As data privacy becomes a global concern, Quebec has taken steps to modernize its legislation and protect the rights of its residents.
What is Law 25?
Quebec’s Law 25, or the Privacy Legislation Modernization Act, aims to refresh privacy laws and offer better safeguards and protection for the personal information of Quebec’s citizens. The Quebec Access to Information Commission, or Commission d'accès à l'information du Québec (CAI), which is the data protection authority of Quebec, now makes sure that entities that handle the personal identifying data of its residents and citizens meet the updated data privacy standards.
Law 25 is not the first privacy legislation in Quebec. For example, the Act Respecting the Protection of Personal Information in the Private Sector (CQLR P-39.1) is also provincial legislation. It controls how public bodies collect, use, and share personal information and gives individuals a right to access personal information.
Is there a difference between Law 25 and Bill 64?
Quebec’s Law 25 was formerly Bill 64 before it was approved by the Quebec National Assembly, or Assemblée nationale du Québec, and assented to by the Lieutenant-Governor on Sept. 22, 2021. This process turned Bill 64 into Law 25. They are essentially one and the same thing.
To whom does Law 25 apply?
Similar to the European Union’s General Data Protection Regulation (GDPR), Quebec’s Law 25 covers all Quebec-based businesses and all businesses outside of Quebec that handle personal information or data of any Quebec residents. There is no threshold of data records or personal information of any certain number of Quebec residents required to be subject to Law 25. Therefore, even handling the data of one Quebec resident means compliance is necessary.
What is Law 25’s scope?
Canada already has the Personal Information Protection and Electronic Documents Act (PIPEDA), but Quebec’s Law 25 goes further and is stricter in how it protects data privacy rights for individuals. It resembles the GDPR and the California Privacy Rights Act (CPRA), but it has some different regulatory features from these models.
Requirements under Law 25 include, but aren’t limited to, the following actions:
- Breach notification—Organizations must notify the CAI and any impacted individuals as soon as possible after an incident. A record of all security incidents must be maintained.
- Data protection officer appointment—Organizations must appoint or designate a data protection officer (DPO) who is responsible for upholding Law 25 compliance. Contact information must be made accessible on the organization’s website.
- Privacy Impact Assessments—Depending on the data-processing activities, Privacy Impact Assessments (PIAs) may be required in certain situations. The content of the PIAs will vary depending on the activity, the kind of organization, and the information involved.
- Privacy notices—When technologies that can recognize, track, or profile people based on their data are used to collect their personal information, individuals must be given detailed information about it. Privacy notices are also needed if personal information is used for automated decision making.
What are Law 25’s subject rights?
Law 25 establishes the following subject rights:
- Right to be informed
- Right to access
- Right to rectification
- Right to erasure
- Right to withdraw consent
- Right to restrict processing
- Right to data portability
The right to data portability will not apply until September 2024. These rights are comparable to those in the GDPR.
What is Law 25’s enhanced consent?
Law 25 sets more rigorous requirements around getting consent before gathering, using, or sharing personal data. Any written request for consent by a public entity or organization must be distinct from any other information given to the individual. Explicit consent is mandatory for certain uses or disclosures of sensitive personal details. Additional consent must be obtained from a parent or guardian prior to collecting or using information about minors younger than 14.
What is Law 25’s timeline?
Law 25 implemented a gradual 3-year process that allowed it to be enacted in phases. The first batch of requirements became effective on Sept. 22, 2022, and the second batch on Sept. 22, 2023. The final requirement will follow this year, with a deadline of Sept. 22, 2024.
By September 2022, Quebec entities had to:
- Assign someone who is responsible for safeguarding personal information.
- If personal data is exposed in a privacy breach:
  - Take reasonable steps to reduce harm to affected individuals and stop future incidents.
  - Inform the CAI and impacted individuals.
  - Keep a record of breaches and provide it to the CAI if requested to do so.
- Follow new rules about disclosing personal information without consent for research, statistical or commercial purposes.
- Conduct a PIA before sharing personal data without consent for research or statistical purposes.
- Tell the CAI before using any biometric information to verify identity.
By September 2023, they had to:
- Create and apply a policy that regulates how personal information is protected, including guidelines for keeping and destroying personal information, staff duties and obligations, and a procedure for dealing with privacy complaints.
- Follow the new disclosure requirements for data practices.
- Obtain consent from people before collecting, using, and disclosing their personal information according to the new consent laws.
- Destroy personal data when no longer required or anonymize it for further lawful uses, following legal retention periods.
- Perform PIAs when required, such as before sharing personal information outside Quebec, to ensure proper protection.
- Honor the right of individuals to request removal/de-indexation and to cease the dissemination of their personal information if it can be shown to cause material harm or to violate laws or court directives.
- Comply with new rules allowing spouses or close relatives of deceased individuals to access their personal information for grieving purposes, unless the deceased explicitly refused beforehand.
- Abide by the new regulations prohibiting collection of personal data on minors (younger than age 14) without consent from a parent or guardian.
- Enable, by default, the strictest privacy settings on any technological product or service offered publicly, excluding browser cookies.
By September 2024, they will have to:
- Comply with requests from individuals to transfer their personal data, also known as the right to data portability.
What will enforcement look like?
After the 3-year transition period, organizations must be fully compliant with Law 25. The CAI is responsible for making sure the new law is followed. Fines for not complying vary from CA$5,000 to CA$50,000 (about $3,700–$36,700) for a “natural person.” For other cases, the fines are between CA$15,000 and CA$25,000,000 (about $11,000–$18,000,000) or 4% of global revenue from the previous year (whichever amount is higher).
What will happen moving forward?
The Quebec government’s update of its province’s privacy law marks a huge step in defending its people from improper use of their personal data. It also enhances the individual’s rights and control over their data collection and use. Worldwide, organizations should be ready—or finishing their readiness—to comply with data regulation as it pertains to residents in Canada’s Quebec province.