January 19, 2023
Law 25 is Québec’s strict new privacy legislation that came into effect in September 2022. Many requirements of Law 25 vary greatly and are much stricter than the federal Personal Information Protection and Electronic Documents Act — and will impact both Québec-based organizations as well as those who do business with people who live in Québec or operate in the province.
Law 25 (o/a The Act to modernize legislative provisions as regards the protection of personal information) governs the protection of personal information in Québec and introduces significant updates to the province’s privacy legislation. As a “law with teeth” (Canadian Press, 2021, para. 2), it moves Québec in line with European-style privacy requirements such as the General Data Protection Regulation (GDPR) in both private and public jurisdictions.
Initially introduced as Bill 64, Law 25 was adopted by the National Assembly of Québec in September 2021 and its new provisions came into effect in September 2022.
Changes introduced by Law 25 include several significant and noteworthy variances from current Canadian federal privacy legislation. However, a June 2022 survey conducted by the Fédération des chambres de commerce du Québec (FCCQ) indicated almost 40 percent of businesses were unsure how it will impact their activities and processes.
Is your business prepared? Read on below to understand some of the changes introduced by Law 25.
Some high-level changes introduced through Law 25 which have the largest impact on organizations include:
Law 25 also introduces some unique requirements regarding biometric data (voiceprints, fingerprints, DNA, etc.). Businesses must provide notice to the Commission d’accès à l’information (CAI) du Québec at least 60 days in advance of creating a biometric database.
More details related to these changes and their projected timelines are explained below.
Organizations that fail to comply with Law 25 and its related regulations will face more severe penalties than under the current regime. These will vary based on the size of the business, but generally include:
Law 25 allows organizations that would otherwise be subject to an administrative monetary penalty to instead enter into an agreement with the CAI where action can be taken to remedy the contravention or mitigate its consequences.
Under Law 25, citizens also maintain the right to take private action (including collective action) where their privacy is breached or infringed upon intentionally, or from gross fault — with damages of at least $1,000 per individual in place (this penalty does not exist under PIPEDA). Organizations may also face liability from the Civil code of Québec.
Law 25 is enforced by the Commission d’accès à l’information (CAI) du Québec, the provincial organization responsible for access to information in Québec.
Law 25 was officially adopted in September 2022. However, it is being gradually rolled out over the course of three years. Year 1 (2022) requirements are currently in effect. Year 2 and Year 3 requirements will take effect in September of 2023 and 2024.
Over the course of the three-year rollout, CAI is expected to recruit technological experts to help support Law 25 and to create and issue relevant standards and guidelines for businesses. For example, it is expected that a list of states with an equivalent legal framework to Law 25 will be published in the Gazette officielle du Québec to aid organizations in assessing disclosures of information outside of Québec.
Law 25 may still affect you, even if your organization is not based in Québec. Businesses that deal with personal information disclosed by Québec organizations must ensure their practices align with Law 25 and pass any Privacy Impact Assessments carried out by Québec organizations.
Law 25 and similar emerging legislation may also increase the need for data and privacy experts in Québec organizations and those organizations with interprovincial and national operations. Certain elements of Law 25 may also surface in federal legislation in the future.
MNP’s Cyber Security and Privacy Services can help you conduct an internal analysis of current processes and technological solutions to see if you meet the requirements of Law 25.
Our team can also help you proactively refine your privacy and data practices in anticipation of future privacy regulations. We’re here to keep you onside with regulators and your stakeholders now — and in the face of ever-changing expectations.
Disclaimer: This article is not intended to provide legal services to clients or act as an offering of legal interpretation services to clients. All legal decisions within an organization should be made with the endorsement of their legal counsel. While we do not offer legal services at MNP Digital, we do provide digital advisory and cyber security & privacy services.
To learn more about how you can get support throughout the cyber insurance process, contact our team of experts today.