its own data protection law in place, known as the Act Respecting the Protection of Personal Information in the Private Sector, CQLR P-39.1 (Quebec Private Privacy Act). However, unlike the US, Canada has a federal law that regulates Canadian residents’ data privacy: the Personal Information Protection and Electronic Documents Act (PIPEDA).
Now, amendments have been introduced in Quebec’s data protection law through Bill 64. What effect do these amendments have on the regulation itself and how can organisations remain compliant with them? Read on below to learn more:
The amended Quebec Private Privacy Act consistently reiterates Personal Information (PI) as one of the essential pieces of data covered by law. The Quebec Private Privacy Act applies to personal information, whether the organization keeps the information itself or through the agency of a third person, whatever the nature of its medium and whatever the form in which it is accessible, whether written, graphic, taped, filmed, computerized, or other. Personal information is any information which relates to a natural person and directly or indirectly allows that person to be identified.
The Quebec Private Privacy Act also covers sensitive personal information. However, it does not apply to journalistic, historical or genealogical material collected, held, used or communicated for the legitimate information of the public.
As far as the Quebec Private Privacy Act's territorial scope goes, it applies to the collection, use, or disclosure of personal information within the province by any organization.
Moreover, organisations and websites that offer goods/services online or are accessible by users from Quebec must also comply with this law.
As per the amended Quebec Private Privacy Act, organisations have certain obligations towards their users and customers. The most important of these obligations include the following:
No matter how safe and secure an organisation claims its data processing activities and measures are, it cannot proceed with data collection unless it has a lawful basis for processing the personal data of individuals.
Under the amended Quebec Private Privacy Act, personal information may not be used within the enterprise for any purpose other than the one for which it was initially collected, unless the data subject has consented to an additional purpose. Furthermore, no person may communicate the personal information of the data subject to a third person unless the data subject has consented or this law provides for such communication.
Consent needs to be:
A data subject may request assistance to help him/her understand the scope of the consent being provided. Consent is also only valid for the time necessary to achieve the purposes for which it was requested, and consent not given in accordance with this law is of no effect.
An organization collecting personal information from the data subject must, when the information is collected and subsequently on request, inform the data subject of the following:
Any person who collects personal information through technological means must publish on the enterprise’s website, if applicable, a confidentiality policy drafted in clear and simple language, and disseminate it by any appropriate means to reach the persons concerned. Failure to do so may vitiate consent collected for PI gathered through technological means.
Express consent is required for the processing of “sensitive personal information”, which is defined as information that “entails a high level of reasonable expectation of privacy.” Organizations must also ensure that the data subject can withdraw consent as easily as giving it, at any time.
There are special provisions for minors and people who are differently abled, as Bill 64 reiterates the responsibility of data handlers to ensure informed consent is obtained from their guardian.
As per the amended Quebec Private Privacy Act, it is up to the organisation or website to ensure it has a framework in place that informs and educates the user about its practices and policies; these must be proportionate to the nature and scope of the enterprise’s activities and be approved by the person in charge of the protection of personal information. Additionally, the policy must give the user ample means to complain regarding the protection of their information.
An organisation must ensure it regularly assesses the success and effectiveness of its practices in ensuring compliance with the data protection laws. Any policies must be updated and reformed accordingly, while the staff should be promptly informed of these changes.
In the event of a data breach, there are certain requirements in place that the compromised organisation must adhere to. These include the following:
As strange as it may sound, the top official within the organisation, i.e., the CEO, is the DPO by default. However, some provisions allow this role to be delegated to someone within the organisation or to a hired third party.
It is strongly recommended that an organisation hire a dedicated DPO for two reasons. The first is that the CEO will almost always have a lot on their plate, and piling on another role would undo the purpose behind having a Privacy Officer role to begin with. Secondly, a DPO can drive efforts within the organisation to implement privacy-related governance policies and practices across all teams.
The Privacy Officer, whether it be the CEO or a DPO, must ensure the most robust privacy practices are implemented within the organisation to minimize, and ideally eliminate, any chance of future breaches.
This is arguably the most important and core element of the amended Quebec Private Privacy Act. A PIA will be required when personal information on Quebec residents is transferred outside the jurisdiction of Quebec (see the Cross-Border Data Transfer Requirements section below for more details on this subject).
Other instances that may trigger the need to carry out a PIA include the acquisition, development, and overhaul of an information system or electronic service delivery that involves personal information of Quebec residents.
The amended Quebec Private Privacy Act does allow data transfers across regions. However, there is a catch. The jurisdiction to which the data is to be transferred must have equivalent legislation in place that protects the data in question. The Commission plans on publishing a list of jurisdictions considered equivalent and safe for data to be transferred to.
Additionally, a privacy impact assessment must be carried out on the jurisdiction to which the data is to be transferred. Any such assessment must be based on the following criteria:
Organisations often rely on third parties, or vendors, to assist in their operations. Often, to enable such a collaboration, personal information and data collected on users must be shared with these vendors. However, this data and PI can only be shared once the user has consented to the sharing.
Similarly, the vendor is required to:
Any data shared with the vendor must be deleted permanently once the contractual obligation for which the data was required is complete.
However, the second obligation does not apply to public entities or when the data being shared is already in the public domain.
If the organisation or website collecting a user’s data employs automated processing based on the data collected on users, it must inform the user of the following information without delay once any data that is to be used in automated processing is collected:
Like all other significant data protection regulations globally, the new Quebec Privacy Act also guarantees all users certain rights, known better as Data Subject rights. Some of the rights covered by the Privacy Act include the following:
The Commission d’accès à l’information, also known as "CAI," will primarily enforce the Quebec Privacy Act across the jurisdiction. It shall have the power to "take any measure to protect the rights of the persons concerned" while also being authorized to order penalties against organisations for their non-compliance with the new law's provisions.
Using the old "carrot-and-stick" metaphor, this would be the stick that compels organisations to comply with the new law. As many will notice, the monetary penalties for failing to adhere to the new mandates introduced by the Quebec Privacy Act can be overly severe.
CAI can levy a penalty of CA$10 million ($8.01 million) on an organisation for individual breaches. Penalties may reach CA$25 million or, if greater, an amount corresponding to 4% of worldwide turnover for the previous year for organisations found in gross breach of or non-compliance with any of the new law's statutes.
While the new amendments promise a heightened level of protection for all users' data, organisations might find it a tall order to operationalize the new legislation within their business practices. Compliance with the new law cannot be achieved within a day, but certain practices can ensure the adaptation is made quickly and effectively. Some such practices include:
Users are now becoming increasingly educated and aware of websites' responsibilities online towards the data collected on users. Hence, they expect these websites to take the appropriate measures to ensure this data is protected and maintained as per the laws that they're subject to. With more and more countries enacting their own versions of data protection laws, organisations must consider data compliance and governance as essential parts of their modus operandi.
That is an arduous task. However, AI-driven solutions could hold the key towards striking a balance between efficiency and effectiveness. Securiti is a market leader in offering solutions based on its PrivacyOps framework that can help businesses achieve privacy compliance anywhere in the world at the click of a button.