Law 25 (adopted as Bill 64) - An Act to modernize legislative provisions as regards the protection of personal information.
Law 25, the Act to modernize legislative provisions as regards the protection of personal information (tabled and adopted as Bill 64), has been in force in stages since September 22, 2022. Its main objective is to strengthen the accountability of private-sector enterprises, including non-profit organizations (NPOs), for the personal information of Quebec residents.
The law applies to every enterprise that collects, holds, uses or communicates personal information about Quebec residents, whatever its size or sector. In practical terms, it requires enterprises to be able to justify how they collect, use and manage that information.
The obligations were phased in over three years. The first set of provisions came into force on September 22, 2022. On September 22, 2023, a second set took effect, including the obligation to adopt and publish policies and practices governing the management of personal information. The final provision, the right to data portability, came into force on September 22, 2024.
The Commission d'accès à l'information du Québec (CAI) oversees compliance with Law 25. In the event of non-compliance, the Commission can impose administrative monetary penalties, and penal fines can also be sought; both are set at a percentage of worldwide turnover or a fixed amount in the millions of dollars, whichever is greater, so they are significant even for large enterprises.
To help you understand this law and its intricacies, we have prepared a summary of the obligations, grouped by the date they came into force, and a list of practical tools, which you'll find below.
Obligations in force since September 22, 2022:
1. Designate a person responsible for the protection of personal information and publish that person's title and contact details on the enterprise's website or, if you do not have a website, make them available by any other appropriate means. By default this responsibility rests with the person exercising the highest authority in the enterprise (for example the CEO), who may delegate it in writing.
2. In the event of a confidentiality incident involving personal information (unauthorized access, use or communication, or its loss):
a. take reasonable steps to reduce the risk of harm to the persons concerned and to prevent further incidents of the same nature;
b. notify the Commission and the persons concerned if the incident presents a risk of serious harm;
c. keep a register of incidents, a copy of which must be provided to the Commission at its request.
3. Respect the new framework for communicating personal information without the consent of the person concerned for the purposes of a study, research or the production of statistics, or in the context of a commercial transaction.
4. Conduct a privacy impact assessment (évaluation des facteurs relatifs à la vie privée, ÉFVP) before communicating personal information without consent for the purposes of a study, research or the production of statistics.
5. Notify the Commission in advance of any verification or confirmation of identity by means of biometric characteristics or measurements, and notify it of the creation of a biometric database at least 60 days before the database is brought into service.
Obligations in force since September 22, 2023:
1. Establish policies and practices governing the management of personal information and publish detailed information about them, in simple and clear terms, on the enterprise's website. If the enterprise does not have a website, make these details available by any other appropriate means.
2. Conduct a privacy impact assessment (ÉFVP) whenever the law requires one, for example before communicating personal information outside Quebec and before any project to acquire, develop or overhaul an information system that involves personal information.
3. Comply with the new rules on consent for the collection, communication or use of personal information (consent must be clear, free, informed and given for specific purposes).
4. Destroy personal information once the purpose for which it was collected has been achieved, or anonymize it for use for serious and legitimate purposes, subject to the conditions and retention periods set by law.
5. Comply with the new information and transparency obligations towards citizens, including informing them of the purposes of collection, the means used and their rights.
6. Comply with the new rules for communicating personal information without the consent of the person concerned, for example to a person or body carrying out a mandate or performing a service or business contract.
7. Comply with the new rules for communicating personal information outside Quebec.
8. Comply with the new rules on the use of personal information.
9. Provide, by default, the settings that ensure the highest level of confidentiality for any product or technological service offered to the public (this requirement does not apply to cookie settings).
10. Comply with the new rules on collecting personal information from minors; for a minor under 14, consent must be given by the person having parental authority or by the tutor.
11. Respect the right to request that dissemination cease and that a hyperlink be de-indexed or re-indexed (the right to be forgotten).
12. Comply with the new rules on communicating personal information about a deceased person to facilitate the grieving process.
Obligation in force since September 22, 2024:
1. Respond to requests for the portability of personal information: on request, provide the computerized personal information collected from a person in a structured, commonly used technological format, or communicate it to another person or body designated by the requester.
Sources:
- Commission d'accès à l'information du Québec. "Protection des renseignements personnels." www.cai.gouv.qc.ca/entreprises/protection-des-renseignements-personnels-1/.
- Gouvernement du Québec. "Projet de loi 64 : Modernisation de la protection des renseignements personnels." www.quebec.ca/gouvernement/ministeres-et-organismes/institutions-democratique-acces-information-laicite/acces-documents-protection-renseignements-personnels/pl64-modernisation-de-la-protection-des-renseignements-personnels.
- Assemblée nationale du Québec. "Projet de loi 64 - Loi modernisant des dispositions législatives en matière de protection des renseignements personnels." www.assnat.qc.ca/fr/travaux-parlementaires/projets-loi/projet-loi-64-42-1.html?appelant=MC.
Practical tools:
- MesProcédures.ca. www.mesprocedures.ca.
- Brigade Numérique. "Cybersécurité et Loi 25." www.brigade-numerique.ca/cybersecurite-et-loi-25.
- Collectif Web. "Loi 25 : Québec se conformer, le guide." collectif-web.ca/loi-25-quebec-se-conformer-le-guide.
- Cybereco. "Découvrez le guide pratique Cybereco sur l'application de la Loi 25." cybereco.ca/decouvrez-le-guide-pratique-cybereco-sur-lapplication-de-la-loi-25.
- Synapsec. "Gouvernance et gestion de données." synapsec.ca/outils/gouvernance-et-gestion-de-donnees.
- Tuxedo Solution. "Générateur de politique de confidentialité." faq.tuxedosolution.com/fr/knowledge/generateur-de-politique-de-confidentialite.