Québec's Law 25 represents an overhaul of the province’s previous privacy regime and presents a range of new obligations with which businesses, including those operating in both for-profit and not-for-profit sectors, have to comply.
Law 25 requires businesses to amend their existing privacy programs to account for stricter obligations with respect to privacy incident reporting, privacy governance, and practices surrounding the destruction of personal information, amongst other elements.
What is Law 25
Law 25 – also referred to as An Act to modernize legislative provisions as regards the protection of personal information – was officially adopted on September 21, 2021.
Law 25, previously known as Bill 64, includes a range of new obligations businesses with which businesses have to comply, including the appointment of a privacy officer, establishing easily accessible privacy policies, and performing privacy impact assessments in certain circumstances (“PIAs”), amongst other obligations. These new requirements will come into force over the course of a three-year period, with the majority came into effect on September 23rd, 2023.
Some of the other major updates of Law 25 include stricter privacy requirements such as businesses having to enhance transparency, protection, and consent protocols, assessments for communications of personal information outside of Québec to ensure adequate protection, and new individual rights concerning data portability.
Who Does Law 25 Apply To?
Québec ’s Law 25 applies to Québec-based businesses and external businesses processing, collecting, or communicating the personal information of Québec ’s 8.4 million residents.
What about not-for-profits? Although Law 25 includes exemptions to consent for study and research purposes there is no explicit exemption for not-for-profit organizations in the law. Therefore, if you are operating a not-for-profit organization which collects, processes, or stores the personal information of Québec-based volunteers, donors or team members, Law 25 will likely apply to you, unless you are operating for religious purposes. In any event, a case-by-case analysis will be required before concluding that you are not operating for commercial purposes.
How to Prepare
If you are a for-profit or not-for-profit business, operating in or outside of Québec, that is collecting, processing, or storing the personal information of your clients or volunteers, donors, or team members, who are residents of Québec, there are several steps that you ought to undertake for compliance with Law 25:
1. Appoint a privacy officer
Businesses must designate a person to oversee the protection of personal information, known as a Privacy Officer. The title and contact information for this role must be published on the organizations’ websites or via other appropriate methods so this information can be made accessible.
2. Institute mandatory incident reporting
The law also requires mandatory reporting related to privacy breaches concerning personal information held by the business including unauthorized access to, use or communication of personal information, or the loss of personal information resulting in a risk of serious injury to the individual.
3. Conduct Privacy Impact Assessments (“PIAs”)
Law 25 also requires that organizations conduct a Privacy Impact Assessment (PIA) (called “assessments of privacy-related factors”) in certain circumstances, such as when acquiring, developing, or overhauling an information system or electronic service delivery system that involves the collection, use, release, or destruction of personal information. PIAs conducted under Law 25 are now also mandatory where personal data is being shared across borders. These assessments must also assess the foreign jurisdiction to establish whether it provides adequate protection for the personal information that is being transferred there.
4. Enhance Privacy Policy(s)
Under Law 25, organizations will also be required to have an easily an accessible privacy policy, written in plain language, that is made readily available, which includes their business’ practices related to retaining and destroying personal information, processes’ for managing data protection complaints, and safeguards for protecting personal information, amongst others.
5. Anonymization
Law 25 also requires that personal information be anonymized or destroyed when the purposes for which it is collected or used have been achieved. Noting that the process of anonymization is contentious, business must be certain that their information systems can destroy or “anonymize” personal information they no longer need.
6. Data Portability
One significant addition to Law25 includes additional requirements related to data portability and the right to de-indexation (having some similarities with the right to be forgotten under GDPR). Organizations will have to provide personal information about an individual in a structured, commonly used technological format as per the individual’s request. Thankfully, this new addition will not come into force until September 2024. Organizations will likewise be required to disclose the personal information to another organization authorized to collect personal information at the individual’s request, which will only be permitted with consent.
7. Penalties
Non-compliant businesses will also face hefty fines. In addition to dramatically enhancing the enforcement powers of the privacy commissioner, Law 25 also provides for a private right of action, allowing individuals to sue directly should their rights be violated under the law. Given that potential fines can account for up to 4% of an organization’s worldwide turnover, understanding Law 25’s additional requirements is critical.
Conclusion
In adapting to the rapidly evolving privacy landscape in Québec, organizations should be proactive in concertedly re-evaluating their processes, policies, and operational practices. The three-year window provided for the Law’s entry-into-force was intended to provide businesses with sufficient time to ensure they are amending their privacy protection practices to remain in compliance with these new legislative standards in part through updating their respective policies, training staff, appointing a privacy officer, and reviewing contracts with service providers.
Law 25 signals a stringent new approach to protecting and enhancing the security of personal information of Québec’s residents: is your business ready?
For more information, contact Samara Starkman or Carole Piovesan.
Want to stay ahead of the curve?
Join our Think INQ community to receive updates on upcoming courses & events and valuable information on privacy, health, data & business law - all in one convenient place.