What is Quebec Law 25?
Quebec Law 25 is the most recent and notable advancement in Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) privacy legislation. This legal milestone follows the adoption of Bill 64 in 2021, known as "An Act to modernize legislative provisions as regards the protection of personal information." Bill 64 brought about substantial changes to the rules governing the collection, use, and disclosure of personal data.
What does Law 25 require from businesses?
Law 25's reach is extensive, covering public and private entities in Quebec, including businesses, nonprofits, and government bodies. The mandate applies regardless of entity size and, notably, to any company that collects, uses, or retains the personal information of Quebec citizens as part of its operations. This includes businesses located in Quebec as well as those that serve Quebec residents from elsewhere.
However, obligations differ based on business type, data handled, and processing context. Generally, if an organization deals with personal information of Quebec residents, Law 25 likely applies.
Specifically, Law 25 introduces several new obligations for organizations:
- Breach notifications
- Designated privacy officer appointments
- Privacy impact assessments
- Privacy notices
- Subject rights
- Upgraded consent
Breach notifications
Should a breach occur, Law 25 requires organizations to promptly notify the Commission d’accès à l’information du Québec (CAI), the primary privacy enforcement agency in Quebec. In addition, a disclosure must be made to any customers or parties whose exposed personal information could result in a "risk of serious injury" to the individual. Severity is assessed using existing PIPEDA definitions, and the obligation covers incidents that involve sensitive personal data. Companies are also obligated to maintain a comprehensive record of all security incidents as part of their regulatory responsibilities.
Privacy officer appointments
Entities subject to Law 25 are obligated to appoint an employee who will ensure the business's compliance with the regulations. This person is also known as the Designated Privacy Officer (DPO). Although any qualified individual can take up the role of DPO, it defaults to the most senior person within the organization, which in most cases is the CEO or equivalent top-level executive. However, the law allows flexibility in who becomes the privacy officer, as long as that person possesses the necessary qualifications and knowledge to carry out the compliance duties.
Privacy impact assessments
Under Law 25, businesses must conduct a Privacy Impact Assessment (PIA) under specific circumstances. These situations include instances in which an information system or electronic service delivery system is acquired, developed, or overhauled, and it involves the collection, use, release, retention, or deletion of personal information. The content of the PIA will vary depending on various factors, such as the type of information involved and the scope of the activity. A thorough assessment should encompass information related to:
- Data sensitivity
- The purpose of the data
- Any protection measures that would apply
- The legal framework applicable in the jurisdiction where the information is shared
Privacy notices
Businesses are obligated to provide disclosures to consumers on how the organization’s technology practices may affect their privacy. This requirement comes into play when companies collect personal information using technology that identifies, locates, or profiles the individual, or when they use personal information to make decisions based on automated processing. The company must inform users of which technologies are being used, as well as the means available to activate the tools that allow users to be identified or profiled.
When providing privacy notices, businesses must be transparent and offer clear and comprehensive details to the individuals whose information is being used. This information may include:
- The purpose of data collection
- The types of data being collected
- The methods of data processing
- The potential consequences of automated decisions
- Any other relevant information pertaining to the individual's privacy rights
Subject rights
The subject rights in Quebec have been updated and now more closely resemble the privacy mandates in the EU’s General Data Protection Regulation (GDPR). Prior to Law 25, individuals had limited control over their personal information and fewer protections for data handling requests, such as consent withdrawals or data portability requests.
Thanks to Law 25, residents now benefit from codified rights to information, access, rectification, erasure, withdrawal of consent, restriction of processing, and data portability:
- Right to be informed: Individuals have the right to be informed about how their personal data will be collected, processed, and used. This includes being aware of the purpose of processing and any third parties involved.
- Right to access: Individuals can request access to the personal data held by an organization. They have the right to know what data is being processed and obtain a copy of it.
- Right to rectification: Individuals can request corrections to their personal data if they find inaccuracies or incomplete information.
- Right to erasure: Also known as the "right to be forgotten," users can request the deletion of their personal data under certain circumstances, such as when the data is no longer necessary for the purpose it was collected.
- Right to withdraw consent: Individuals have the right to withdraw their consent for the processing of their personal data at any time.
- Right to restrict processing: Individuals can request limitations on the processing of their personal data in certain situations. This might apply when they contest the accuracy of the data or when the processing is unlawful.
- Right to data portability: Individuals can request their personal data to be provided to them in a structured, commonly used, and machine-readable format. They can also request the data to be transmitted directly to another organization, if feasible, when the processing is based on consent or a contract.
Privacy officers are expected to address requests within 30 days of receiving them, with the possibility of requesting an extension if necessary.
Upgraded consent
Law 25 introduces specific and enhanced rules related to individuals' consent before a business collects, uses, or distributes the individual’s personal information. When requesting consent in writing, a public body or organization must do so independently, separate from any other information provided to the individual.
Express consent is required for certain uses or disclosures of sensitive personal information. Additionally, if the individual is a minor under the age of 14, consent must be obtained from the minor’s parent or legal guardian before the business collects, uses, or discloses the minor’s personal information. For consent to be considered valid under Law 25, it must meet several criteria:
- It must be freely and fully informed and given for specific purposes
- It must be requested separately for each purpose
- It should be presented in clear and simple language
- It must be expressly provided for sensitive personal information
Furthermore, individuals must be informed of their right to withdraw consent (for the private sector), the names of third parties outside Quebec with whom their personal information is shared, and the categories of people within the organization who have access to their data.
It’s also the business’s responsibility to provide details on the retention period for their information, the contact information of the responsible individual or entity, and whether the information request is mandatory or optional (for the public sector).
When does the Quebec Law 25 go into effect?
Quebec’s Law 25 is being phased in over a three-year period to allow businesses enough time to learn the new requirements and apply appropriate changes to their data handling procedures. The first phase of Quebec's Law 25 came into effect on September 22, 2022. Its key provisions take effect on the following schedule:
- September 2022: Breach notification requirements
- September 2022: Privacy officer appointment
- September 2023: Privacy impact assessments
- September 2023: Updated privacy policies
- September 2023: Offer a right to restrict processing
- September 2023: Offer a right to erasure
- September 2023: Enhanced consent requirements
- September 2024: Right to data portability
Note the distinctions among these dates and how they might affect your compliance strategy. For example, most of the new subject privacy rights under Quebec’s Law 25 take effect in September 2023, but the right to data portability does not take effect until September 2024.
Companies hoping to achieve compliance with these mandates will need a structured approach that addresses complexities and mitigates challenges posed by phased rollouts.
Who is required to comply with Law 25?
Law 25 encompasses a wide scope, and it applies to both private and public sector entities in Quebec, regardless of their size or organizational type. This includes businesses, non-profit organizations, and government bodies. The law is especially relevant to enterprises that collect, use, disclose, retain, or dispose of personal information of Quebec citizens as part of their commercial activities, irrespective of their geographical location.
It's crucial that businesses take charge of these issues as soon as possible. In a recent PwC survey, only 35% of businesses expected to be fully ready for Law 25 compliance, and nearly 4 in 10 said they did not understand the full scope of Law 25's impact on their activities.
Nevertheless, the specific obligations under Law 25 vary depending on the nature of the business, the type of personal information handled, and the context of its processing. In essence, if an organization deals with the personal information of Quebec residents, it is likely subject to Law 25 and its compliance requirements.
Note that this includes scenarios in which a Quebec-based customer seeks goods and services from a foreign website, which encompasses most international ecommerce situations. As a result, foreign companies may need to ensure compliance with the new legislation to align with the regulatory requirements.
Quebec Law 25 penalties for non-compliance
Law 25 enforces stricter penalties for non-compliance with privacy legislation. Private sector entities may face fines up to $25,000,000 CAD, or an amount equivalent to four percent of their worldwide turnover from the preceding fiscal year, whichever is greater.
To avoid penalties, businesses will need to proactively adhere to the proposed changes in Quebec's privacy laws. They will need to conduct a comprehensive privacy audit to assess their current practices, update privacy policies and procedures to align with the new requirements, and implement robust security measures to safeguard personal information.
Furthermore, businesses must be sure that their staff members receive appropriate training to handle personal data responsibly. Additionally, organizations should review and update contracts with service providers to ensure that data processing agreements are in line with the revised privacy regulations. These are just a few simple ways businesses can mitigate the risk of a compliance violation, but they’re only the beginning.
Start preparing for compliance now
It’s important to emphasize that failure to comply with Law 25 may lead to severe penalties. However, it's not too late to initiate your compliance process. The bulk of Law 25 regulations come into effect in September 2023, so if your company hasn’t begun its transition toward Law 25 compliance, now is the perfect time to begin.
No matter where you are in this compliance journey, Enzuzo can help. Our dedicated team is ready to help evaluate your practices and procedures to make sure they align with both the Quebec legislation and other relevant laws in Canada and the European Union. Visit us to learn how we can help your organization stay up to date on your compliance goals.
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.