October 31, 2022

In this month of cybersecurity, we present a summary of the new Law 25 on the protection of personal information in Quebec and what you need to know as a company to be compliant.

What is Quebec Law 25? 

Perhaps you have heard of “Bill 64”. This is the original text, first proposed on June 12, 2020, and unanimously adopted by the National Assembly on September 21, 2021. The resulting law is “Law 25”: An Act to modernize legislative provisions as regards the protection of personal information.

Law 25 introduces a series of changes to the existing legal framework. It grants new data protection rights to individuals and imposes new obligations on public and private organizations that process their personal information. This law applies to personal information in general, not just digital information.

Law 25 entered into force on September 22, 2022 and is being phased in over the next three years (until 2024). 

Non-compliance with the law will expose your business to significant penalties, up to a maximum of $25 million or 4% of your worldwide revenue.

Why is it important to us as individuals? 

You have all heard of cases of customer data leaks by companies or cities, such as the major leak from Caisse Populaire Desjardins (June 2019).

Law 25 better protects individuals' rights by giving them more control over the processing of their personal data and a better understanding of the consequences of their choices. Organizations must therefore take concrete actions to ensure information security.

What is personal information? 

Personal information is information that relates to a natural person and allows that person to be identified, directly or indirectly. It is confidential. Barring exceptions, it may not be communicated without the consent of the person concerned. Examples include:

  • Last name, first name
  • Birth date 
  • Street address
  • Phone number 
  • Personal email 
  • Social Security number 
  • Driver’s license number 
  • Etc. 

Company information, by contrast, is not considered private: for example, a company email address, a telephone number and extension number, a company street address, etc.

Complaint against a public organization or a private company 

An individual may file a complaint with the Commission when the Act respecting the protection of personal information has not been respected in their regard. A privacy complaint may relate to the collection, retention, use, disclosure, or destruction of personal information.

To allow the Commission to investigate, if the circumstances so require, a complaint must be submitted in writing to the “Commission d’accès à l’information”, taking care to include all the elements that support the complaint as well as the contact details of the parties involved.

How can my business comply with Law 25? 

While the series of reforms is significant, the bulk of certain provisions has already been fully or partially mandated by other applicable regimes (such as PIPEDA) or has simply become common practice in recent years.

However, for most provisions that are entirely new, existing systems are likely to be insufficient and to require a complete overhaul. Fortunately, the gradual deployment breaks this process into stages. At a minimum, organizations must complete the following by the dates below:

September 22, 2022

  1. Appoint a person responsible for the protection of personal information and establish their role and responsibilities. This person should know the nature of the personal information that your company holds, processes, and communicates. They should also know who can have access to this personal information and for what reasons. This person will also have to produce and implement the policies and practices that govern personal information, for example, the rules for retention and destruction and the centralization of sensitive data to facilitate its protection and monitoring. You must also publish their title and contact information on the company’s website.
  2. Put in place an incident management plan and establish the procedure to follow in the event of a breach.
  3. Maintain a log of all privacy incidents. An incident is the unauthorized access, use or disclosure of personal information, the loss of personal information or any other breach of the protection of such information.
  4. Properly inform the person(s) concerned in the event of a confidentiality incident that could cause them serious harm, including the scope and consequences of the incident. In particular, the notice should describe the personal information concerned, the circumstances of the incident, the measures that your company has taken or will take to reduce the risk of harm or mitigate the harm, and the contact information of a person to contact for more information. You should also notify the “Commission d’accès à l’information” of any incident presenting a serious risk of harm.
  5. Make an inventory of personal information held by the company in order to identify:
     • The personal information held and its media (paper or digital), the nature of the personal information, its accessibility, its life cycle, etc.
     • Information that is held by third parties (applications that use this personal information, etc.)
  6. Protect the information collected during your commercial transactions. Once the commercial transaction is concluded, you will have the additional obligation to destroy the personal information collected, or to anonymize it if you wish to use it for serious and legitimate purposes.

September 22, 2023 and 2024 

You should know that Law 25 provides for the integration of new measures for 2023 and 2024, so you must make sure to comply with them as well when they come due.

Among the changes to be expected, we note that you must be able to disclose to a person who requests it the personal information collected about them. It is therefore important to ensure that your software allows you to properly extract the list of information collected.

It is important to review your data privacy policies and practices, as well as your contracts, to ensure you are in compliance with the new standards imposed.

(It might be time to update your employee handbook, especially with remote work becoming omnipresent in companies.)

Note: This article has been published to give you an idea of what you need to put in place to meet the requirements of the law. For further clarification and details please consult the following resources. 

Useful resources: 

New Privacy Obligations for Businesses 

Loi 25 – Nouvelles dispositions protégeant la vie privée des Québécois 

Aide-Mémoire : Résumé des nouvelles obligations des entreprises