Québec’s Law 25: Is your organization prepared?

January 19, 2023

Quebec flag

Law 25 is Québec’s strict new privacy legislation that came into effect in September 2022. Many requirements of Law 25 vary greatly and are much stricter than the federal Personal Information Protection and Electronic Documents Act — and will impact both Québec-based organizations as well as those who do business with people who live in Québec or operate in the province.

[Lire l’article en français]

Author
Adriana Gliga-Belavic

Adriana Gliga-Belavic, CISSP, CIPM, PCIP, is a Partner, member of the Firm’s Cyber Security team and Privacy Leader with MNP in Toronto. Passionate about security and privacy, Adriana helps public and private clients build pragmatic strategies and privacy programs to maintain customer trust and find the right balance between business results, proactive cyber resiliency and enhanced privacy.

What is Law 25?

Law 25 (o/a The Act to modernize legislative provisions as regards the protection of personal information) governs the protection of personal information in Québec and introduces significant updates to the province’s privacy legislation. As a “law with teeth” (Canadian Press, 2021, para. 2), it moves Québec in line with European-style privacy requirements such as the General Data Protection Regulation (GDPR) in both private and public jurisdictions.

Initially introduced as Bill 64, Law 25 was adopted by the National Assembly of Québec in September 2021 and its new provisions came into effect in September 2022.

Changes introduced by Law 25 include several significant and noteworthy variances from current Canadian federal privacy legislation. However, a June 2022 survey conducted by the Fédération des chambres de commerce du Québec (FCCQ) indicated almost 40 percent of businesses were unsure how it will impact their activities and processes.

Is your business prepared? Read on below to understand some of the changes introduced by Law 25.

What do you need to know?

Legislative requirements

Some high-level changes introduced through Law 25 which have the largest impact on organizations include:

  • All organizations must have a Privacy Officer or equivalent position
  • Specific measures around the use of Privacy Impact Assessment
  • Publicly available privacy policies and requirements for internal privacy practices
  • Mandatory privacy breach notifications, in line with existing federal requirements
  • Increased transparency for consent and collection of personal information
  • Implementation of privacy by design principles in technology and systems
  • New data rights for individuals whose personal information is collected, such as
    • data portability rights
    • rights related to automated decision making
    • data profiling rights
    • the right to be forgotten (with exception of information of public interest)

Law 25 also introduces some unique requirements regarding biometric data (voiceprints, fingerprints, DNA, etc.). Businesses must provide notice to the Commission d’accès à l’information (CAI) du Québec at least 60 days in advance of creating a biometric database.

More details related to these changes and their projected timelines are explained below.

Penalties

Organizations that fail to comply with Law 25 and its related regulations will face more severe penalties than under the current regime. These will vary based on the size of the business, but generally include:

  • $10 million, or two percent of the organization’s worldwide turnover for the preceding fiscal year for private organizations which fail to administer regulations
  • Four percent of the organization’s sales — or between $15,000 and $25 million — for private organizations facing criminal penalties
  • Two tiers for public institutions that fail to meet regulations:
    • $3,000 and $30,000
    • $15,000 and $150,000
  • Between $5,000 and $100,000 for violations made by a natural person

Law 25 allows organizations that would otherwise be subject to an administrative monetary penalty to instead enter into an agreement with the CAI where action can be taken to remedy the contravention or mitigate its consequences.

Under Law 25, citizens also maintain the right to take private action (including collective action) where their privacy is breached or infringed upon intentionally, or from gross fault — with damages of at least $1,000 per individual in place (this penalty does not exist under PIPEDA). Organizations may also face liability from the Civil code of Québec.

Who enforces Law 25?

Law 25 is enforced by the Commission d’accès à l’information (CAI) du Québec, the provincial organization responsible for access to information in Québec.

When does Law 25 take effect?

Law 25 was officially adopted in September 2022. However, it is being gradually rolled out over the course of three years. Year 1 (2022) requirements are currently in effect. Year 2 and Year 3 requirements will take effect in September of 2023 and 2024.

Over the course of the three-year rollout, CAI is expected to recruit technological experts to help support Law 25 and to create and issue relevant standards and guidelines for businesses. For example, it is expected that a list of states with an equivalent legal framework to Law 25 will be published in the Gazette officielle du Québec to aid organizations in assessing disclosures of information outside of Québec.

Year 1 (2022)

Privacy Officer

Law 25 requires organizations to appoint a Privacy Officer or equivalent position. The title and contact information for this role must be published on organizations’ websites or via other appropriate methods so it is easily accessible to the public.

Additional details were provided in Law 25 which permits the Privacy Officer position to be delegated to any individual, internal or external to the organization.

Establishment of a Committee for Public Bodies

Public sector organizations must establish a committee overseeing access to information and the protection of personal information. This committee will support the organization in exercising its responsibilities and performing its obligations under Law 25’s amended Québec Public Sector Privacy Act.

Mandatory privacy incident reporting

Any privacy incidents or breaches to personal information within an organization’s possession — including unauthorized access to, use or communication of personal information, or the loss of personal information resulting in a risk of serious harm — must be reported to both CAI and the affected individuals.

Organizations must also maintain a log of confidentiality incidents and demonstrate measures taken to prevent new incidents of a similar nature. Directors of organizations are now at risk of substantially increased financial penalties if an incident or breach is not reported.

Exceptions to Consent

Law 25 outlines two rights to disclose personal information without consent in Year 1:

  • Where personal information is necessary for concluding a commercial transaction
  • Where personal information is to be used for research or statistical purposes

Further consent exceptions come into effect in Year 2.

Year 2 (2023)

Privacy policy

Organizations must have an easily accessible privacy policy, written in plain language, available on the company website or via other appropriate methods. Law 25 specifically requires this policy to include:

  • Practices for retaining and destroying personal information
  • Employee roles and responsibilities throughout the information lifecycle
  • Processes for managing data protection complaints
  • Safeguards to protect personal information

Privacy governance and program development

Organizations must develop and implement internal privacy policies to manage and appropriately protect personal information throughout organizational activities. Moreover, organizations should seek to develop comprehensive programs to apply these policies in business practice. A program roadmap and maturity assessment could be extremely beneficial for organizations seeking to implement their policies.

Privacy program development may include, but is not limited to:

  • Clearly defined employee roles and responsibilities throughout the private information lifecycle
  • Processes for managing data protection complaints
  • Review and compliance assessment of third parties with access to personal information
  • Appropriate safeguards on personal information
  • Retention and disposal practices for personal information
  • Development of a privacy framework and compliance monitoring

Privacy impact assessments

Privacy Impact Assessments (PIA) must be conducted in the following scenarios to ensure that personal information will be protected to the standards set out in Law 25:

  1. When an information system is being acquired, developed, or redesigned
  2. Before the execution of an electronic service that will involve personal information
  3. Before information can be disclosed outside of Québec

Law 25 requires that PIAs consider the sensitivity of the information involved, its intended uses, and the amount, distribution, and format of the information. In addition, organizations must secure written agreements with third parties which capture the accountabilities and responsibilities of each party to protect personal information.

Purpose, collection, and consent

Purposes for collecting personal information must be clearly defined and understood to enhance transparency — both at the time of collection and when individuals request information about the organization’s purpose and collection practices.

When personal information is collected:

  • Consent for each purpose must be obtained in clear and simple language
  • Written consent must be collected separately from other information provided to the individual — a significant departure from current PIPEDA regulations
  • The means by which personal information will be collected must be clearly outlined
  • Individuals must be made aware of their right to access their personal information and how they can correct personal information
  • The right to withdraw consent must be clearly outlined
  • The names of any third persons or parties whom information is being collected for must be clearly stated
  • The names of any third persons or parties to whom it is necessary to communicate the information for the purposes set out must be clearly stated
  • Possibilities of information leaving Québec must be clearly indicated

As with PIPEDA, Law 25 requires that consent be re-obtained if personal information is to be used for any other purpose. However, Law 25 diverges from PIPEDA by requiring consent to be express, and not implicit, for the collection of sensitive personal information (i.e., information that is sensitive due to its nature or the context of its use or disclosure, requiring high levels of protection under reasonable expectations).

Children under the age of 14 need a parent, guardian authority, or tutor* to provide valid consent under Law 25.

*Tutor: Tutorship, as described by the Government of Québec, can be appointed to someone if the minor’s parents have passed or are unable to care for the minor. The tutor will have responsibility for ensuring the minor’s well-being and/or managing the minor’s inheritance. 

Exceptions to consent

Where personal information is business contact information, Law 25 does not require organizations to obtain consent for its use. This includes name, title, duties, business address, business email, and business telephone number.

When an additional purpose is identified for the use of personal information, Law 25 outlines the following rights to use personal information without consent (many of which are not covered under PIPEDA):

  • Where personal information will be used for a secondary purpose consistent with its collection, and which benefits the individual in question
  • Where the use is necessary for the prevention and detection of fraud or the evaluation and improvement of protection and security measures
  • Where the use is necessary for the supply or delivery of a product, or the provision of a requested service

Another exception is where personal information is necessary to carry out a mandate or perform a contract for services conducted by a third party. Caveats to this exception include:

  • The third party must have a written mandate that outlines accountabilities and safeguards for personal information
  • There must be a written agreement for third parties to provide notification of actual or attempted confidentiality violations to the collecting organization’s Privacy Officer
  • The third party must allow for auditing of their safeguards

Privacy by design

Law  25 requires that any technology or technology solution employed by an organization have privacy settings defaulted to the highest level for personal information. This requirement is restricted to:

  • Products and services offered to the public (as opposed to internal business technologies)
  • Products and services that already have privacy settings

Cookies are also excluded from this requirement as cookies themselves do not have customizable privacy settings.

Under Law 25, functions that allow a technology to identify, locate, or profile an individual whose personal information is used by the technology must be deactivated by default. The organization must inform the individual and provide means for activating these functions, if possible.

Destruction of personal information

Personal information must be destroyed once the purposes for its collection are met. If a legitimate reason to keep the personal information exists, the information should be anonymized.

Right to be forgotten

Organizations must make accommodations to fulfill requests from individuals who wish to stop their personal information from being disseminated. That includes de-indexing hyperlinks attached to the individual’s name that provide access to personal information, or re-indexing personal information.

Note: The following two items have been moved from Year 3 requirements in Bill 64 to Year 2 requirements under Law 25.

Automated processing of personal information

Organizations must inform individuals if their personal information will be used to make a decision based solely on the automated processing of that information. Individuals must be informed at the time of collection or before automated processing of their personal information occurs.

In addition, organizations should tell individuals what personal information will be to inform the decision, the reasons for the decision, and any other major factor that led to the decision.

Individuals should continue to be made aware of their right to correct any personal information. Individuals must also be allowed to provide observations in reviews of any automated decision based on their personal information.

Source of personal information

Should an individual request it, organizations must disclose the source used to obtain their personal information and if it was collected from another person or organization.

Year 3 (2024)

Data portability

Organizations will be required to provide personal information about an individual in a structured, commonly used technological format to that individual upon request. Organizations will also be required to disclose the information to another organization authorized to collect personal information at the individual’s request (for example, if an individual seeks to change service providers).

The right to data portability is limited under Law 25 in two ways:

  • It does not cover information created or derived about the individual
  • It does not extend to instances that raise serious practical difficulties

What does Law 25 mean for other provinces interacting with Québec?

Law 25 may still affect you, even if your organization is not based in Québec. Businesses that deal with personal information disclosed by Québec organizations must ensure their practices align with Law 25 and pass any Privacy Impact Assessments carried out by Québec organizations.

Law 25 and similar emerging legislation may also increase the need for data and privacy experts in Québec organizations and those organizations with interprovincial and national operations. Certain elements of Law 25 may also surface in federal legislation in the future.

Is your organization prepared for these new changes?

MNP’s Cyber Security and Privacy Services can help you conduct an internal analysis of current processes and technological solutions to see if you meet the requirements of Law 25.

Our team can also help you proactively refine your privacy and data practices in anticipation of future privacy regulations. We’re here to keep you onside with regulators and your stakeholders now — and in the face of ever-changing expectations.

Disclaimer: This article is not intended to provide legal services to clients or act as an offering of legal interpretation services to clients. All legal decisions within an organization should be made with the endorsement of their legal counsel. While we do not offer legal services at MNP Digital, we do provide digital advisory and cyber security & privacy services.

Take the next steps

For more information about how an MSP can help support your business needs, contact a member of MNP Digital’s Managed IT Services team. Whether your goals are growth, diversification, efficiency, restructuring, or impact mitigation, our team has the experience to provide the ongoing support you need.