In September 2021, the Government of Quebec enacted a new privacy law that introduced sweeping changes to how companies doing business within that province administer personal information. These changes were initiated in the aftermath of Bill C-11, the proposed federal privacy reform that did not complete the legislative process because of the early federal election call. Unlike the federal Bill C-11, the Quebec legislation, An Act Respecting the Protection of Personal Information in the Private Sector (AKA Law 25, formerly “Bill 64”), passed into law in September 2021, introducing data protection requirements that are heavily modelled on the European Union’s General Data Protection Regulation (GDPR). As a result, Law 25 is far ahead of other comparable Canadian data privacy laws in terms of the obligations it imposes on companies and the privacy rights given to members of the public.
The new Law 25 applies to all private-sector entities and public bodies based in Quebec, as well as to any out-of-province business organizations handling the personal information of Quebec residents. Therefore, Law 25 applies not only to domestic entities, but also to any foreign entities doing business in the Province of Quebec.
Schedule of Requirements
Business obligations under Law 25 are designed to roll out in phases: on each anniversary of its enactment (September 2021) through 2024, a new set of privacy compliance obligations becomes binding law in practice. The goal is to have all parts of Law 25 binding no later than September 2024, allowing businesses up to three years to set up and operationalize their Privacy Program. Summarized below is the roll-out of the requirements on each anniversary date:
- Hire a Data Privacy Officer (consultant or employee) who will design and oversee the company’s Privacy Management Program (in the absence of such a person, the CEO is the Data Privacy Officer by default). The contact information of that resource person must be accessible; for example, it should be published on the company website (s. 3.1).
- Mandatory Breach Reporting: implement a Privacy Breach Response Protocol that requires entities to report “confidentiality incidents” to the regulator and/or to affected stakeholders and to maintain a register of these incidents (ss. 3.5-3.8).
- Consent: ensure that consent is always free and unencumbered, and that adequate notice is given to individuals at the time their data is collected. If there is scope creep where personal data is used for purposes beyond those for which they were originally collected (or “secondary purposes”), an entity must duly obtain new consent (ss. 8.3, 12, 14).
- Document collection: establish privacy policies and procedures to create the framework within which an entity manages data privacy and ensures that privacy protection measures are in place (s. 3.2).
- Privacy Impact Assessments (PIAs) must be completed on all IT systems that heavily collect, use, disclose, and store personal information, with specific attention paid to the impact on persons whose privacy has been breached, especially if highly sensitive personal data is involved (ss. 3.3-3.4).
- Cross-border data transfers: PIAs must be conducted on IT systems, projects, initiatives, or procedures that send personal data outside of Quebec (s. 17).
- Automated decision-making: establish a process whereby, if a company uses IT systems that process personal data to make decisions affecting the rights and freedoms of persons, it advises those persons that it is relying on automated decision-making mechanisms (s. 12.1).
- Transparency: through relevant documentation, ensure that any profiling done by a company is transparent and open to queries from the public (s. 8.1).
- Review of outsourcing agreements to align with data protection requirements (s. 18.3).
- Retention and destruction: establish and operationalize policies and procedures governing when a business entity deletes data. Retention and destruction are not the same thing: destruction needs to be a fully operational back-end process (s. 23).
- Right of de-indexation: the right of a person to direct an entity to destroy all the data it holds about that person, subject to any exceptions provided by Law 25 (s. 28.1).
- Right of data portability: a person may direct an entity to give them a copy of all the personal information collected from them and derived from the personal data they gave to the organization. The data set must be provided in a common, technologically readable format.
What Are the Operational Requirements?
The following is an “at-a-glance” view of how a business can or should operationalize these outstanding requirements:
For September 2022
Data Privacy Officer
Hire a Data Privacy Officer. If you do not have one, the CEO is the Data Privacy Officer by default. A part-time consultant may act as an advisor to the company on privacy matters, while the designated Data Privacy Officer remains the CEO or an employee.
Mandatory Breach Response
Create and test a Privacy Breach Response Protocol, incorporating details about roles, responsibilities, workflow, and template breach reporting documents.
For September 2023
Consent
Ensure that your consent forms are kept up to date and accurate, and that they unambiguously reflect how your organization collects, uses, discloses, and stores personal information.
Privacy Management Program
Establish and maintain a document collection that includes all privacy-related policies (governance) and procedures (operational).
Privacy Impact Assessment (PIA)
Complete a PIA on any IT system where the processing of personal information involves sensitive personal data or is considered a high-risk activity. PIAs should also be completed on any projects or IT systems where personal information crosses borders or is sent out of the province.
Automated Decision-Making
Ensure that persons are made aware when decisions affecting them are made exclusively by automated means, with no human intervention.
Outsourcing Agreements
Review any service agreements, licensing agreements, or similar documents to ensure that data protection schedules are in place.
Retention and Destruction
Establish policies and procedures on how long personal data is retained, when it is to be deleted, and the actual workflow for deleting the stored data.
Right of De-Indexation
Create a process whereby personal data can be removed from processing upon request from the person to whom that data pertains, and document any exceptions thereto.
For September 2024
Right of Data Portability
Create a technical workflow through which a person may request a copy of all the personal data from, about, derived from, or pertaining to them.
For instances of non-compliance, the penalty schedule of Law 25 includes:
- For administrative violations, fines are up to 2% of annual turnover or CAD$10 million;
- For penal violations (those with a criminal component), fines are up to 4% of annual turnover or CAD$25 million; and
- Sections 158 & 159 of Law 25 allow fines to be levied against individuals as well as companies: “anyone who commits an offence and is liable to a fine of CAD$5,000 to CAD$50,000 in the case of a natural person and of CAD$15,000 to CAD$150,000 in all other cases.”
The above fines can be levied directly by the Quebecois Privacy Regulator (CAIQ), meaning that no lawsuit is needed to enforce the penalties. These fines do not preclude anyone from initiating legal proceedings against a company for invasion of privacy, which may include class action lawsuits for major privacy breaches.
What Are the Risks of Not Complying with Privacy Laws?
- Reputational harm or damage to a business’s brand name.
- Drop in company stock price (for publicly traded businesses).
- Loss of business.
- Immediate out-of-pocket costs if a breach occurs and damage must be mitigated, such as retaining IT security breach response teams, external legal counsel, crisis management firms, and publicists.
- Denial of cyber-liability insurance coverage: insurers may take a dim view of a business that has not completed its due diligence.
How Can I Be Compliant with Law 25?
There are several due diligence steps a business can take to comply with Law 25, and In-Sec-M, through its IRAP Program (90%+ subsidy) or the Law25 Program (50%+ subsidy for Quebec-based companies), has considerable resources to connect businesses with their compliance needs. These include the following:
- Recommending and appointing a Data Privacy Officer to respond to queries, concerns, and complaints on behalf of the entity;
- Retaining an external consultant to develop a Data Privacy Program for the organization;
- Creating and maintaining a data inventory, with data sets listing all types of personal data collected;
- Conducting a Privacy Gap Assessment exercise to identify any gaps in data privacy compliance;
- Completing Privacy Impact Assessments as a risk mitigation tool and due diligence exercise;
- Implementing sufficient IT security measures and safeguards to ensure your environment is secure;
- Creating and operationalizing a privacy breach response protocol (in addition to an incident response protocol);
- Training staff in data privacy on a regular basis to help foster a culture of privacy awareness throughout the organization;
- Creating a privacy road map to compliance (based on regulatory resources), including an assessment of the applicable laws and the current best practices in place; and
- Consulting with legal counsel and insurers to ensure there is sufficient coverage and risk mitigation steps in place.
Not every business organization needs to complete every bullet point mentioned above unless the new Law 25 requires it. Some of the above activities are better suited to larger organizations with complex IT security infrastructure, or to smaller businesses that process highly sensitive data (such as health records, financial information, or criminal history). The size of the company does not absolve the business of its full liability in the event of a privacy breach or a major security incident.