Quebec Law 25: Everything You Must Know
If you are processing Canadians' personal data, you are by now well-acquainted and hopefully compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA).
However, did you know that PIPEDA isn’t the only privacy law in Canada and that certain provinces have their own that you must follow? One such province is Quebec.
In this article, we’ll introduce and explain Quebec Law 25 so you can better understand how to be compliant with it.
- Quebec Law 25 is a privacy law that strengthens the privacy rights of individuals in Quebec.
- The law applies to any business that processes the personal information of Quebec residents, whether or not the business operates from Quebec.
- It was introduced in June 2020 as Bill 64 and assented to in September 2021; its requirements came into force in three phases (September 22, 2022, September 22, 2023 and September 22, 2024) that gradually introduced its key obligations.
What is Quebec Law 25?
Quebec Law 25, formerly Bill 64, was introduced by Quebec’s provincial government in June 2020 and officially adopted into law in September 2021 to strengthen and protect Quebec residents' privacy rights and introduce new rules for businesses in Quebec to follow.
The Law requires private sector organizations to, among other things:
- Designate a person in charge of the protection of personal information (the privacy officer). By default this is the person with the highest authority in the enterprise, who may delegate the role in writing.
- Establish and implement governance policies and practices regarding personal information
- Perform a privacy impact assessment (PIA) (1) before communicating personal information outside Quebec, including when it is entrusted to a service provider located outside Quebec, and (2) for any project to acquire, develop or redesign an information system or electronic service delivery system that involves personal information
Quebec Law 25 applies to businesses that collect, store, use, or share personal information of Quebec residents.
The Law is enforced by the Commission d’accès à l’information du Québec (CAI), and its key provisions came into force in three phases:
- 1st Phase (September 22, 2022) - Designation of a privacy officer, confidentiality incident reporting and the incident register
- 2nd Phase (September 22, 2023) - Most of the Law, including PIAs, published privacy policies, privacy by default, transparency for automated decisions, the right to de-indexing (Quebec's form of the right to erasure) and stricter consent requirements
- 3rd Phase (September 22, 2024) - Right to data portability
Scope of Quebec Law 25
This Act applies to any business that:
- Collects, holds, uses or communicates personal information of Quebec residents
- Does so in the course of carrying on an enterprise, that is, as an organized economic activity
- Whether or not that activity is carried on for profit
Quebec Law 25 applies equally to Quebec-based businesses and to businesses operating outside Quebec (or even outside Canada), as long as they handle the personal information of Quebec residents.
This article covers the private-sector rules. Law 25 also amended the Act respecting Access to documents held by public bodies, so Quebec public bodies have their own parallel obligations, while federal government institutions fall under the federal Privacy Act rather than Law 25.
Rights Provided Under Quebec Law 25
The individual rights that Quebec Law 25 provides are very similar to those under the EU GDPR and similar privacy laws. They are granted to all Quebec residents and apply in most circumstances, with limited exceptions. They must be easy to exercise and, with few exceptions, free of charge.
Right to be Informed
This right allows individuals to know how their personal information is processed, for what purposes, and which third parties are involved.
Right to Access
Under this right, individuals can request to access the personal data an organization is holding and obtain a copy of it.
Right to Rectify
The right to rectify allows users to request correction of incomplete, outdated, or wrong information in their personal data held by a business.
Right to Erasure
Under the right to erasure, individuals can request that their personal information be destroyed when it is no longer required for the purposes for which it was collected. Law 25 also introduces a right to request de-indexing or cessation of dissemination of personal information in certain circumstances.
Right to Withdraw Consent
Individuals also have the right to withdraw consent they previously gave for the use of their personal information.
Right to be Informed about Automated Decision-Making
Finally, individuals have the right to be informed when a business uses their personal information to make a decision based exclusively on automated processing.
Since September 22, 2024, the right to data portability is also in force. It allows individuals to request the computerized personal information collected from them in a structured, commonly used technological format, or to have it communicated to another person or organization.
Quebec Law 25 Checklist for Compliance
Since Quebec Law 25 is still a relatively new privacy law, many businesses have not had time to get to know it. This compliance checklist can prove very handy for your business to follow:
1. Appoint a Privacy Officer
To achieve Quebec Law 25 compliance, businesses must first designate a privacy officer responsible for overseeing data protection programs and policies, conducting PIAs, leading the organization’s response to confidentiality incidents, and acting as the company’s leading privacy advocate.
By default, this role belongs to the person with the highest authority in the enterprise, who may delegate it in writing to someone else, whether an in-house employee or an outsourced privacy officer independent of the company. The officer’s title and contact information must be published on the business’s website.
2. Conduct a Privacy Impact Assessment
For any project to acquire, develop or redesign an information system or electronic service delivery system that involves the collection, use, communication, keeping or destruction of personal information, businesses must conduct a Privacy Impact Assessment (PIA). A PIA is also required before personal information is communicated outside Quebec.
The purpose of a PIA (known under the GDPR as a Data Protection Impact Assessment or DPIA) is to understand the intended purpose of the processing, the quantity of data involved, its sensitivity, the media on which it is stored and how it is distributed, and to scale the safeguards accordingly.
3. Obtain Valid Consent
One of the key prerequisites for compliance with any privacy regulation is to obtain valid consent from data subjects whose personal information your business intends to process.
This consent must be freely given, informed, clear and specific, and it remains valid only for the time necessary to achieve the purposes for which it was requested.
4. Establish a Governance Framework
Businesses that process their customers’ personal information must protect it by establishing and following governance policies and practices.
Such policies should indicate the roles and responsibilities of different individuals within the organization who will have access to the users’ data, how long the business can keep the data, how it will handle complaints, and more.
5. Build a Privacy Incident Log and Management Plan
Privacy incidents, which the Law calls confidentiality incidents (unauthorized access to, use or communication of personal information, or its loss), must be recorded in a confidentiality incident register. If an incident presents a risk of serious injury, the business must also notify the CAI and the affected individuals.
A copy of the register must be provided to the CAI on request.
6. Ensure DSARs are Resolved
Data Subject Access Requests (DSARs) allow individuals to ask a business for the personal information it holds about them, and handling them well helps build trust between individuals and the business.
When an individual exercises any of the rights mentioned above, the request is treated as a DSAR and must be answered within 30 days of receipt.
Ensure these are answered promptly and accurately, and your users will greatly appreciate it. You can even help your customers by providing them with a DSAR template they can use.
Penalties for Non-Compliance
Penalties for non-compliance with Quebec Law 25 come in two tiers: administrative monetary penalties imposed directly by the CAI, and penal fines imposed by the courts on prosecution. Both scale with the seriousness of the violation and whether it is a first or repeat offense.
For a natural person (individual), administrative monetary penalties go up to CAD$50,000, and penal fines range from a minimum of CAD$5,000 to a maximum of CAD$100,000.
For businesses, administrative monetary penalties go up to CAD$10 million or 2% of worldwide turnover for the preceding fiscal year, whichever is greater.
Penal fines for businesses range from CAD$15,000 up to CAD$25 million or 4% of worldwide turnover for the preceding fiscal year, whichever is greater.
For a subsequent offense, the penal fines are doubled.
Administrative monetary penalties are imposed by the Commission d’accès à l’information du Québec (CAI); penal fines are sought before the courts.
Understanding the different privacy laws that may apply to your business is the first step to achieving and then maintaining compliance, avoiding fines, and establishing consumers’ trust.
Unfortunately, this often means sifting through dense regulations, and who wants to do that?
Don’t worry. Instead, you can work with Captain Compliance to keep your organization on top of corporate compliance at all times. Get in touch today to discuss your compliance with Quebec Law 25 and other major laws!
What is the new law 25 in Quebec?
The new “Law 25” in Quebec is a legislative act, previously called Bill 64, that aims to improve data privacy protection for Quebec residents whose personal information is handled and processed by businesses.
Although Quebec Law 25 applies in a Canadian province (Quebec), it should not be confused with PIPEDA. Learn what PIPEDA is in this informative article.
What is the rule 25 in Quebec?
There is no separate “Rule 25”; the term usually refers to Law 25, a data privacy law introduced in 2020 by the provincial government of Quebec as Bill 64 and assented to in September 2021. It establishes how businesses must process the personal information they hold and strengthens individuals’ data protection rights.
Quebec Law 25, just like PIPEDA, applies to businesses inside or outside Quebec and Canada. Read about PIPEDA cross-border transfers and their rules.
What are the consent guidelines for Quebec Law 25?
Under this law, consent is considered “valid” if it is:
- Free and informed
- Given for a specific purpose(s)
- Clear and in simple language (no legal or technical jargon)
- Requested for each purpose, in clear and simple language, and separately from any other information
- Expressly given for sensitive personal information (SPI)
Is PIPEDA the same as Quebec Law 25?
While PIPEDA and Quebec Law 25 both apply in Canada and are very similar in purpose, they are not the same. The biggest difference between the two is jurisdiction: PIPEDA is federal legislation that applies across Canada except where a province has its own substantially similar law, whereas Law 25 is Quebec legislation that applies to businesses processing Quebec residents’ personal information.
What is Quebec Law 25's automated decision-making?
Under Quebec Law 25, if an organization uses personal information to make a decision based exclusively on automated processing, it must inform the individual concerned no later than when it informs them of the decision. On request, it must also tell the individual what personal information was used, the reasons and the principal factors and parameters that led to the decision, and that they have the right to have that personal information corrected. The individual must also be given the opportunity to submit observations to a staff member who can review the decision.