This guide offers an updated overview of Law 25, essential for businesses based in Quebec or those interacting with its residents. Our article explores the principles of Law 25, its impact, and what steps businesses must take for compliance with the law, covering areas like user consent and data breach notification.

What is Quebec’s Law 25?

Law 25 is a significant data protection law enacted in Quebec, Canada. Adopted by the National Assembly on September 21, 2021 and assented to the following day, it came into force in three phases between September 2022 and September 2024. It strengthens data protection rights and imposes new responsibilities on organizations handling personal information. Law 25 is the short name of the “Act to modernize legislative provisions as regards the protection of personal information” (chapter 25 of the statutes of 2021), which amended both the private-sector and public-sector privacy laws of Quebec.

What is Quebec’s Bill 64?

Quebec’s Bill 64 and Law 25 are the same legislation. Bill 64 was the name of the bill while it was before the National Assembly; Law 25 is the name it took on enactment. Both refer to the same data protection law, which strengthens individual privacy rights and imposes stricter obligations on organizations that handle personal information.

Key changes brought by Law 25

Law 25 modernizes Quebec’s data privacy framework, aligning it with global standards like the EU’s GDPR.

Key changes include:

  • Enhanced user consent: Clear, free and informed consent, given for specific purposes, is required before collecting, using, or disclosing personal information, and express consent is required for sensitive information.
  • Increased transparency: Businesses must provide clear information about their data practices.
  • Stronger enforcement: The existing regulator, the Commission d’accès à l’information (CAI), gained the power to impose administrative monetary penalties, and penal fines for the most serious offences were raised substantially.
  • Data breach notification: Organizations must notify the CAI and affected individuals of confidentiality incidents that present a risk of serious injury.

Law 25 has significant implications for businesses in Quebec or those collecting data from Quebec residents. Understanding its provisions and implementing compliance measures is crucial to avoid legal issues and maintain user trust.

When does Law 25 come into effect?

Quebec’s Law 25 was enacted in September 2021, but its various provisions came into effect in a phased approach.

  • Phase 1 (September 22, 2022): Designate a person in charge of the protection of personal information (the privacy officer), report confidentiality incidents that present a risk of serious injury, and keep a register of confidentiality incidents.
  • Phase 2 (September 22, 2023): The major provisions took effect, such as establishing data governance policies, increasing transparency, conducting privacy impact assessments, and obtaining valid consent.
  • Phase 3 (September 22, 2024): The final phase brought the right to data portability into force.

All provisions are now in effect, the last of them since September 22, 2024. Businesses in Quebec or handling Quebec residents’ data must comply with these requirements.

Law 25 Key Requirements

Though Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is in effect, Law 25 is stricter and more comprehensive. While it aligns with GDPR and CCPA/CPRA in some aspects, it diverges from typical North American data privacy laws, potentially surprising organizations familiar with U.S. regulations.

  • Stricter Consent Standards: Technology that can identify, locate or profile a person must have those functions deactivated by default and may activate them only after informing the person and obtaining consent. This opt-in model differs from the opt-out approach of many North American laws like CCPA/CPRA.
  • Privacy Officer Flexibility: The law offers flexibility in appointing a privacy officer, emphasizing transparency about their role.
  • Private Right of Action: Individuals can sue for damages for an unlawful infringement of a right under the Act, and punitive damages of at least CAD 1,000 are awarded where the infringement is intentional or results from a gross fault.
  • Confidentiality by Default: Public-facing systems must prioritize privacy settings without consumer action, and data collection requires explicit consent.
  • Privacy Impact Assessments: Mandated in various scenarios, including data transfers and system developments.
  • Data Subject Rights: Individuals have rights to access, rectification, portability (in force since September 22, 2024), de-indexation or cessation of dissemination, information about how their data is handled, and information about and review of decisions based exclusively on automated processing.
  • Third-Party Data Protection: Businesses must ensure third parties protect transferred personal data with contractual safeguards and may audit compliance.
  • International Data Transfer: Organizations must assess destination jurisdiction protections, conduct Privacy Impact Assessments, establish formal contracts, and inform individuals about data transfers.
  • Security Measures: Compliance necessitates data mapping, cybersecurity implementation, and incident response planning.


List of all provisions contained in the law

Quebec’s Law 25, also known as Bill 64, was enacted in September 2021 and its provisions were phased in:

Phase 1 (22 September 2022)

  • Appoint a Privacy Officer: By default the person exercising the highest authority in the organization is in charge of personal information protection, but the role can be delegated in writing. The officer’s title and contact information must be published on the organization’s website (or made available by other means if it has none).
  • Breach Reporting: Inform the Commission d’accès à l’information (CAI) and affected individuals of confidentiality incidents that present a risk of serious injury, and maintain a register of all confidentiality incidents.

Phase 2 (22 September 2023)

  • Data Processing Policies: Implement policies on data collection and processing, and a confidentiality policy for third-party data sharing.
  • Increased Transparency: Clearly inform users about data use, processing purposes, third parties, and data subject rights.
  • Privacy Impact Assessments (PIAs): Conduct PIAs for projects involving personal information.
  • Automated Processing Notice: Inform individuals when a decision about them is based exclusively on automated processing, and give them the opportunity to submit observations to someone who can review the decision.
  • Cross-Border Transfers: Communicate personal information outside Quebec only after a privacy impact assessment concludes that it will receive adequate protection, with a written agreement where one is required.
  • Service Provider Agreements: Ensure written agreements with service providers regarding data processing.
  • Consent: Obtain clear, free and informed consent for each specific purpose, and express consent for any secondary use of sensitive personal information.
  • Privacy by Default: Implement privacy features in products and services.
  • De-indexation Rights: Enable data subjects to request de-indexation of their personal information.
  • Retention and Destruction: Destroy or anonymize unneeded personal data.

Phase 3 (22 September 2024)

  • Data Portability Right: Users can transfer their personal information to another data controller.

All provisions of Law 25 are now in effect; the final phase, data portability, took effect on September 22, 2024. Businesses in Quebec or handling data from Quebec residents must comply with the full set of requirements.

Who does Law 25 apply to?

Quebec’s Law 25 applies to a wide range of entities.

  • Businesses: Whether small local shops or large corporations, all for-profit businesses operating in Quebec must comply with Law 25.
  • Public institutions: government agencies, schools, and other public bodies in Quebec are also subject to the law to ensure consistent data protection standards.
  • Non-profit organizations: As long as they handle the personal information of Quebec residents, charities and other non-profit organizations must also adhere to Law 25.
  • Individuals acting in professional capacity: doctors, lawyers, and other professional service providers are also subject to Law 25 when it comes to handling personal information in Quebec.

It is important to note that the law applies to personal information collected, held, used or communicated in the course of carrying on an enterprise in Quebec, regardless of where the organization itself is located. An organization outside Quebec that handles the personal information of Quebec residents in that way must therefore comply with Law 25.

What is personal information under Law 25?

Personal information under Law 25 is any information that relates to a natural person and directly or indirectly allows that person to be identified. Such information is confidential: it cannot be used or shared without the individual’s consent, except in the situations the Act specifically allows. The definition covers natural persons only; information about businesses and other legal entities is excluded.

What is sensitive information under Law 25?

The law treats “sensitive personal information” separately. Information is sensitive when, because of its nature (for example medical, biometric or otherwise intimate information) or the context in which it is used or communicated, it carries a high reasonable expectation of privacy. Sensitive information requires express consent and stronger safeguards.

Who enforces Law 25?

Law 25 is enforced by the Commission d’accès à l’information du Québec (CAI), the province’s access-to-information and privacy regulator. It is an independent public body tasked with promoting and protecting privacy rights in Quebec. The CAI oversees the application of Law 25, publishes guidance, investigates complaints, conducts inspections and audits, and can impose administrative monetary penalties of up to CAD 10 million or 2% of worldwide turnover, whichever is greater. Individuals can file complaints with the CAI for alleged violations.

Penalties for non-compliance with Law 25

Non-compliance with Law 25 carries three tiers of consequences:

  • Administrative monetary penalties: The Commission d’accès à l’information (CAI) can impose penalties of up to CAD 10 million or 2% of worldwide turnover for the preceding fiscal year, whichever is greater (up to CAD 50,000 for an individual).
  • Penal fines: More serious offences are prosecuted before the courts and carry fines of CAD 15,000 to CAD 25 million or 4% of worldwide turnover, whichever is greater (CAD 5,000 to CAD 100,000 for an individual). These amounts are doubled for a subsequent offence.
  • Civil liability: Individuals can sue for damages and are entitled to punitive damages of at least CAD 1,000 where the infringement is intentional or results from a gross fault; such claims can also be brought as class actions.

How businesses can prepare for compliance with Law 25

With every phase of Law 25 now in force, businesses that are not yet fully compliant should start by conducting a privacy audit to identify non-compliant data handling and security practices. This is something businesses should do regularly in any case, to maintain compliance with Law 25 and good cybersecurity practice in general.

Once you’ve made an audit of your company’s data practices, it’s time to create a privacy policy that aligns with Law 25’s requirements. If your business also operates in the U.S., make sure to take into account the requirements for compliance in any states you may do business in. A good place to start would be reading our articles on data security laws and data privacy in the US.

It’s always a good idea to audit your business at least once a year in order to avoid legal issues and ensure that your company complies with labor and employment laws. While this may sound like a big and difficult task to take on, remember that auditing is a valuable tool that will help facilitate your business’s development and protect your business in the long run.
