Online privacy and data protection have become pressing issues in recent years that many governments have decided to legislate. The Legault CAQ government has been behind many digital-related innovations, so it’s not surprising to see legislation like this.
This law is a legislative update, since existing laws inadequately address digital data. It should be noted that Law 25 has teeth and isn’t merely a preparatory law. The penalties for a violation by an individual (natural person) range from $5,000 to $100,000.
For more severe violations, the penalties range from $15,000 to $25 million, or 4% of global revenue from the previous financial year, whichever is higher.
In addition, this law is considered evolving; new obligations will be added over the years to keep the law’s demands current. This article provides an update on the law’s provisions, your organization’s compliance obligations, and ways to ensure current and future alignment.
Overview of the Law 25
Often compared to the European Union’s GDPR, Law 25, also known as Bill 64, puts forth several measures to get public bodies and private organizations to modernize their data privacy practices. The law does not mandate specific technologies, but it encourages the use of multiple, sophisticated tools and sets out penal and monetary penalties for organizations that fail to implement adequate safeguards.
For example, under this law multi-factor authentication becomes a practical necessity for all organizations, since it reduces the likelihood of the data breaches that attract hefty fines. Data encryption is likewise a good practice to adopt. Another important provision of this law is citizens’ right to data erasure and de-indexing. Companies will therefore need a sound data handling policy in place so that honouring such requests does not become unnecessarily complicated.
This law also creates a right to data portability. This right is related to the one described in the previous paragraph, but it obliges public bodies and companies to provide, upon request, all personal information collected from a person so that they can access it.
Who does Law 25 Quebec apply to?
Law 25 applies to businesses in Quebec that are engaged in organized economic activities, whether or not they operate for profit. This includes collecting, storing, using, or sharing the personal information of Quebec residents with third parties, or providing services to Quebec residents.
The Old Law 25
Law 25 was initially implemented on September 22, 2021, laying down new requirements that businesses in Quebec needed to adopt by September 22, 2022. These controller requirements, including privacy policies, risk assessments, and data breach notification, were geared at strengthening individual privacy rights in Quebec. The initial implementation required Quebec businesses to do the following:
- Designate a person to be in charge of the protection of personal information.
- In case of a confidentiality incident involving personal information:
  - Take measures to reduce the risk of injury to the persons concerned and prevent new incidents from occurring.
  - Fill out a form to notify the Commission d’accès à l’information du Québec (CAI) and the person concerned.
  - Keep a register of confidentiality incidents and send a copy to the Commission at its request.
- Respect the new rules for communicating personal information without the consent of the person concerned for the purposes of study, research, or statistics, and in the context of a commercial transaction.
- Conduct a Privacy Impact Assessment before communicating personal information without the consent of the person concerned for the purposes of study, research, or statistics.
- Fill out a form to notify the Commission before carrying out an identity verification or confirmation using biometric characteristics or measurements.
Changes to Law 25 Implemented in 2023
Since September 22, 2023, further changes to Law 25 have taken effect to advance the requirements for individual privacy rights. In addition to the controller requirements of the initial implementation, Quebec businesses must abide by the following:
- Develop a policy governing how the business protects personal information. The policy must include:
  - Rules applicable to the retention and destruction of personal information
  - Staff roles and responsibilities throughout the life cycle of personal information
  - A privacy complaints process
- Respect new transparency obligations.
- Obtain a person’s free and informed consent to collect, communicate, and use their personal information, and comply with the new consent rules.
- Destroy personal information once the purpose of its collection is accomplished, or otherwise anonymize it for serious and legitimate purposes, subject to the conditions and retention period provided by Law 25.
- Conduct a privacy impact assessment when required by law.
- Respect the right to de-indexation and the cessation of dissemination. Individuals can now ask companies to stop disseminating their personal information, or to de-index any hyperlink attached to their name that provides access to their data, if the dissemination causes them injury or contravenes the law or a court order.
- Comply with new rules for communicating personal information that facilitate the grieving process. Organizations may release personal information concerning a deceased person to a spouse or close relative if knowledge of the data will help that person in their grieving process, unless the deceased recorded, in writing, their refusal to grant such a right of access.
- Respect the new rules on the collection of personal information concerning minors under the age of 14: such information can no longer be collected without the consent of the person who has parental authority over the minor.
- Ensure that the settings of any technological product or service offered to the public provide the highest level of confidentiality.
Implications of the New Law 25 Amendments
The amendments to Quebec’s Law 25 bring significant changes that affect various stakeholders, such as businesses and individuals. For businesses, the new amendments come with new obligations, including:
- Privacy impact assessments
- Incident management
- Consent framework
- Automated decisions transparency
- Fines for non-compliance
However, the amendments provide individuals with increased data protection and more rights over their personal data.
While Law 25 is necessary to strengthen individual data protection, implementing its requirements can be complex and resource-intensive. Aligning stakeholders for privacy impact assessments, putting data protection agreements in place, and revising consent mechanisms are among the most challenging tasks.
However, the amendments also offer opportunities for businesses to enhance their data protection practices, thereby building greater trust with customers and leveraging their data management for competitive advantage. As a result, this can lead to better customer relationships and facilitate the development of new business models that prioritize data security.
What is the difference between Law 25 and PIPEDA?
Quebec’s Law 25 is a stringent privacy regulation, whereas Canada’s PIPEDA is a broader federal law. Specifically, Law 25 gives users rights over personal information that PIPEDA does not provide, including the right to request data deletion and to receive personal data in a portable format.
Law 25 also has more rigorous consent requirements: tracking technologies cannot be used without explicit, opt-in consumer consent. In contrast, PIPEDA allows data collection practices that rely on opt-out consent.
Requirements of Law 25
For businesses in Quebec, the main requirements of Law 25 include:
Appointment of a privacy officer
This person is responsible for ensuring the business meets the requirements of Law 25 for protecting personal information. By default these responsibilities fall to the highest authority within the business, but they can be delegated to another person.
Transparency
The contact information of the person in charge of personal information protection must be publicly available on the business’s website or by other appropriate means.
Governance policies
Policies for keeping personal information safe must be created and followed. These policies must include:
- How long the data is kept
- Roles and responsibilities of different members working on the personal information
- How the business handles complaints about data protection.
The policies should match the size of the organization and must be approved by the person responsible for data protection. The details of these policies should also be published on the business’s website or made available through other means.
Privacy Impact Assessment
Businesses in Quebec must conduct a privacy impact assessment for any project involving collecting, using, sharing, retaining, or destroying personal information. The assessment must consider the sensitivity of the data and its intended use, quantity, distribution, and storage medium.
Protection measures
The person in charge of personal information protection can recommend specific protection measures, such as:
- Appointing a responsible person
- Safeguarding documents
- Defining project participants’ responsibilities regarding data protection
- Providing training on data protection
Breach notification
In case of a confidentiality incident involving personal information, businesses must take measures to reduce the risk of harm and prevent further incidents. If the incident poses a risk of serious harm, the breach must be reported to the CAI and to the affected individuals. Notification of the individuals may be withheld if it would impede a criminal investigation. Under Law 25, businesses must also maintain a register of confidentiality incidents and provide a copy to the relevant regulatory authority upon request.
Risk assessment
When assessing a confidentiality incident’s risk of harm to individuals, businesses in Quebec should consider factors like:
- Sensitivity of the information
- Anticipated consequences of its misuse
- Likelihood of injurious use
They must also consult the person in charge of the protection of personal information.
Privacy policy
Any business that collects personal information must inform users of the following:
- Purpose of collecting the information
- How the information will be used
- Who in the organization can access the information
- Where the information will be kept
- Rights that users have to access and correct the information
- Right to withdraw consent for using the information
- Name and details of any third party with whom the information will be shared
- Whether the information may be sent outside of Quebec
- The technologies used to identify, locate, or profile users, and how to deactivate those functions
This information should be communicated through a privacy policy that is easily accessible to users.
International data transfer
When businesses transmit personal data from Quebec to locations outside the province, they must carefully assess whether the data will be adequately protected. To that end, they must conduct a Privacy Impact Assessment, put a contract in place with the recipient, and notify the people whose data is being sent.
Measures for organizations
Since September 22, 2022, Quebec businesses have had to implement several measures to comply with Law 25. Organizations that are subject to the GDPR should already have some of these measures in place, but reviewing them against the requirements of this Quebec law is still a good idea.
Privacy Officer
Every organization is required to appoint a Privacy Officer. If a company does not make a formal appointment for this role, the most senior officer of the company holds it by default and is accountable for implementing these programs and for any breaches. Having a person dedicated to this type of role was already a good idea for safeguarding corporate data; Law 25 now makes this practice a requirement.
Management plan and incident log
This measure is relatively simple. It requires Quebec companies to have a predetermined plan in case of incidents and to keep a log of any incident that occurs during their operations. The plan and the log can be straightforward, and the law does not impose a specific framework for them. However, involving every department of your organization in this process is a good idea, so that everyone knows what constitutes an incident and how to report it.
Duty to Disclose
In the event of a data breach, Quebec companies are legally obliged to notify anyone affected by the incident, and fines are attached to breaches of this obligation. This practice is now relatively common among organizations that handle customer data, and it is considered an effective way to limit the impact of a breach, for example by prompting affected users to change their passwords.
What does the new Law 25 mean for your organization?
The new Law 25 amendments oblige organizations to adopt measures that enhance the protection of users’ data. For compliance, this means you should do the following:
- Inform users through a privacy policy
- Ensure all data collection, use, and sharing is based on explicit and informed consent.
- Develop and publish data protection policies
- Make provisions for users to exercise their data rights
- Appoint a privacy officer and make their contact information accessible to the public
- Conduct Privacy Impact Assessments
- Implement recommended protection measures
- Notify the enforcing commission and affected users in case of a data breach
- Ensure compliance with Law 25 by training employees on data protection measures, such as cyber security awareness training.
What is personal information under Quebec Law 25?
Quebec Law 25 considers any information about a natural person that allows them to be identified as personal information. This includes their full name, address, email address, phone number, financial records, and health records, among others. Excluded from “personal information” are public records and information of a journalistic, historical, or genealogical nature that is held, used, or communicated in the public interest.
A culture of cyber security that complies with Law 25
Law 25 is an essential update to Quebec’s legislative framework, putting clear privacy and cyber security measures in place. It requires businesses to adopt more stringent measures to protect their users’ data, including appointing a privacy protection officer, obtaining explicit and informed consent, increasing transparency toward users, conducting privacy impact assessments, and more. While the measures described in this article are essential, the best way to prevent breaches is a corporate culture focused on cyber security awareness. The incidents Law 25 is designed to address are preventable by giving your employees access to robust cyber security training.