Modernizing Privacy: A Look at Quebec's Law 25
Posted On June 11, 2024
As data privacy becomes a global concern, Quebec has taken steps to modernize its legislation and protect the rights of its residents.

What is Law 25?

Quebec’s Law 25, or the Privacy Legislation Modernization Act, aims to refresh privacy laws and offer better safeguards and protection for the personal information of Quebec’s citizens. The Quebec Access to Information Commission, or Commission d'accès à l'information du Québec (CAI), which is the data protection authority of Quebec, now makes sure that entities that handle the personal identifying data of its residents and citizens meet the updated data privacy standards.

Law 25 is not the first privacy legislation in Quebec. For example, the Act Respecting the Protection of Personal Information in the Private Sector (CQLR P-39.1) is also provincial legislation. It controls how public bodies collect, use, and share personal information and gives individuals a right to access personal information.

Is there a difference between Law 25 and Bill 64?

Quebec’s Law 25 was formerly Bill 64 before it was approved by the Quebec National Assembly, or Assemblée nationale du Québec, and assented to by the Lieutenant-Governor on Sept. 22, 2021. This process turned Bill 64 into Law 25. They are essentially one and the same thing.

To whom does Law 25 apply?

Similar to the European Union’s General Data Protection Regulation (GDPR), Quebec’s Law 25 covers all Quebec-based businesses and all businesses outside of Quebec that handle personal information or data of any Quebec residents. There is no minimum number of data records or Quebec residents required for an organization to be subject to Law 25. Therefore, even handling the data of one Quebec resident means compliance is necessary.

What is Law 25’s scope?

Canada already has the Personal Information Protection and Electronic Documents Act (PIPEDA), but Quebec’s Law 25 goes further and is stricter in how it protects data privacy rights for individuals. It resembles the GDPR and the California Privacy Rights Act (CPRA), but it has some different regulatory features from these models.

Requirements under Law 25 include, but aren’t limited to, the following actions:

  • Breach notification—Organizations must notify the CAI and any impacted individuals as soon as possible after an incident. A record of all security incidents must be maintained.
  • Data protection officer appointment—Organizations must appoint or designate a data protection officer (DPO) who is responsible for upholding Law 25 compliance. Contact information must be made accessible on the organization’s website.
  • Privacy Impact Assessments—Depending on the data-processing activities, Privacy Impact Assessments (PIAs) may be required in certain situations. The content of the PIAs will vary depending on the activity, the kind of organization, and the information involved.
  • Privacy notices—When technologies that can recognize, track, or profile people based on their data are used to collect their personal information, individuals must be given detailed information about it. Privacy notices are also needed if personal information is used for automated decision making.

What are Law 25’s subject rights?

Law 25 establishes the following subject rights:

  • Right to be informed
  • Right to access
  • Right to rectification
  • Right to erasure
  • Right to withdraw consent
  • Right to restrict processing
  • Right to data portability

The right to data portability will not apply until September 2024. These rights are comparable to those in the GDPR.

What is Law 25’s enhanced consent?

Law 25 sets more rigorous requirements around getting consent before gathering, using, or sharing personal data. Any written request for consent by a public entity or organization must be distinct from any other information given to the individual. Explicit consent is mandatory for certain uses or disclosures of sensitive personal details. Additional consent must be obtained from a parent or guardian prior to collecting or using information about minors younger than 14.

What is Law 25’s timeline?

Law 25 implemented a gradual 3-year process that allowed it to be enacted in phases. The first batch of requirements became effective on Sept. 22, 2022, and the second batch on Sept. 22, 2023. The final requirement will follow this year, with a deadline of Sept. 22, 2024.

By September 2022, Quebec entities had to:

  • Assign someone who is responsible for safeguarding personal information.
  • If personal data is exposed in a privacy breach:
    • Take reasonable steps to reduce harm to affected individuals and stop future incidents.
    • Inform the CAI and impacted individuals.
    • Keep a record of breaches and provide it to the CAI if requested to do so.
  • Follow new rules about disclosing personal information without consent for research, statistical or commercial purposes.
  • Conduct a PIA before sharing personal data without consent for research or statistical purposes.
  • Tell the CAI before using any biometric information to verify identity.

By September 2023, they had to:

  • Create and apply a policy that regulates how personal information is protected, including guidelines for keeping and destroying personal information, staff duties and obligations, and a procedure for dealing with privacy complaints.
  • Follow the new disclosure requirements for data practices.
  • Obtain consent from people before collecting, using, and disclosing their personal information according to the new consent laws.
  • Destroy personal data when no longer required or anonymize it for further lawful uses, following legal retention periods.
  • Perform PIAs when required, such as before sharing personal information outside Quebec, to ensure proper protection.
  • Honor the right of individuals to request removal/de-indexation and cessation of the dissemination of their personal information if it can be shown to cause material harm or to violate laws or court directives.
  • Comply with new rules allowing spouses or close relatives of deceased individuals to access their personal information for grieving purposes, unless the deceased explicitly refused beforehand.
  • Abide by the new regulations prohibiting collection of personal data on minors (younger than age 14) without consent from a parent or guardian.
  • Enable, by default, the strictest privacy settings on any technological product or service offered publicly, excluding browser cookies.

By September 2024, they will have to:

  • Comply with requests from individuals to transfer their personal data, also known as the right to data portability.

What will enforcement look like?

After the 3-year transition period, organizations must be fully compliant with Law 25. The CAI is responsible for making sure the new law is followed. Fines for not complying vary from CA$5,000 to CA$50,000 (about $3,700–$36,700) for a “natural person.” For other cases, the fines are between CA$15,000 and CA$25,000,000 (about $11,000–$18,000,000) or 4% of global revenue from the previous year (whichever amount is higher).

What will happen moving forward?

The Quebec government’s update of its province’s privacy law marks a huge step in defending its people from improper use of their personal data. It also enhances the individual’s rights and control over their data collection and use. Worldwide, organizations should be ready—or finishing their readiness—to comply with data regulation as it pertains to residents in Canada’s Quebec province.  

Kelly LeBlanc is a knowledge management specialist at FireOak Strategies, where she specializes in OA, open data, data management, geographic information systems (GISs), and data/information governance issues. Prior to joining FireOak, LeBlanc was with the Digital Initiatives Unit at the University of Alberta, where she worked with GISs, metadata, and spatial and research data. She served in various municipal planning and development capacities working with GISs, municipal law, planning/zoning regulations, and resource management. LeBlanc holds an M.L.I.S. from the University of Alberta and a master of letters from the University of Glasgow.
