Stay ahead in the ever-evolving landscape of data privacy in Canada with our in-depth guide to Quebec's Law 25. Understand its key provisions, compliance measures, and the impact on businesses operating in the province.
Staying informed about legal frameworks and best practices is crucial for businesses operating in Canada. Quebec's Law 25, officially known as the "Act to modernize legislative provisions as regards the protection of personal information," stands as a significant step towards strengthening data protection rights within the province.
This comprehensive guide dives deep into the key aspects of Law 25, offering an updated understanding of its provisions as of 2024. Whether you're a Quebec-based business or an organization interacting with residents of the province, this guide equips you with the knowledge necessary to navigate the evolving landscape of data privacy in Canada.
Get ready to explore the core principles of Law 25, its impact on individuals and organizations, and essential steps towards achieving compliance. We'll delve into key areas like user consent, data breach notification, and data minimization, ensuring you stay informed and empowered in the face of this transformative legislation.
Law 25, also known as the "Act to modernize legislative provisions as regards the protection of personal information" or simply Bill 64, is a comprehensive piece of legislation enacted in Quebec, Canada, that significantly strengthens data protection rights for individuals and imposes new responsibilities on organizations that handle personal information. It was adopted in September 2021 and came into effect in phases, with some key provisions fully implemented as of September 2023.
The law modernizes Quebec's existing privacy framework and brings it closer to stricter international standards such as the European Union's General Data Protection Regulation (GDPR). The key changes are set out in the sections that follow.
Law 25 has significant implications for businesses operating in Quebec or collecting data from individuals residing in the province. Understanding its provisions and implementing appropriate compliance measures is essential both to avoid legal consequences and to preserve user trust.
Quebec's Bill 64 and Law 25 are the same piece of legislation. "Bill 64" was its name while it was a proposal working its way through the National Assembly; "Law 25" is the number it received once adopted. Both names therefore refer to the same data protection legislation, aimed at strengthening individual privacy rights and imposing stricter obligations on organizations handling personal information.
Quebec's Law 25, also known as Bill 64, was enacted in September 2021. Its provisions came into force in three phases, on September 22 of 2022, 2023, and 2024. The main obligations are:
- Appoint a privacy officer. By default, the person with the highest authority in the organization (typically the CEO) is responsible for protecting personal information, but that role may be delegated in writing to someone else in the organization. The privacy officer's job is to ensure that the organization implements the legal requirements. Their title and contact information must be published on the organization's website (or made available by other means if the organization has no website).
- Breach reporting. Businesses must notify the Commission d'accès à l'information (CAI) and the affected individuals of any confidentiality incident that presents a risk of serious injury to those individuals. Businesses already have a comparable obligation under PIPEDA, and Law 25 imposes a similar one at the provincial level.
In addition, businesses must keep a register of all confidentiality incidents, whether or not they met the notification threshold.
- Policies and practices about data processing. Businesses must establish and implement governance policies and practices for the collection and processing of personal data. These policies frame how processing is done, assign roles to the personnel involved, and set out a process for handling complaints. A plain-language summary must be published on the organization's website.
The organization also needs a confidentiality policy governing when and how personal data is shared with third parties.
- Increased transparency. Businesses must be transparent with users about how their data is used, including the categories of data processed, the purposes of processing, the third parties involved, and the rights of data subjects. In practice, this information is provided in a privacy policy.
Beyond this baseline, businesses face additional requirements when they use technologies that allow a person to be identified, located, or profiled: users must be informed of the use of such technology and of the means to activate it, and these functions must be switched off by default.
- Privacy impact assessments (PIA). Businesses will have to do a privacy impact assessment for any information system project or electronic service delivery project involving the collection, use, communication, keeping, or destruction of personal information and communicating personal information outside Quebec. The PIA should be proportionate with the sensitivity of the data, the purpose of processing, the amount of data, etc.
- Automated decision notice. Businesses must inform individuals when a decision about them is based exclusively on automated processing of their personal information (for example, an insurer that sets a premium by algorithm with no human involvement). On request, the individual must be told which personal information was used, the reasons and principal factors behind the decision, and their right to have that information corrected, and must be given the chance to submit observations to someone who can review the decision.
- Cross-border transfers. Transfers outside Quebec are permitted, but only after a privacy impact assessment that considers the sensitivity of the information, the purposes of its use, the protection measures that will apply, and the legal framework of the destination jurisdiction. The transfer may proceed only if the assessment concludes that the information will receive adequate protection, and it must be documented in a written agreement.
- Written agreements with service providers. Service providers are the data processors. According to Bill 64, service providers can process data only based on a written agreement, similar to the GDPR requirement. The written agreement must contain information about the purpose of processing, data security measures, etc.
- Consent. Businesses must obtain consent that is clear, free, informed, and given for specific purposes, with a separate request for each purpose, which goes beyond the standard set by PIPEDA. Express consent is required to process sensitive personal information, and fresh consent is needed before personal data is used for a new, secondary purpose.
- Confidentiality by default. Since September 2023, technological products or services offered to the public that have privacy settings must ship with the highest level of confidentiality enabled by default, with no action required from the user. The law explicitly excludes browser cookie settings from this default-settings rule; cookies remain subject to the general consent and transparency requirements.
- De-indexation rights. In addition to other data subject rights, Law 25 gives individuals a right to cessation of dissemination, sometimes compared to the GDPR's right to be forgotten: they can require an organization to stop disseminating their personal information, or to de-index any hyperlink attached to their name that gives access to it.
- Retention and destruction. Once the purposes for which personal information was collected have been achieved, the organization must either destroy it or anonymize it for use only for serious and legitimate purposes.
- Data portability right. Individuals have the right to obtain the computerized personal information collected from them in a structured, commonly used technological format, and to have it transmitted to another organization.
As of 2024, therefore, most of Law 25's provisions are already in force, with the final phase (the right to data portability) taking effect on September 22, 2024. Businesses operating in Quebec, or handling the data of individuals residing there, must comply with the requirements already in force and prepare for portability requests.
Quebec's Law 25, also known as Bill 64, casts a wide net. Unlike some privacy regulations that focus on particular industries or organizations above a size threshold, it applies to private-sector enterprises of every size and sector that collect, hold, use, or communicate personal information, and it amended the parallel rules for Quebec public bodies as well.
It is important to note that the scope of application follows the individual, not the organization. Organizations located outside Quebec that collect, use, or disclose the personal information of Quebec residents are subject to Law 25. This extraterritorial reach reflects the law's aim of protecting the privacy of Quebec residents regardless of where the organization is physically located.
Under Quebec's Law 25, personal information is any information that "concerns a physical person and allows that person to be identified. It is confidential. Barring exceptions, it cannot be communicated without the consent of the person concerned." The identification may be direct or indirect.
Information about a legal person, such as a business, is therefore not personal information under the law.
Law 25 also recognizes a category of sensitive personal information that requires heightened protection: information that, because of its nature (medical, biometric, or otherwise intimate) or because of the context in which it is used or communicated, carries a high reasonable expectation of privacy. Express consent is required to process it.
Although Canada's federal Personal Information Protection and Electronic Documents Act (PIPEDA) is already in effect, Law 25 is stricter and more comprehensive.
While Law 25 shares similarities with prominent data privacy regulations like GDPR and CCPA/CPRA, it also diverges notably from the typical framework of North American data privacy laws. This can be particularly evident for organizations accustomed to the general format of U.S. privacy regulations.
Quebec's Law 25 stands out in North America by requiring opt-in consent before tracking technologies such as cookies are deployed. This contrasts with the opt-out approach that prevails in the region, including under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
Similar to the General Data Protection Regulation (GDPR) in Europe, Law 25 requires businesses to inform individuals of:
- The purpose of data collection
- The methods employed for collection
- Individual rights regarding their data
Organizations already running GDPR-style consent management will find Law 25's approach familiar. Businesses accustomed to the opt-out framework of CCPA/CPRA, however, will need to make a significant shift: under Law 25, automatically loading cookies or deploying any other tracking technology before the user has given explicit consent is prohibited.
Quebec's Law 25 offers flexibility regarding its privacy officer role, which shares some similarities with but also differs from the General Data Protection Regulation's (GDPR) requirement for a data protection officer (DPO).
Responsibilities:
- Fulfilling data subject access requests (DSARs)
- Reporting data breaches
- Conducting privacy impact assessments (PIAs)
Appointment:
By default, the privacy officer is the person with the highest authority in the organization, who may delegate the function in writing to any other person. Unlike the GDPR, Law 25 does not prescribe independence requirements or professional qualifications for the role, but the officer's title and contact details must be published on the organization's website.
Unlike PIPEDA and many other North American privacy laws, Quebec's Law 25 gives individuals a private right of action. Citizens can sue, including through class actions, businesses that unlawfully infringe their privacy rights under the law, and where the infringement is intentional or results from gross fault, courts must award punitive damages of at least CAD 1,000.
Inspired by the principle of privacy by design, Law 25 mandates confidentiality by default. Any technological product or service offered to the public that has privacy settings must ship with the highest level of confidentiality enabled, requiring no action by the consumer. This approach extends to consent: organizations cannot collect personal information without first obtaining the individual's explicit, affirmative opt-in.
Quebec's Law 25, like many privacy laws, mandates a Privacy Impact Assessment (PIA) in specific situations. These include any project to acquire, develop, or overhaul an information system or electronic service delivery system that involves the collection, use, communication, keeping, or destruction of personal information, and any communication of personal information outside Quebec. The depth of the PIA should be proportionate to the sensitivity of the information, the purpose of the processing, and the volume and distribution of the data.
Similar to other prominent data privacy laws, Law 25 grants individuals a set of data subject rights that give them control over their personal information: the right to access and rectify their information, the right to withdraw consent, the right to cessation of dissemination and de-indexation, the right to be informed of and to comment on decisions based exclusively on automated processing, and, from September 2024, the right to data portability.
By recognizing these rights, Law 25 emphasizes individual control over personal information and aligns with the broader data privacy landscape observed in other major regulatory frameworks.
Law 25 requires businesses to go beyond simply informing individuals that their data is transferred to third parties. Organizations must also put in place contractual safeguards ensuring that service providers and other recipients protect the personal information appropriately. Such contracts typically set out the purposes of the processing, the security measures the recipient must maintain, the confidentiality obligations of its staff, and the requirement to notify the organization of any confidentiality incident.
Law 25 also gives the organization corresponding rights against its service providers, such as verifying that these contractual obligations are being met.
Together, these requirements ensure that personal information transferred outside an organization remains protected throughout its lifecycle, in line with the core principles of Law 25.
Quebec's Law 25 mandates that organizations transmitting personal data outside the province must first carry out a privacy impact assessment, confirm that the information will receive protection adequate under Quebec law in the destination jurisdiction, and document the transfer in a written agreement that reflects the results of that assessment.
Complying with data privacy regulations like Law 25 requires a comprehensive approach to personal information protection that combines governance (a designated privacy officer, written policies, an incident register), technical and organizational safeguards proportionate to the sensitivity of the data, consent management, privacy impact assessments, and contractual controls over third parties.
Law 25 is enforced by the Commission d'accès à l'information du Québec (CAI), Quebec's access to information and privacy regulator.
The CAI is an independent public body established under Quebec law responsible for overseeing compliance with the province's privacy legislation, investigating complaints, issuing orders, and imposing administrative monetary penalties.
Individuals who believe their privacy rights have been violated under Law 25 can file a complaint with the CAI. The CAI also has the authority to conduct inspections and audits of organizations to verify compliance with the law.
Quebec's Law 25 provides several enforcement routes. The CAI can impose administrative monetary penalties of up to CAD 10 million or 2% of worldwide turnover for the preceding fiscal year, whichever is greater. Penal prosecutions before the courts can result in fines of up to CAD 25 million or 4% of worldwide turnover. Individuals, in turn, have the private right of action described above, including punitive damages of at least CAD 1,000.
While the majority of Law 25's provisions came into effect on September 22, 2023, and the final phase follows in September 2024, businesses still benefit from a proactive compliance program. Key steps include: designating and publishing a privacy officer; mapping what personal information is collected, why, and where it flows; publishing governance policies and an up-to-date privacy policy; reviewing consent flows so that tracking technologies and secondary uses are opt-in; setting up a confidentiality incident response process and register; completing PIAs for new systems and cross-border transfers; updating service provider contracts; and preparing to honour portability requests.
While both Quebec's Law 25 and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) aim to protect individuals' privacy, they differ in several key respects. In particular, Law 25 grants rights that PIPEDA does not:
- Right to data portability: The ability to request their data in a structured format and transmit it to another organization (coming soon in September 2024).
- Rights regarding automated decision-making: the right to be informed when a decision is based exclusively on automated processing, to learn which personal information and which principal factors were used, and to submit observations to a person able to review the decision.
Overall, Law 25 is considered to be more comprehensive and stringent than PIPEDA in its approach to data privacy protection. It offers stronger safeguards, clearer consent requirements, and broader individual rights compared to the federal law. Organizations operating in Quebec, or handling data from individuals residing there, must comply with both Law 25 and PIPEDA where applicable.
A confidentiality incident under Law 25 is any event that compromises the protection of personal information: unauthorized access to it, unauthorized use or communication of it, its loss, or any other breach of its protection. The definition is deliberately broad and is not limited to external attacks; an employee viewing records without a business need, or a misaddressed email, qualifies.
Quebec's Law 25 emphasizes user control and informed consent for the collection, use, and disclosure of personal information, including biometric data. Biometric data broadly encompasses measurable physical or behavioural characteristics such as fingerprints, facial geometry, iris patterns, and voice prints, and is treated as sensitive personal information.
Crucially, an individual's identity may not be verified or confirmed using biometric characteristics without their express consent. Organizations must also disclose to the CAI the creation of any database of biometric characteristics, and any process using biometrics to verify identity, before putting it into service. Clear, unambiguous authorization must therefore be obtained before biometric information is used for any purpose, including identity verification.
Under Law 25, personal information about a minor under 14 may not be collected without the consent of the person having parental authority or of the tutor, unless the collection is clearly for the minor's benefit, for example in an emergency where immediate action is necessary for the child's safety and well-being.