Organizations that collect, process and store the personal information of Quebec individuals must ensure their existing privacy programs are in line with the provisions of Quebec’s Law 25. This new legislation was adopted in September 2021 and has been implemented in stages, with the final stage coming into effect on September 22, 2024.
Law 25 represents a milestone for provincial privacy legislation. It marks a complete overhaul of Quebec’s privacy regime, strengthening privacy rights for individuals and updating organizational requirements.
In this guide, we provide essential information to help support your journey towards achieving and maintaining compliance. We explain which organizations Law 25 affects and detail what each stage of its provisions includes.
What is Quebec’s Law 25?
Law 25 introduces several key concepts to modernize data protection practices in Quebec and strengthen privacy rights for individuals.
The legislation has been brought into effect in stages, over a three-year period, which has allowed organizations to adapt gradually to the new privacy requirements. By September 2024, organizations should ensure all provisions are fully implemented.
Fines for non-compliance can range between CA$15,000 and CA$25,000,000 or 4% of worldwide turnover for the previous year, whichever is greater.
Who does Law 25 apply to?
Law 25 applies to all businesses, including non-profits, operating in Quebec that collect, process, use or disclose the data of Quebec residents, regardless of size, revenue or location of the business.
Quebec’s Law 25: A guide to support privacy compliance
Law 25 imposes a range of obligations on businesses, with the aim of striking a balance between privacy protection, individual rights, and business accountability.
To ensure compliance with the new regulations, you should complete a gap analysis of your current privacy programs. This will identify any required updates that need to be made to policies, procedures and data handling practices.
If you are operating within the province of Quebec and process personal data, these are the important aspects you should already have in place or need to address by September 22, 2024:
Appoint a Data Privacy Officer
The Data Privacy Officer role shares a similarity with the EU’s requirement for a Data Protection Officer (DPO). However, unlike the GDPR, the Privacy Officer role defaults to the highest-ranking individual in an organization, if one is not otherwise appointed.
Many organizations may not be aware of the defaulting nature of the Privacy Officer role. Where a Privacy Officer is not explicitly appointed, the responsibility falls to the CEO or MD.
What you need to do: It is crucial for organizations of any size or industry sector to recognize the importance of this role. A Privacy Officer should have the expertise and specialist knowledge to ensure compliance with privacy laws and understand the complexities of global data protection legislation.
- Appoint an in-house Privacy Officer or outsource to an external professional
For a comparison between in-house and outsourced options, our infographic covers these important considerations for choosing between an in-house or outsourced Privacy Officer:
- Speed to hire
- Scalability
- Experience and expertise
- Risk management
- Annual investment
Breach reporting
Organizations must ensure that breach management processes are in place. Data breaches must be reported to the Commission d’accès à l’information (CAI) and all affected individuals as soon as possible.
What you need to do: Create and test a data breach response protocol. When identifying a potential data breach, you must assess whether an incident poses a “risk of serious injury” based on information sensitivity, anticipated consequences and likelihood of harmful use.
Your data breach response protocol should include:
- Employee roles and responsibilities
- Workflows
- Template breach reporting document
Biometrics disclosure
Biometric data collection includes physical features such as fingerprints, facial features and iris patterns.
What you need to do:
- Express consent requirements – Obtain express consent from individuals and ensure it is specific to the purpose of collecting and using biometrics
- Disclosure requirements – Inform the Commission d’accès à l’information du Québec (CAI) of your intention to use biometric processes at least 60 days before implementing the biometric system
- Privacy by Design – Implement privacy-enhancing measures when handling biometric data and consider Privacy Impact Assessments (PIAs) to mitigate any potential harms
Privacy Policy
All organizations operating in Quebec must have a comprehensive Privacy Policy that outlines data handling practices.
What you need to do: Create a Privacy Policy to include these important details:
- Purpose – Clearly state the purpose of your privacy policy and outline how your organization collects, uses, discloses and protects personal information
- Scope – Specify that the policy applies to all individuals whose data you process
- Type of information – For example names, addresses, credit card numbers
- Security measures – For example, encryption, access controls, regular audits, and employee training
- Third parties and sharing – Explain the purpose of any such sharing and ensure transparency
- Individual rights – Inform individuals of their rights and provide instructions on how they can exercise these rights
- Contact information – For inquiries, requests and complaints related to privacy, include details of the designated Data Privacy Officer
- Updates and accessibility – Commit to keeping the Privacy Policy up to date and ensure it is easily accessible and in a prominent place on your website
Privacy Impact Assessment (PIA)
A PIA is a systematic process to evaluate the impact of data processing activities on individuals’ privacy rights.
What you need to do:
Under Law 25, organizations must conduct a Privacy Impact Assessment (PIA) for:
- High risk data processing activities (e.g., large-scale data collection, profiling, biometrics)
- Data transfers to other provinces, third countries, or international organizations
- Implementation of new technologies (e.g., AI, IoT, facial recognition)
Cross-border transfers
These are transfers that involve moving personal data from Quebec to another jurisdiction outside Canada (or to another province).
What you need to do:
- Inform individuals about cross-border transfers in your Privacy Policy
- Undertake a PIA (see details in the section above)
- Enact contractual safeguards to ensure adequate protection in the jurisdiction of transfer
Enhanced Consent
Law 25 sets stricter rules for acquiring permission before using people’s personal information. Organizations must obtain explicit opt-in consent before collecting, storing, processing, and sharing personal information. Additionally, for children under 14, you will need the parent’s permission first.
What you need to do:
- Provide comprehensive information about why and how their data will be used
- Ensure the consent request is prominent and stands out from general terms and conditions
- Use clear and concise language with an opt-in requirement
- Inform individuals of their right to withdraw consent at any time
- List any non-Quebec third parties that you are sharing the personal information with
- Maintain documentation of how and when consent was given
Data minimization
Law 25 emphasises the importance of collecting only the essential data for the intended purpose. Organizations must avoid excessive data collection and retain only relevant information.
What you need to do:
- Clearly define the purpose for which the data will be used in your privacy policy
- Then only collect the minimum amount of data required to achieve that purpose
- Define clear retention periods for different types of data
Subject rights
These rights came into effect in September 2023, with the right to data portability effective in September 2024 (see the section below).
Subject rights include:
- Right to be informed
- Right to access
- Right to rectification
- Right to erasure
- Right to withdraw consent
- Right to restrict processing
- Right to data portability
What you need to do:
- Ensure individuals are informed about your data practices
- Privacy Officers should respond promptly to any access requests, within 30 days, and provide the relevant details (with redactions, as necessary)
Data portability rights – come into effect in September 2024
With this specific area of Law 25, individuals have the right to have their personal data seamlessly transitioned between service providers.
What this means is that you are obliged to provide the requested information in a specified format.
What you need to do:
- You must provide the individual’s personal data in a structured, commonly used, and machine-readable format
- Share the requested information with any authorized person or organization
Summary
The final stage of Quebec’s Law 25 comes into effect on September 22, 2024.
Organizations operating within the province of Quebec must implement the necessary operational and procedural changes by that date to ensure compliance with the new regulations.
We covered the key aspects of Law 25 in the above sections, but these are the main elements to consider:
- All organizations must have a Privacy Officer in place
- If you don’t specify a Privacy Officer, the CEO/MD will be automatically assigned
- Complete a Privacy Impact Assessment (PIA) for all data transfers and new technologies
- Implement a robust breach notification protocol with workflows and reporting documents
The DPO Centre Canada
From our offices in Toronto, Ontario, The DPO Centre Canada provides outsourced Canadian Privacy Officers to organizations operating across Quebec and other provinces.
If you would like to discuss how our range of specialist services can support your organization’s privacy governance, please contact The DPO Centre Canada.