Everything you need to know about Law 25

The collection, use and exploitation of data that constitutes personal information are increasingly common around the world, particularly as artificial intelligence greatly facilitates the process, and are often essential to business operations.

The privacy laws applicable in Quebec were in some respects outdated compared with technological developments and with laws applicable in other jurisdictions around the world (such as the General Data Protection Regulation in the European Union). With this in mind, Quebec is the first Canadian province to modernize its privacy regime to bring it in line with current realities.

In this article, we explain everything you need to know about Law 25:

  1. What is Law 25?
  2. Coming into force of Law 25
  3. What is the purpose of Law 25?
  4. Obligations that come into effect on September 22, 2022
  5. New obligations as of September 22, 2023
  6. New obligations as of September 22, 2024
  7. What are the rights of Quebec users?
  8. Cyberimpact and Law 25
  9. Tips for complying with Law 25
  10. What about PIPEDA?

What is Law 25?

As a result, the Act to modernize legislative provisions respecting the protection of personal information (“Law 25”) was adopted on September 22, 2021. Law 25 amends several laws currently in force in Quebec, including the Act to establish a legal framework for information technology, the Act respecting access to documents held by public bodies and the protection of personal information and the Act respecting the protection of personal information in the private sector.

Coming into force of Law 25


Law 25 came into effect gradually from September 22, 2022, to September 22, 2024. During this period, private companies and public organizations doing business in Quebec will face new obligations and have new rights regarding the protection of personal information. These businesses and organizations will need to ensure that they update their policies, practices and processes to avoid potentially significant fines (for example, in the event of a breach, a business could face fines ranging from $15,000 to $25 million, or 4% of the company's turnover).

What is the purpose of Law 25?

Law 25 generally modernizes the framework applicable to the protection of personal information collected by a person carrying on a business in Quebec, with a view, in particular, to increasing public trust in businesses and to supporting responsible innovation that takes into account the privacy rights of individuals.

To give just a few examples, Law 25 accomplishes these objectives by introducing rules regarding the handling of incidents affecting the confidentiality of personal information, transparency obligations in relation to the governance of personal information, and new consent requirements for the collection, use and disclosure of personal information.

New obligations that come into effect on September 22, 2022:

  1. Designate a Privacy Officer who is accountable for compliance with the Act and whose title and contact information shall be made publicly available (e.g., on the company’s website). In the absence of such a designation, the individual with the highest authority in the organization will be the Privacy Officer.
  2. Establish an incident management plan and procedures to follow in the event of privacy incidents. The incident may refer to unauthorized access, loss, unauthorized disclosure, and any other breach of personal information.
  3. Build a privacy incident log to record all incidents, even those that do not pose a risk of serious harm, and establish a notification process.
  4. Diligently disclose any privacy incident that poses a risk of serious harm to the Commission d’accès à l’information du Québec and to any individual whose personal information is affected by the incident.

Overall, starting from September 22, 2022, the new obligations will affect how companies must manage and protect the collection and use of personal information.

New obligations as of September 22, 2023:

  1. Develop a governance framework for the protection of personal information (practices governing the retention, destruction, and anonymization of personal information).
  2. Implement a process for handling complaints regarding the protection of personal information and de-indexing.
  3. Enhance the information provided to citizens when collecting their personal information on your company’s website, such as the names of third parties for whom the information is collected and the categories of third parties.
  4. Destroy or anonymize personal information in certain circumstances.
  5. Respect the right of the person concerned to withdraw their consent to the communication or use of their personal information.
  6. Assess privacy risks in certain uses and communications of personal information.
  7. Obtain prior consent from the individual to use their personal information for commercial prospecting purposes.
  8. Inform the person of the possibility that their personal information may be transferred outside the territory of Quebec.

In summary, the obligations that come into effect as of September 22, 2023, concern your company's transparency towards your users about the data it collects, as well as the obligation to obtain their consent regarding the use of their personal data.

New obligations as of September 22, 2024:

Communicate to the individual concerned, upon their request, the personal information that they have provided to a company.

What are the rights of Quebec users under Law 25?

Law 25 constitutes a favorable advancement for Quebec users. Indeed, this new regulation strengthens the protection of personal data and grants greater control to the individual. As of September 22, 2023, users will have the right to:

  • Greater transparency from companies regarding how their personal information will be collected, used, and gathered by private organizations.
  • Requests for consent must be formulated in clear and simple language, which facilitates understanding and acceptance of the terms proposed by companies. This allows users to better understand what they are consenting to, which suggests that explicit consent will be required.
  • Companies will now be required to respect users’ right to request the cessation of the dissemination of their personal information. Thus, for companies, it will be more difficult to track conversions and data performance in Google Analytics.
  • Users will be entitled to a digital copy of all personal information that organizations have collected about them. This will allow them to better control the use of their personal data.

Does Cyberimpact comply with Law 25?

Cyberimpact ensures that its activities comply at all times with the laws applicable to the protection of personal information in all jurisdictions where it operates, including the new provisions of Law 25 when they gradually come into force. We take the protection of personal information and other data entrusted to us by our customers and partners seriously. If you have any questions in this regard, we invite you to consult our Privacy Policy or to contact us.

Tips for complying with Law 25

We recommend that you familiarize yourself with the new Law 25 as soon as possible to ensure that your business will be able to make the necessary changes to comply before it comes into force. Many relevant resources are available to the public online regarding Law 25.

What about PIPEDA?

The Personal Information Protection and Electronic Documents Act (“PIPEDA”) is a Canadian federal law that governs the collection, use and disclosure of personal information in the course of commercial activities in Canada. PIPEDA applies across Canada, except in Quebec, British Columbia and Alberta, as these provinces have enacted legislation that is considered “substantially similar to PIPEDA” (although PIPEDA continues to apply to federally regulated businesses in these provinces, such as banks and airports).

Law C-27 (An Act to enact the Consumer Privacy Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts) is currently under consideration by the Canadian government, which would replace PIPEDA with a legal framework that is better suited to the current technological environment.

At the time of publishing this article, this new law is still in second reading in the House of Commons and has not yet been assented to. We advise you to keep an eye on the progress of Law C-27, which will also have repercussions on your company’s rights and obligations in relation to the exploitation, collection and use of data that constitutes personal information.

* The information provided in this article does not constitute legal advice. We encourage you to consult with legal counsel for any questions you may have regarding personal information laws. This article is provided for informational purposes only, without any warranty as to the quality, accuracy or completeness of the information contained herein.
