Quebec Law 25 Compliance: Everything You Need to Know
Privacy & Compliance | May 18, 2023
Personal data has become the bedrock of digital economies and an integral part of our daily lives. Consequently, the need for comprehensive data protection regulations has never been greater. In 2021, the Canadian province of Quebec made a significant move in this direction with the introduction of Bill 64, now known as Law 25, an omnibus privacy legislation that sought to overhaul Quebec’s data privacy landscape and align it more closely with stringent international standards like the EU’s General Data Protection Regulation (GDPR).
Law 25 imposes new obligations on businesses, expands the digital privacy rights of individuals, and expands the enforcement actions and fines available to authorities. While initially signed into law in September of 2021, Law 25 adopted a phased approach to implementing privacy standards, with the majority of requirements going into effect on September 22, 2023.
In this article, we’ll give a detailed overview of Law 25, its privacy implications, and the steps businesses need to take to ensure compliance. But first, let’s look at the background of the Canadian privacy landscape.
A Crash Course on Quebec Privacy Law
To gain a better understanding of Law 25, we must first look at the existing privacy regime that is being replaced. Privacy requirements in Quebec are governed by a mix of federal and provincial legislation.
On the federal level, the Personal Information Protection and Electronic Documents Act (PIPEDA) mandates consent requirements for private organizations.
PIPEDA requires that consent is obtained whenever personal information is collected, used, or disclosed. Like the GDPR, PIPEDA mandates that consent should be informed, voluntary, and explicit, and generally takes an opt-in approach to consent, meaning an individual must take affirmative action to give valid consent. However, there are some exceptions under PIPEDA where implied consent, i.e. opt-out consent, is acceptable.
On the provincial level, prior to Law 25, Quebec’s privacy regulation framework consisted of two laws: the Act Respecting the Protection of Personal Information in the Private Sector and the Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information.
The former regulated how businesses handle personal data, while the latter governed how public sector entities manage personal information.
But these laws, dating back to 1994 and 1982 respectively, were not equipped to address the challenges posed by rapid technological advancements and global data sharing. They lacked comprehensive data subject rights, robust consent requirements, and strong enforcement mechanisms.
Enter Quebec Bill 64, An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information, the bill that would receive assent on September 22, 2021, and become The Privacy Legislation Modernization Act, also known as Law 25.
What is Quebec Law 25?
If the name of the law didn’t give it away, Law 25 was enacted to modernize Quebec’s existing privacy landscape by enhancing individuals’ control over their data, and ensuring that businesses and public bodies are held to a higher standard of accountability.
Law 25 is a significant step towards stricter data privacy laws in Canada and aligns the francophone province more closely with European data protection standards like the GDPR.
It introduces sweeping changes to the province’s privacy laws, enhancing individual rights, mandating stricter consent requirements, and establishing stringent data governance frameworks. The law also gives stronger enforcement powers to the Commission d’accès à l’information (CAI), and includes substantial penalties for non-compliance.
The law goes into effect through a phased implementation plan that began in September 2022 and extends until September 2024, with the majority of changes taking effect in September 2023.
In the following sections, we’ll delve into further detail on the scope and applicability of Law 25 as well as the specific rights it grants Quebec citizens and the requirements it imposes on businesses.
What Businesses Must Comply with Law 25?
The language of Law 25 is extremely broad and applies to both private and public sector entities operating in Quebec, including businesses of all sizes, non-profit organizations, and government bodies. Crucially, coverage extends to any enterprise that collects, uses, discloses, retains, or destroys the personal information of citizens of Quebec in the course of their commercial activities, whether they are based in Quebec or not.
However, the specific obligations vary based on the nature of the business, the type of personal information handled, and the context in which it is processed. In essence, if an organization handles the personal information of Quebec residents, Law 25 likely applies to them.
And, unlike many American privacy laws, Law 25 does not establish a minimum threshold for businesses that must comply with the law. For example, under the CPRA, businesses must buy, sell, or share the personal information of 100,000 or more California residents to be subject to the law’s requirements. Under Law 25, a single Québecois visitor to a website is enough to bring the website under the jurisdiction of the CAI.
For businesses operating in Quebec, the scope of the law is even broader, due to extensive protections for any individuals whose data is processed under the jurisdiction of the law.
Who is covered under Law 25?
Law 25 offers extensive protections to all individuals, irrespective of their nationality or where they live, as long as their personal data is being managed under the law. This applies to people living in Quebec, Canadians from other provinces, and even individuals from other countries. It has additional safeguards for children under 14, who require more stringent consent rules. It also guards the personal data of individuals who have passed away, for up to 20 years after their death.
However, businesses outside Quebec or outside Canada mainly need to follow Law 25 when dealing with the personal data of people living in Quebec.
How is ‘Personal Information’ Defined Under Law 25?
The purpose of Law 25 is to update the existing privacy framework of Quebec, so to define personal information under Quebec privacy law, we must refer to the Act Respecting the Protection of Personal Information in the Private Sector (The Private Sector Act).
Under the Private Sector Act, ‘personal information’ is defined as “any information which relates to a natural person and allows that person to be identified.” This can include, but is not limited to, aspects such as name, address, age, gender, identification numbers, financial information, or even certain types of online identifiers. It’s important to note that the data doesn’t need to be able to identify a person on its own. If it can be used in combination with other data to identify a person, it still falls within the scope of ‘personal information’.
What are the Data Privacy Rights of Consumers under Law 25?
From transparency to data portability, and from the right to be forgotten to privacy by default, Law 25 significantly empowers individuals in managing their personal information. Let’s delve deeper into these rights to understand their implications for businesses, particularly for legal departments, marketers, and CISOs.
Right to Transparency: Law 25 requires that any organization collecting personal data must provide substantial information about the collection and processing of the data, including:
- The purpose of the data collection.
- Details on the method used to collect the information.
- Whether providing this information is mandatory (public sector only) or optional.
- Describing any consequences that may result from either refusing to provide the information or withdrawing consent later on, if the request was optional.
- The names of third parties with whom the information will be shared, or for whom the information is collected on behalf of, as well as notification of the possibility that the information may be shared outside of Quebec.
- The consumer’s right to access this information, and to correct it where necessary.
- The consumer’s right to withdraw consent for this information to be gathered.
Right to be Forgotten: Following in the footsteps of the GDPR, Law 25 also grants individuals the right to be forgotten. In simple terms, this right ensures that individuals can request that their personal information is no longer shared or circulated, especially online. Furthermore, if there’s a hyperlink that leads to their information, individuals can ask for this link to be de-indexed (removed from search engine results) or re-indexed (reordered in the search results).
Right to Consent: Under Law 25, businesses are required to obtain express consent for the collection, use, or disclosure of personal information. The consent must be informed, specific, and given freely. The age of consent for children is set at 14 years.
Right to Access and Correction: Individuals have the right to access their personal information held by an organization and request correction if it is inaccurate, incomplete, ambiguous, or collected in violation of the law.
Right to Data Portability: Individuals have the right to access a copy of their personal data in a structured, commonly used digital format. This means that individuals can obtain their data in a format that’s easy to understand, and that can be readily used or processed further.
In addition, individuals can also request that this data be directly transferred to a third party, such as a service provider, a new employer, or any other entity the individual chooses.
Rights Regarding Automated Decisions: Individuals are granted several rights regarding automated decision-making, including the right to be informed of automated decision-making at or before the decision, the right to an explanation of the data used to make the decision and the rationale behind it, and the right to correct data used in automated decision-making.
Right to Anonymity: Whenever possible, individuals have the right to require that personal information used by an organization be anonymized.
The Right to Privacy by Default: Starting from September 2023, a new subsection in PPIPS, 9.1, mandates companies that gather personal data through tech products or services to guarantee the maximum level of privacy as the default setting, without needing the user to do anything. This rule doesn’t cover cookies used for connection tracking. In practical terms, this implies that any tracking functionality within a service or product should be activated by the user. By default, companies should have these tracking features turned off, and they cannot be enabled without express consent.
How Does Consent Work Under Law 25?
Law 25 updates the consent framework of both the public and private sector acts to bring them closer in line with the consent requirements of the GDPR, and as such, many of the consent management requirements implemented by Law 25 should be familiar to organizations already compliant with the GDPR.
Law 25 requires that consent is expressly given, meaning it must be a clear affirmation of the individual’s agreement to their data being processed (i.e. opt-in consent); informed, meaning that the individual understands what data is collected, how it will be used, and how it will be shared; and specific, meaning that consent is given for a specific purpose and may not be used to share or collect data beyond that purpose. Consent must also be freely given, and cannot be coerced.
For minors, Law 25 sets the age of consent at 14 years, which means that businesses must obtain the consent of a parent or guardian for children under 14 years of age.
Finally, individuals have the right to withdraw their consent at any time. If consent is withdrawn, the company must cease the processing of the individual’s data. Companies should have systems in place that allow for the easy withdrawal of consent.
Business Obligations and Implementation Timeline
The changes put in place by Law 25 are extensive and can require significant effort to accomplish, but it doesn’t have to happen overnight. When lawmakers initially passed Bill 64 into Law 25 in 2021, they broke business obligations out into three phases, occurring in September of 2022, 2023, and 2024, with the majority of changes being implemented in 2023.
Phase 1 – By 22 September 2022
Appoint a Privacy Officer: Businesses must assign an individual who will ensure compliance with Quebec privacy law. This responsibility defaults to the CEO, but can be delegated. The officer’s title and contact details should be published on the company’s website, and the CAI must be notified.
Mandatory Breach Reporting: Businesses must establish mechanisms to notify the CAI and any affected individuals of data breaches involving personal information that pose a risk of serious harm, and must keep a register of these breaches.
Biometrics Disclosure: Companies that use or plan to use biometric banks must disclose their existence to the CAI at least 60 days before implementation.
Phase 2 – By 22 September 2023
Mandatory Privacy Impact Assessments (PIA): Conduct a PIA when sharing personal information outside Quebec, when creating or acquiring digital systems involving private data, or before disclosing personal information without consent for research purposes.
Establish Transparency and Consent Systems: Update mechanisms for collecting, storing, and sharing consumer information to meet the new consumer rights framework. Deactivate data collection technology by default and provide an explicit “opt-in” mechanism. Update consent forms and information access systems to provide details of who within your company has access to a customer’s personal information.
Anonymization: Implement a system to destroy or anonymize personal data once its collection purpose has been achieved. Anonymization must ensure the person concerned can no longer be identified.
Right to Erasure: Develop guidelines to assess and respond to requests for the removal of personal information.
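The consent rules described above (express, specific, informed, freely given, withdrawable at any time, guardian consent for children under 14) and the privacy-by-default requirement (tracking off unless the user opts in) map directly onto a small piece of consent-gating logic. The following is an added example written for this article, not code from the article or from any vendor; the purpose names, the record layout and the subject identifiers are assumptions made for the illustration.

```javascript
// Added example, not code from the article: a small consent register that
// encodes the Law 25 consent and privacy-by-default rules described above.
// Purpose names, record layout and subject ids are assumptions for illustration.

const AGE_OF_CONSENT = 14; // Law 25 sets the age of consent at 14
const TRACKING_PURPOSES = ['analytics', 'ad-targeting', 'personalization']; // assumed purposes

// Privacy by default: every tracking feature starts off. Nothing here can be
// switched on by the operator's configuration; only a recorded opt-in can.
function defaultTrackingSettings() {
  return Object.fromEntries(TRACKING_PURPOSES.map((p) => [p, false]));
}

class ConsentRegister {
  constructor() {
    // subjectId -> { age, purposes: Map<purpose, { givenBy, at }> }
    this.subjects = new Map();
  }

  // Record an express, informed, specific opt-in for exactly one purpose.
  // `noticeShown` is the caller's attestation that the purpose notice was
  // displayed before the affirmative action. A missing notice is an error,
  // never an implied consent.
  grant(subjectId, purpose, { age, noticeShown = false, givenBy = 'subject' } = {}) {
    if (!TRACKING_PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    if (!noticeShown) throw new Error('consent must be informed: show the purpose notice first');
    const subject = this.subjects.get(subjectId) ?? { age, purposes: new Map() };
    if (age !== undefined) subject.age = age;
    if (subject.age !== undefined && subject.age < AGE_OF_CONSENT && givenBy !== 'guardian') {
      throw new Error('subject is under 14: consent must come from a parent or guardian');
    }
    subject.purposes.set(purpose, { givenBy, at: new Date().toISOString() });
    this.subjects.set(subjectId, subject);
    return true;
  }

  // Withdrawal takes effect immediately; processing for that purpose must stop.
  withdraw(subjectId, purpose) {
    const subject = this.subjects.get(subjectId);
    if (!subject) return false;
    return subject.purposes.delete(purpose);
  }

  // Consent is specific: a grant for one purpose never covers another, and a
  // subject with no record at all is treated as having refused.
  allowed(subjectId, purpose) {
    const subject = this.subjects.get(subjectId);
    return Boolean(subject && subject.purposes.has(purpose));
  }

  // Effective settings for a subject: the all-off defaults plus only the
  // purposes they expressly opted into.
  effectiveSettings(subjectId) {
    const settings = defaultTrackingSettings();
    for (const purpose of TRACKING_PURPOSES) {
      if (this.allowed(subjectId, purpose)) settings[purpose] = true;
    }
    return settings;
  }
}

// Gate a tracking event on consent for its stated purpose. Returns the event
// when it may be processed, or null when it must be dropped.
function gateTrackingEvent(register, event) {
  return register.allowed(event.subjectId, event.purpose) ? event : null;
}

// Constructed demo run with made-up subject ids (not real data).
function demo() {
  const register = new ConsentRegister();
  const event = { subjectId: 'visitor-1', purpose: 'analytics' };
  const before = gateTrackingEvent(register, event);            // null: nothing consented yet
  register.grant('visitor-1', 'analytics', { age: 30, noticeShown: true });
  const after = gateTrackingEvent(register, event);             // the event: opt-in recorded
  register.withdraw('visitor-1', 'analytics');
  const afterWithdraw = gateTrackingEvent(register, event);     // null: withdrawal is immediate
  return { before, after, afterWithdraw };
}
```

The design choice worth noting is that absence of a record denies processing: the register never infers consent from silence, a closed banner, or a pre-ticked box, which is what separates an opt-in model from the opt-out model the article contrasts it with. A production implementation would also persist the `at` timestamp and the notice version shown, since the register is the evidence produced when the CAI asks how consent was obtained.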
Phase 3 – By 22 September 2024
Right to Portability: Prepare to produce a digital copy of all personal information you hold concerning an individual upon request.
How is Law 25 Enforced?
The enforcement of Law 25 comprises a two-tier monetary penalty model and a civil right of action. The maximum penalty for individuals is $100,000, while private sector companies face fines ranging from CAD $15,000 to CAD $25,000,000 or 4% of their global turnover for the preceding fiscal year, whichever is greater. The Commission d’accès à l’information (CAI) oversees the enforcement of these penalties.
Law 25 also introduces a new private right of action, similar to that of the CPRA, but with a much wider scope. As of September 22, 2023, consumers will be able to bring claims against companies for statutory damages relating to specific breaches of privacy law, including unlawful use of personal information, illegal use of personal information, and inadequate privacy notices.