The exploitation, collection and use of data that constitutes personal information are increasingly used around the world, particularly with artificial intelligence greatly facilitating this process, and are often essential to the business operation.
The current privacy laws applicable in Quebec were in some respects outdated in comparison to technological developments and to some other laws applicable in other jurisdictions around the world (such as the General Data Protection Regulation in the European Union), and with this in mind, Quebec is the first Canadian province to modernize its privacy regime to bring it in line with current realities.
What is Law 25?
As a result, the Act to modernize legislative provisions respecting the protection of personal information (“Law 25”) was adopted on September 22, 2021. Law 25 amends several laws currently in force in Quebec, including the Act to establish a legal framework for information technology, the Act respecting access to documents held by public bodies and the protection of personal information and the Act respecting the protection of personal information in the private sector.
Coming into force of Law 25
Law 25 will come into force gradually from September 22, 2022, to September 22, 2024. During this period, private companies and public organizations doing business in Quebec will face new obligations and have new rights regarding the protection of personal information. These businesses and organizations will need to ensure that they update their policies, practices and processes to avoid potentially significant fines (for example, in the event of a breach, a business could face fines ranging from $15,000 to $25 million, or 4% of the turnover of this company.
What is the purpose of Law 25?
Law 25 generally modernizes the framework applicable to the protection of personal information collected by a person carrying on a company in Quebec, with a view, in particular, to increase public trust in businesses and to support responsible innovation that takes into account the privacy rights of individuals.
To give just a few examples, Law 25 accomplishes these objectives by introducing rules regarding the handling of incidents affecting the confidentiality of personal information, transparency obligations in relation to the governance of personal information, and new consent requirements for the collection, use and disclosure of personal information.
What are the new obligations that come into effect on September 22, 2022?
- Designate a Privacy Officer who is accountable for compliance with the Act and whose title and contact information shall be made publicly available (e.g., on the company’s website). In the absence of such a designation, the individual with the highest authority in the organization will be the Privacy Officer.
- Establish an incident management plan and procedures to follow in the event of privacy incidents. The incident may refer to unauthorized access, loss, unauthorized disclosure, and any other breach of personal information.
- Build a privacy incident log to record all incidents, even those that do not pose a risk of serious harm, and a notification process.
- Diligently disclose any privacy incident that poses a risk of serious harm to the Commission d’accès à l’information du Québec and to any individual whose personal information is affected by the incident.
Does Cyberimpact comply with Law 25?
Tips for complying with Law 25?
We recommend that you familiarize yourself with the new Law 25 as soon as possible to ensure that your business will be able to make the necessary changes to comply before it comes into force. Many relevant resources are available to the public online regarding Law 25.
What about PIPEDA?
The Personal Information Protection and Electronic Documents Act (“PIPEDA”) is a Canadian federal law that governs the collection, use and disclosure of personal information in the course of commercial activities in Canada. PIPEDA applies across Canada, except in Quebec, British Columbia and Alberta, as these provinces have enacted legislation that is considered “substantially similar to PIPEDA” (although PIPEDA continues to apply to federally regulated businesses in these provinces, such as banks and airports).
Law C-27 (An Act to enact the Consumer Privacy Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts) is currently under consideration by the Canadian government, which would replace PIPEDA with a legal framework that is better suited to the current technological environment.
At the time of publishing this article, this new law is still in second reading in the House of Commons and has not yet been assented to. We advise you to keep an eye on the progress of Law C-27, which will also have repercussions on your company’s rights and obligations in relation to the exploitation, collection and use of data that constitutes personal information.
* The information provided in this article does not constitute legal advice. We encourage you to consult with legal counsel for any questions you may have regarding personal information laws. This article is provided for informational purposes only, without any warranty as to the quality, accuracy or completeness of the information contained herein.