Understanding the key provisions of Québec’s new Law 25
This article will attempt to explain what you need to know about the new Law, why it applies to your operations, and what you need to do to avoid paying monetary penalties that could be damaging for your business.
This document is Tink's interpretation of An act to modernize legislative provisions as regards the protection of personal information, also known as Law 25. It is not a substitute for proper legal advice.
The origins of Law 25
Québec's Law 25 is inspired by the European Union's General Data Protection Regulation (GDPR), which entered into force in 2016 to improve the protection of personal data by establishing a framework and imposing obligations on organizations that collect such data.
- September 22, 2021: of the Law
- September 22, 2022: Implementation of the initial measures
- September 22, 2023: Enactment of penalties
- September 22, 2024: Application of all sections of the Law
Why enact this Law?
The new Law provides individuals with greater control over their data by tightening consent rules and requiring businesses to implement specific policies and practices to improve the protection of personal information.
Law 25 modernizes the framework applicable to the protection of personal information under various laws, including the Act respecting access to documents held by public bodies and the protection of personal information, and the Act respecting the protection of personal information in the private sector.
What is personal information?
Here is the official definition from the Commission d'accès à l'information:
Personal information is any information about a physical person that makes it possible to identify them, either directly or indirectly.
In the digital world, this last nuance could be associated with certain tools that allow non-personal data (such as a unique identifier) to be linked to a set of personal information, and therefore to an individual.
What falls under the umbrella of personal information?
Canada's privacy laws provide a little more detail on what is considered personal information.
Generally, it includes the following:
- Name, ethnicity, religion, marital status, and education level
- Email addresses, email messages, and IP addresses
- Age (or date of birth), height, weight, medical records, blood type, DNA, fingerprints, and voice signature
- Income, purchases, spending habits, banking information, credit or debit card data, loan or credit reports, and tax returns
- Social Insurance Number (SIN) or other identification numbers.
How will Law 25 impact businesses?
Many websites collect personal data about their visitors. For example, personal information is collected when a customer places an order, when a candidate applies for a job on your website, or when a secure profile is created.
For many businesses, personal information is collected for marketing communication purposes. Many businesses have implemented mechanisms that gather personal information from various sources in order to refine and personalize communications.
That information is obtained in a variety of contexts (e.g., an email address is collected for newsletters and then merged with user profile information), and the combined use of this data may not have been specifically consented to (e.g., if a user wasn't notified that their street address would be used to create a new segment in a newsletter list).
Regulations surrounding consent
Law 25 states that consent must be obtained, and therefore businesses will have to implement mechanisms to ensure such permission is granted.
Obtaining consent and the duty of transparency
Law 25 states that only the collection of "sensitive personal information" requires express consent. This refers to personal information of a medical, biometric, or otherwise intimate nature, or information where the context of its use or communication entails a high level of privacy protection.
More broadly, Law 25 states that consent is required before personal information can be used. The request for consent must be made in clear and simple language and must be repeated for any new use of the information collected.
Exceptions and subtleties
Law 25 provides for certain exceptions to the requirement to obtain consent, such as the following:
- When the data is used for research purposes and is de-identified
- When the personal information is used for purposes consistent with those for which it was collected or when its use is clearly for the benefit of the person concerned
- When the use of the information is necessary for the purpose of preventing and detecting fraud, or for assessing and improving protection and security measures
- When the use of the information is necessary for the purpose of providing a service requested by the person concerned
In addition, the obligation to obtain consent extends beyond the collection of data where the user enters their own personal information.
Note that Law 25 requires certain forms of express consent in specific contexts.
During a parliamentary session, Éric Caire, the Minister responsible for Access to Information and Privacy, indicated that as a result of this legislation (Law 25), express consent (opt-in) regarding the collection of personal information by way of technologies that use identification, location, or profiling functions must be obtained.
In addition, the following statement can be found on the Commission d'accès à l’information's website:
These technologies cannot be activated by default; it will be up to the person concerned to activate them if they wish to do so.
Law 25 therefore requires that all settings provide the highest level of confidentiality by default.
Businesses will not only have to manage mobile applications that track individuals; they will also have to implement cookie consent management tools on their websites in order to meet the requirements of Law 25 while maintaining some level of behaviour tracking (they need a tool that "explains" the benefits of cookies to the user).
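As an added example (not code from the original article), the following shows one way a web client can enforce the "highest level of confidentiality by default" rule for tracking technologies: every tracking category starts off, a tracker can only start after an explicit opt-in for its category, and withdrawing consent returns to the default state. The category names, the storage key and the storage adapter are assumptions for illustration.

```javascript
// Added example, not code from the original article: a small consent gate
// showing how "highest level of privacy by default" can be enforced in a
// web client. Tracking categories (analytics, advertising, geolocation) and
// the storage key are assumptions for illustration. Storage is injected so
// the same logic runs against a browser's localStorage or an in-memory Map.

const CATEGORIES = ["analytics", "advertising", "geolocation"];

// Adapter for a browser: pass localStorageAdapter(window.localStorage)
// to createConsentStore. In tests a plain Map already has get/set/delete.
function localStorageAdapter(ls) {
  return {
    get: (k) => ls.getItem(k),
    set: (k, v) => ls.setItem(k, v),
    delete: (k) => ls.removeItem(k),
  };
}

function createConsentStore(storage, key = "consent-prefs") {
  // No stored record, or an unreadable one, means no consent was given.
  function load() {
    const raw = storage.get(key);
    if (!raw) return null;
    try {
      const parsed = JSON.parse(raw);
      return parsed && typeof parsed === "object" && parsed.choices ? parsed : null;
    } catch (e) {
      return null; // corrupted preference record is treated as "no consent"
    }
  }

  // Default-deny: a category is on only if the record explicitly says true.
  function isGranted(category) {
    const prefs = load();
    return Boolean(prefs && prefs.choices[category] === true);
  }

  // Record an explicit opt-in. Categories not listed stay off, so a partial
  // choice never silently enables the rest.
  function grant(categories, when = Date.now()) {
    const choices = {};
    for (const c of CATEGORIES) choices[c] = categories.includes(c);
    storage.set(key, JSON.stringify({ version: 1, at: when, choices }));
    return choices;
  }

  // Withdrawal removes the record entirely, returning to the default state.
  function withdraw() {
    storage.delete(key);
  }

  return { load, isGranted, grant, withdraw };
}

// Wraps a tracker so that it can only start after the matching category has
// been opted into. Returns true once the tracker is running, false otherwise.
function gatedTracker(store, category, startTracker) {
  let started = false;
  return function tryStart() {
    if (started) return true;
    if (!store.isGranted(category)) return false;
    startTracker();
    started = true;
    return true;
  };
}
```

The point of the design is that absence of a record, a malformed record, or a record that does not mention a category all resolve to "off"; only an explicit `true` written by `grant` switches a category on. A real site would also stop any running tracker and clear its identifiers when `withdraw` is called, since the gate above only controls startup.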
Amendments to privacy policies
In general, businesses will need to make certain changes to the privacy policies published on their websites, while ensuring that they actually carry out the activities described in those policies.
1 - Duty to disclose exchanges with third parties
For many businesses, the responsibility for collecting, processing, or using personal information is outsourced to a third party. Law 25 requires businesses to disclose the names of the third parties or categories of third parties with whom the personal information is shared. This information must be included in privacy policies.
2 - Duty to disclose the exportation of personal data outside Québec
Businesses must inform users of the possibility that their information may be transmitted outside Québec, whether to another province or another country. In addition, they will be required to ensure that the personal information protection principles of the legal framework applicable in the State where the information would be transmitted are equivalent to those applicable in Québec.
3 - Duty to designate a person responsible for personal data
As of September 22, 2022, businesses are required to designate a person responsible for the protection of personal information within their company. This person's title and contact information must be displayed on the company's website.
4 - Duty to implement a data protection process
Law 25 aims to educate businesses and hold them accountable for how they collect and store personal information. Accordingly, it requires businesses to implement a governance plan that describes their various processes, activities, and managers, as well as how they ensure the protection of personal information in their environment.
Managers must be designated and a monitoring and incident detection plan must be put in place, and any incidents involving the privacy of personal information must be reported to the Commission d'accès à l'information.
Privacy Impact Assessment (PIA)
Businesses must create a validation mechanism with partners who use, consume, and handle personal information in order to protect themselves and demonstrate that they have appropriate security mechanisms in place to prevent potential incidents.
Businesses must conduct a PIA with all of their partners; the parties must demonstrate that they are able to protect personal information in accordance with government standards.
Penalties: What happens if you don't comply with Law 25?
The new Law introduces mechanisms to put some teeth into the Act: administrative monetary penalties, new criminal offences, and a private right of action (i.e., individuals will be able to sue businesses).
Businesses that fail to comply with the terms and regulations set forth in Law 25 will face more severe penalties than under the current plan. Such penalties may vary depending on the size of the business, but will generally resemble the following:
- $20,000,000 or an amount equal to 2% of worldwide sales for the previous fiscal year for private-sector entities that fail to comply with the regulations.
- 4% of the entity's sales—or an amount ranging from $15,000 to $25,000,000—for private-sector entities that have committed violations.
- In the event of a subsequent offence, the fines under this division shall be doubled.
How to meet the requirements of Law 25
To be done as soon as possible
While most penalties will come into force in September 2023, businesses should take the following steps without delay to ensure they are in compliance with the Law:
- Review current policies and practices to ensure they meet the requirements of the new Law.
- Review contracts with service providers to ensure current and future compliance.
- Develop new privacy procedures, including a policy that will make it possible to conduct PIAs as required by the Law.
- Implement processes to enable individuals to exercise the following new rights:
  - The right to be forgotten
  - The right to data portability
  - The right to be informed of a decision based exclusively on automated processing, where applicable
- Update privacy policies to comply with the new privacy plan and reflect the company's new practices.
What to do by September 22, 2022
- Designate a person responsible for the protection of personal information within their company. Note that by default, Law 25 designates the person with the highest authority (CEO, owner, president) as the person responsible (this role can also be officially delegated).
- Publish this person's title and contact information on the company's website.
- Report any incidents involving the privacy of personal information to the Commission d'accès à l’information at https://www.cai.gouv.qc.ca/english/.
- Implement a governance and alert escalation process.
What to do by September 22, 2023
From this date forward, penalties will be in effect.
- Conduct PIAs prior to undertaking any information system project involving the collection, use, release, keeping, or destruction of personal information.
- Inform individuals of the purposes of collection, the means of collection, the rights of access and rectification, and the right to withdraw consent on the website.
- Facilitate the right to be forgotten (i.e., an individual's right to limit the public release of their personal information, under certain conditions).
- Provide the highest level of privacy by default, without any involvement by the person concerned, for entities offering a technology product or service to the public with privacy settings.
What to do by September 22, 2024
- Facilitate the right to data portability (i.e., the right to have personal information communicated in a structured, commonly used technological format).
- Facilitate the right to be informed of a decision based exclusively on automated processing of personal information (i.e., without any human intervention).
- Confirm to anyone who requests it the source of their personal information and whether that source is another person or entity.
Please note: The Commission d’accès à l’information regularly updates its standards and guidelines to help businesses comply with their new obligations. To view them, please visit: https://www.cai.gouv.qc.ca/english/.