Quebec’s Act to Modernize Legislative Provisions respecting the Protection of Personal Information (“Bill 64”) is set to bring important changes to the province’s privacy frameworks. Chief among these changes are new requirements for cross-border transfers of personal information. As of September 22, 2023, businesses will need to complete the following steps before they transfer personal information outside of Quebec:

  1. Conduct a privacy impact assessment
  2. Confirm that the personal information will receive adequate protection in the target jurisdiction, and
  3. Enter into a written agreement that takes into account the results of the assessment and establishes terms to mitigate any risks that were identified.

Bill 64 is an important step in modernizing Quebec’s privacy regime, but the provisions related to data transfers have caused concern within the business community. This is because a significant amount of the personal information transferred out of Quebec goes to the US, and business leaders are worried that these transfers will no longer be allowed once the law comes into force.

For those seeking to predict how Quebec courts might apply the new requirements under Bill 64, recent developments within the European Union offer some food for thought.

For those seeking to predict how Quebec courts might apply the new requirements, recent developments within the European Union (“EU”) offer some food for thought. Europe’s General Data Protection Regulation (“GDPR”) remains the gold star for privacy legislation worldwide and likely inspired certain of Bill 64’s provisions. For example, under the GDPR, companies that transfer personal data outside of the European Economic Area (“EEA”) must ensure that the data continues to enjoy the same level of protection in the target jurisdiction.

Unlike Bill 64, the GDPR contains a number of mechanisms to facilitate data transfers to other jurisdictions. Among these are Adequacy Decisions by which the EU Commission declares that a certain country offers a comparable level of data protection to those required by the GDPR. This allows companies to easily transfer EU personal data to that country and can be critical for ensuring smooth commerce between major trading partners. The US, for instance, benefitted from one such Adequacy Decision known as the Privacy Shield up until July 2020 when the Court of Justice of the European Union (“CJEU”) invalidated the Adequacy Decision in the Shrems II decision. Since then, officials in the EU and US have been intently negotiating a new deal.

Although Bill 64 does not have a similar mechanism to facilitate international data transfers, these developments are still relevant because each Quebec-based business must determine for itself whether another jurisdiction offers adequate protections. If EU courts were to continue to find that the US did not offer adequate legislative safeguards for personal information, then it would seem likely that Quebec courts would follow suit, with important consequences for businesses using American data processing or storage services.

Indeed, the past couple weeks have only highlighted the importance of reconciling international data protection laws to allow for smooth cross-border transfers of personal information and facilitate global trade. For example, in January and February 2022, two European data protection authorities found that the use of Google Analytics by companies in the EU violates Article 44 of the GDPR. Given the ubiquity of personal data in modern commerce big and small, decisions like these are enough to give businesses cause for concern.  

However, in exciting news for the business world and privacy buffs on both sides of the Atlantic, the EU Commission and the US Government announced on March 25, 2022, that they have come to an agreement “in principle” on a new Trans-Atlantic Data Privacy Framework. Few precise details of the agreement are yet available, but both parties agree that the new framework will address the concerns raised by the CJEU in the Schrems II decision. These new changes make it more likely that businesses transferring personal information from Quebec to organizations certified under the new Privacy Shield will be compliant with Quebec law requirements. News of the agreement should, therefore, be happily received by Quebec businesses of all sizes.