
Since September 22, 2022, Law 25, also known as An Act to modernize legislative provisions as regards the protection of personal information, has been in effect in Quebec. The main objective of this law is to strengthen the accountability of businesses, including non-profit organizations (NPOs), regarding the personal data of Quebec residents.
All businesses, without exception, must comply with this new regulation. Specifically, Bill 25 requires businesses to justify their methods of collecting, using, and managing personal data. This applies to any business processing the personal data of Quebec citizens.
The implementation of this law was carried out in several stages. The first set of legislative provisions came into force on September 22, 2022. More recently, on September 23, 2023, new provisions were added, including the obligation to implement a personal information governance policy. Further obligations are planned for September 2024.
The Quebec Commission d’accès à l’information (CAI) is responsible for overseeing compliance with Law 25. In the event of non-compliance with this law, the Commission is authorized to impose significant sanctions.
To help you understand this law and its nuances, we have produced a reminder of the obligations as well as a list of practical tools that we are making available to you below.
Requirements effective September 22, 2022
1. Designate a person responsible for the protection of personal information and publish the title and contact details of the person responsible on the company’s website or, if it does not have a website, make them accessible by any other appropriate means.
2. In the event of a confidentiality incident involving personal information:
a. take reasonable steps to reduce the risk of harm to the persons concerned and prevent further incidents of the same nature from occurring;
b. notify the Commission and the person concerned if the incident presents a risk of serious harm;
c. keep a record of incidents, a copy of which must be sent to the Commission upon request;
3. Respect the new framework for the communication of personal information without the consent of the person concerned for the purposes of study, research or the production of statistics and in the context of a commercial transaction;
4. Conduct a Privacy Impact Assessment (PIA) before disclosing personal information without the consent of the individuals concerned for the purposes of study, research or the production of statistics;
5. Disclose to the Commission in advance the verification or confirmation of identity made by means of biometric characteristics or measures.
Requirements effective September 22, 2023
1. Establish policies and practices for the governance of personal information and publish detailed information on these in simple and clear terms on the company’s website or, if it does not have a website, by any other appropriate means;
2. Carry out a Privacy Impact Assessment (PIA) when required by law, for example before communicating personal information outside Quebec;
3. Comply with the new rules surrounding consent to the collection, communication or use of personal information;
4. Destroy personal information when the purpose for which it was collected has been fulfilled, or anonymize it to use it for serious and legitimate purposes, subject to the conditions and a retention period provided for by law;
5. Respect your new information and transparency obligations towards citizens;
6. Comply with the new rules for communicating personal information without the consent of the person concerned (exercising a mandate or performing a service or business contract);
7. Respect the new rules for communicating personal information outside Quebec;
8. Respect the new rules for the use of personal information;
9. Provide, by default, the parameters ensuring the highest level of confidentiality of the technological product or service offered to the public;
10. Respect the new rules surrounding the collection of personal information concerning a minor;
11. Respect the right to cease dissemination, re-indexing or de-indexing (or right to be forgotten);
12. Respect the new rules for communicating personal information to facilitate the grieving process.
Requirements effective September 22, 2024
Respond to requests for portability of personal information.
Resource List
Information
- Government of Quebec. “Protection of Personal Information.” Quebec Information Commissioner,
www.cai.gouv.qc.ca/entreprises/protection-des-renseignements-personnels-1/
- Government of Quebec. “Bill 64: Modernization of the Protection of Personal Information.”
www.quebec.ca/gouvernement/ministeres-et-organismes/institutions-democratique-acces-information-laicite/acces-documents-protection-renseignements-personnels/pl64-modernisation-de-la-protection-des-renseignements-personnels
- National Assembly of Quebec. “Bill 64 – An Act to modernize legislative provisions relating to the protection of personal information.”
www.assnat.qc.ca/fr/travaux-parlementaires/projets-loi/projet-loi-64-42-1.html?appellant=MC
Toolboxes
- MyProcedures.ca. “MyProcedures.ca.”
www.myprocedures.ca
- Digital Brigade. “Cybersecurity and Law 25.” Digital Brigade,
www.brigade-numerique.ca/cybersecurite-et-loi-25
- Web Collective. “Bill 25: Quebec’s Compliance Guide.” Web Collective,
collectif-web.ca/loi-25-quebec-se-conformer-le-guide
- Cybereco. “Discover the Cybereco practical guide on the application of Bill 25.” Cybereco,
cybereco.ca/decouvrez-le-guide-pratique-cybereco-sur-lapplication-de-la-loi-25
- Synapsec. “Data Governance and Management.” Synapsec,
synapsec.ca/tools/data-governance-and-management
Privacy Policy Generator
- Tuxedo Solution. “Privacy Policy Generator.” Tuxedo Solution FAQ,
faq.tuxedosolution.com/en/knowledge/privacy-policy-generator