Quebec Law 25, officially titled “An Act respecting the protection of personal information in the private sector” (Loi sur la protection des renseignements personnels dans le secteur privé), is a data privacy law whose primary objective is to safeguard the personal information of residents of the Canadian province of Quebec.

Effective date: September 22, 2023

Official text: Bill 64 (Chapter 25)

What is Quebec’s Law 25?

Quebec Law 25, formerly known as Bill 64, represents a significant update to privacy regulations in Quebec. Proposed by the Quebec government in June 2020, it became law in September 2021. This legislation introduces new rules that businesses in Quebec must adhere to, with changes phased in over three years starting in 2022.

Law 25 strengthens privacy protections for Quebec residents and imposes responsibilities on organizations that handle their personal information, including creating privacy policies, conducting risk assessments, and promptly reporting data breaches.

On September 22, 2021, Bill 64 officially transitioned into Law 25, marking a pivotal milestone in the modernization of privacy regulations in Quebec. The new requirements are currently in effect, with most starting in September 2023.

The Commission d’accès à l’information du Québec (CAI) is responsible for enforcing the law.

What is personal information under Quebec Law 25?

Personal information under Quebec Law 25 includes any information about a natural person that allows that person to be identified. Examples include full name, physical address, email address, phone number, financial records, health records, etc. It excludes public records and information pertaining to journalistic, historical, or genealogical material collected, held, used, or communicated in the public interest.

The law applies to personal information regardless of its format or accessibility, including but not limited to written, graphic, taped, filmed, digital, or any other form. 

Personal information also includes information held by a professional to the extent provided by the Professional Code (chapter C-26).

Quebec Law 25 also defines a further category: sensitive personal information. This category covers data related to an individual’s health, biometrics, or any other information of an intimate nature. Such information carries a reasonable expectation of privacy, and its use or disclosure carries a heightened risk.

Who does Quebec Law 25 apply to?

Law 25 applies to businesses involved in organized economic activities, such as collecting, storing, using, or sharing the personal information of Quebec residents with third parties, or providing services to Quebec residents, whether or not they operate for profit.

Like GDPR, Law 25 also applies to businesses that operate outside of Quebec as long as they process the personal information of Quebec residents.  

The law exempts public bodies or people representing a public body from compliance.

What are the main requirements of Quebec Law 25?

Appointment of a privacy officer

Any person running a business is responsible for safeguarding the personal information they hold. The highest authority within the business must ensure that the legal requirements for protecting personal information are met. However, they can delegate some or all of these responsibilities to another person.

Transparency

The business must make the contact information of the person in charge of personal information protection (privacy officer) publicly available, either on their website or through other appropriate means.

Governance policies

Businesses must create and follow policies and practices for keeping personal information safe. These policies should state how long the business keeps the data, the roles and responsibilities of staff who work with personal information, and how the business handles complaints about data protection.

The rules should match the size of the business and be approved by the person responsible for data protection.

Detailed information about these policies, including their content, must be published in a clear and straightforward manner on the business’s website or made available through other means.

Privacy Impact Assessment

Businesses must conduct a privacy impact assessment for any project involving the collection, use, sharing, retention, or destruction of personal information, particularly information systems or electronic service delivery systems. The person in charge of personal information protection should be consulted from the project’s outset. The assessment should consider the sensitivity of the data, its intended use, quantity, distribution, and storage medium.

Protection measures

The person in charge of personal information protection can recommend specific protection measures for projects, such as appointing a responsible person, safeguarding documents, defining project participants’ responsibilities regarding data protection, and providing training on data protection.

Breach notification

If a business suspects a confidentiality incident involving personal information has occurred, it must take reasonable measures to reduce the risk of harm and prevent further incidents. 

The law defines a “confidentiality incident” as unauthorized access to, use, sharing, or loss of personal information, or any other breach of the protection of such information.

If the confidentiality incident poses a risk of serious harm, it must be promptly reported to the CAI and affected individuals. However, notifications may be withheld if they could impede a criminal investigation.

Businesses must maintain a register of confidentiality incidents, the content of which may be determined by government regulation. A copy of this register must be provided to the relevant regulatory authority upon request.

Risk assessment

When assessing the risk of harm to individuals due to a confidentiality incident, businesses should consider factors such as the sensitivity of the information, the anticipated consequences of its misuse, and the likelihood of injurious use. Consultation with the person in charge of personal information protection is required.

Privacy policy

A business that collects personal information, especially for profiling, must inform users of:

  • The purpose of collecting the information
  • How they will use the information
  • Who in their organization can access it
  • Where they will keep the file
  • The rights users have to access and correct the information
  • The right to withdraw consent for using the information
  • Name and details of the third party with whom the information will be shared
  • Whether the information may be sent outside of Quebec

If the business uses technology, such as cookies, that can identify, locate, or profile users, it should inform users about the technology in use and how to deactivate it. When collecting personal information through technology, the business’s website should have a simple privacy policy. This policy must be easily accessible to users and should inform them about:

  • What personal information the business collects and why
  • Who might access their information and when
  • How the business protects the personal information
  • Whether the website uses cookies, and how
  • Their rights and how to address any concerns
  • Any changes to the policy

The policy should be understandable and tailored to the website’s personal information processing practices.

International data transfer

Before transmitting personal data from Quebec to a location outside the province, a business must carefully assess whether the data will be at least as well protected there. This involves conducting a Privacy Impact Assessment (PIA), setting up a contract with the recipient, and notifying the people whose data is being sent.

What are the consent requirements under Quebec Law 25?

Quebec law requires opt-in consent for collecting, using, or sharing personal information. Before getting consent, evaluate whether collecting, using, or sharing personal information is necessary, legitimate, important, and proportional to the intended purpose.

For consent to be valid, it must be:

  • Manifest: Clearly expressed, reflecting the individual’s genuine intent.
  • Free: Given without any pressure or constraints, allowing for a real choice.
  • Informed: Provided with all necessary information to fully understand its scope.
  • Specific: Related to a precise and clearly defined purpose.
  • Temporary: Valid only for the time required to achieve the stated purpose.

Additional requirements as of September 22, 2023

  • Granular: Requested for each specific purpose.
  • Understandable: Clearly explained in simple terms.
  • Separate: Requested separately when given in writing.


For minors under 14 years of age, businesses must obtain consent from a parent or guardian before using or sharing their personal information. If the minor is 14 years or older, either the minor or their parent/guardian can provide consent. If collecting the data benefits the minor, organizations can collect it without parental consent.

What are rights under Quebec Law 25?

Here are the key data subject rights under Law 25:

  • Right to be informed: Users have the right to know how their personal data will be collected, used, and shared. This includes knowing why it’s being processed and who else might be involved.
  • Right to access: Users can ask for access to their personal data held by an organization. They can find out what data they have and get a copy.
  • Right to rectify: If users find mistakes or incomplete info in their personal data, they can request corrections.
  • Right to erasure: Users can request the removal of their data in certain cases, like when it’s no longer needed.
  • Right to withdraw consent: Users can change their minds and withdraw their consent for their data to be used.
  • Right to data portability [to be effective September 22, 2024]: Users can request their data in a readable format and even ask for it to be sent to another organization if it’s possible. This is handy when they’ve given consent or have a contract.
  • Right to be informed about automated processing: Users have the right to be informed when their personal information is used for automated decisions in business, and this information must be provided simultaneously with the decision itself.

Businesses are expected to reply to requests within 30 days of receiving them, and users may have the option to request an extension if needed.

What is Law 25’s phased approach?

Quebec Law 25’s requirements are rolled out in three phases: some are active from September 22, 2022, the majority from September 22, 2023, and the rest from September 22, 2024. 

September 22, 2022:

  • Appoint a data protection contact
  • Handle data breaches
  • Conduct privacy impact assessments (PIAs)
  • Adhere to new data-sharing rules
  • Report biometric identity checks

September 22, 2023:

  • Establish clear data policies
  • Conduct PIAs for external data sharing
  • Follow consent rules
  • Dispose of or anonymize data as required
  • Meet transparency obligations
  • Comply with data sharing and use rules
  • Collect data on minors responsibly
  • Uphold the right to be forgotten

September 22, 2024:

  • Respond to data portability requests

What is the penalty for a violation under Quebec Law 25?

Individuals or entities that violate personal information laws may face substantial fines based on the severity of the offense and whether it is a repeat offense.

The fine can reach up to $10 million CAD or 2% of their global turnover, whichever is greater.

Fines for individuals (natural persons) who break the law range from $5,000 to $100,000.

For more severe violations, fines range from $15,000 to $25 million, or 4% of worldwide turnover for the preceding fiscal year, whichever is greater.

The CAI can initiate penal proceedings for these offenses. In the case of subsequent offenses, the fines are doubled.

What is the difference between Law 25 and PIPEDA?

Quebec’s Law 25 is a stricter data privacy regulation than PIPEDA, Canada’s broader federal privacy law, in several key respects.

To begin with, Law 25 confers upon Quebec users rights that PIPEDA does not provide. These encompass the right to request data deletion and the right to receive personal data in a portable format.

Furthermore, Law 25 enforces more rigorous consent requirements by mandating that tracking technologies cannot activate without explicit consumer consent. PIPEDA allows many data collection practices in Canada to adhere to opt-out consent standards, unlike Law 25’s explicit opt-in consent requirement.

Checklist to Comply with Quebec Law 25

  • Inform users through a clear and concise privacy policy.
  • Ensure all data collection, use, and sharing (including cookie usage) is based on explicit and informed consent.
  • Develop and publish data protection policies.
  • Make provisions for users to exercise their data rights.
  • Appoint a Privacy Officer and make their contact information public.
  • Conduct Privacy Impact Assessments (PIAs).
  • Implement recommended protection measures.
  • Notify the enforcing commission and affected users in the event of a data breach.

Frequently Asked Questions on Quebec Law 25

What is the Bill 64 Act in Quebec?

Bill 64, also known as Law 25, is privacy legislation in the province of Quebec, Canada. It aims to modernize and strengthen the privacy protection framework for individuals’ personal information.

What is the Quebec Law 25 automated processing?

Under Quebec Law 25, automated processing refers to the use of technological means to collect, use, or disclose personal information. If an organization uses automated processes that involve personal data and could affect users’ rights or decisions about them, it must inform the person concerned about how their data is being used.

What does Law 25 in Quebec say about cookies?

If an organization uses technology, such as cookies, that can identify, locate, or profile users, it must obtain opt-in consent beforehand. Additionally, it should proactively inform users about the cookies in use and provide guidance on how to deactivate them. When collecting personal information through cookies, the business’s website should feature a straightforward privacy/cookie policy. This policy must be readily accessible to users and provide comprehensive information about the organization’s personal information practices.
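As an added illustration of the opt-in rule described here and in the privacy policy section above (example code written for this page, not from the page, the CAI, or any consent vendor), the following JavaScript consent gate only runs a tracker’s loader after an explicit, per-purpose grant, keeps anything unlisted refused, and honours withdrawal immediately. The purpose names and the record layout are this example’s own assumptions.

```javascript
// Added example: a consent gate for tracking technologies modelled on
// Law 25's opt-in rules. Nothing is assumed until the user acts, consent
// is granular per purpose, and withdrawal takes effect at once.
// The purpose names and record layout are assumptions, not from the law.
const PURPOSES = ["analytics", "advertising", "geolocation"];

// Fresh state: no decision recorded, so every purpose is refused.
function createConsentState() {
  return { version: 1, decided: false, granted: {}, updatedAt: null };
}

// Record an explicit grant. Only the listed purposes become allowed;
// every other purpose stays refused (granular, not all-or-nothing).
function grantConsent(state, purposes, now = Date.now()) {
  const granted = {};
  for (const p of PURPOSES) granted[p] = purposes.includes(p);
  return { ...state, decided: true, granted, updatedAt: now };
}

// Withdrawal: every purpose is refused again from this moment on.
function withdrawConsent(state, now = Date.now()) {
  return grantConsent(state, [], now);
}

function isAllowed(state, purpose) {
  return state.decided && state.granted[purpose] === true;
}

// Gate a tracker: its loader runs only when its purpose is consented to.
// Returns whether the loader actually ran, so the site can audit it.
function loadTracker(state, purpose, loader) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose ${purpose}`);
  if (!isAllowed(state, purpose)) return false;
  loader();
  return true;
}

// Persist the decision (e.g. in a first-party cookie) so the choice
// survives page loads without depending on any tracker; unreadable or
// unknown-version records fall back to "no decision".
function serialiseConsent(state) { return JSON.stringify(state); }
function parseConsent(raw) {
  try {
    const s = JSON.parse(raw);
    return s && s.version === 1 && typeof s.granted === "object" ? s : createConsentState();
  } catch {
    return createConsentState();
  }
}
```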