You’ve heard rumblings of Québec’s Law 25, previously referred to as Bill 64, “An act respecting the protection of personal information in the private sector”. Gaining a reputation as the world’s strictest data privacy law, it’s clear that it’ll dramatically affect the way we collect, protect and consent to sharing personal data. Law 25 affects all businesses that collect data on Québec residents, including companies based outside the province. This means, for example, if you’re an Ontario company with contacts from Québec in your database, this law affects your organization too.
A Growing National Trend
Canada is set to revamp its federal privacy laws with Bill C-27 currently in parliamentary discussion. Other provinces are considering updating their privacy laws to offer wider protection to consumers as well. The fines for non-compliance are quite hefty, ranging from a minimum fine of $1,000 CAD to as much as $25,000,000 CAD or four percent of worldwide turnover for the preceding fiscal year.
Don’t panic. We’re here with a guide that’ll get you in the know and prepared for everything.
Timeline and How to Take Action
Here we will help guide you with what you need to do to ensure compliance.
September 22, 2022 Requirements
Even though the vast majority of the requirements of Law 25 will come into effect on September 22, 2023, a portion of it has already come into effect as of September 22, 2022. If you haven’t taken action on the following, prioritize these steps first.
- Designate a privacy officer. By default, if one is not designated, this will be the CEO or highest level director of the company.
- Notify the Commission d’accès à l’information (CAI) and the affected individuals of any privacy breaches which present a risk of serious harm that occur. You can notify the CAI by completing the Declaration of Incident Form (only available in French) on the CAI website and sending it to them either by email, fax or snail mail.
- Record all security incidents. Keep those records on hand for five years.
- Align with your internal legal team: IT, marketing and all relevant stakeholders to develop a plan and ensure compliance.
Sept 22, 2023 Requirements
This is when the crux of the legislation comes into effect. These requirements represent quite a few big changes, so putting new policies in place now will help your organization adapt well and comply with Law 25’s requirements.
- Establish and implement internal privacy policies to manage and protect personal information. This includes reviewing any contracts with third party service providers and how they manage personal data. It is also important to ensure that they will promptly report to you all privacy incidents involving personal information.
- Review your current process for obtaining consent for collecting personal information. Consent needs to be obtained separately for each specific purpose, meaning if you collect a name and email for an event registration, you must also ask for consent separately for sending a newsletter. Consent clauses should always be presented in clear and simple language.
- Update your subscription forms to include the specific reason for collecting personal information and the right for the user to modify or withdraw consent at any time.
- Deactivate any data collection device that collects information by default.
- Obtain explicit consent from the user for any data collection device that is active such as a cookie warning with the option to opt out.
- Store records of consent obtained.
- Conduct a privacy impact assessment for any projects involving personal information. This goes for any projects that will acquire, develop or overhaul an information system or electronic service delivery system.
- Conduct a privacy impact assessment for any data transfer outside the province of Québec. This means you need to first identify every single transfer of personal information outside the province that occurs. You’ll then need to classify the different types of cross-border data transfer, meaning identifying the type of personal information and where it’s being transferred. Each different type of cross-border transfer should then undergo a privacy impact assessment which evaluates whether the data will receive the same level of protection in the new jurisdiction and identifies any risks. You can refer to the Guide d’accompagnement (in French only) for more information.
- Facilitate the right of erasure. Clients have a right to be forgotten. Ensure you are able to identify all personal information you have on a client and double check that you have procedures in place in order to erase all of a client’s data at their request.
Note: there are some exceptions to obtaining consent for commercial transactions and research purposes. If this applies to you, consult your legal team to understand how these exceptions apply.
Sept 22, 2024 Requirements
This may feel far into the future, but don’t let it catch you off-guard. Being prepared will help you get ahead of the game and be sure your company is ready.
- Facilitate data portability. You must be able to generate a report on all personal information you have on a client at the client’s request. Ensure that you have pipelines in place in order to do this efficiently.
Québec’s new legislation is very onerous and goes even further than the European General Data Protection Regulation (GDPR) requirements. However, it's part of a growing global trend to legislate stricter privacy requirements, so getting prepared by having the proper mechanisms in place will ensure success and compliance long term.