Everything You Need To Know About Quebec's Law 25: A Comprehensive Guide to Privacy and Data Protection in Canada [Updated 2024]

Staying informed about legal frameworks and best practices is crucial for businesses operating in Canada. Quebec's Law 25, officially known as the "Act to modernize legislative provisions as regards the protection of personal information," stands as a significant step towards strengthening data protection rights within the province.

This comprehensive guide dives deep into the key aspects of Law 25, offering an updated understanding of its provisions as of 2024. Whether you're a Quebec-based business or an organization interacting with residents of the province, this guide equips you with the knowledge necessary to navigate the evolving landscape of data privacy in Canada.

Get ready to explore the core principles of Law 25, its impact on individuals and organizations, and essential steps towards achieving compliance. We'll delve into key areas like user consent, data breach notification, and data minimization, ensuring you stay informed and empowered in the face of this transformative legislation.

What is Quebec's Law 25?

Law 25, also known as the "Act to modernize legislative provisions as regards the protection of personal information" or simply Bill 64, is a comprehensive piece of legislation enacted in Quebec, Canada, that significantly strengthens data protection rights for individuals and imposes new responsibilities on organizations that handle personal information. It was adopted in September 2021 and came into effect in phases, with some key provisions fully implemented as of September 2023.

The law aims to modernize Quebec's existing data privacy framework, aligning it with more stringent global standards like the General Data Protection Regulation (GDPR) in the European Union. It introduces several key changes, including:

• Enhanced user consent: Organizations need explicit and informed consent from individuals before collecting, using, or disclosing their personal information.
• Increased transparency: Businesses are required to provide clear and easily accessible information about how they collect, use, and protect personal data.
• Stronger enforcement mechanisms: The law establishes a new data protection authority with increased enforcement powers and the ability to impose significant penalties for non-compliance.
• New data breach notification requirements: Organizations must notify individuals and the relevant authorities in case of a data breach that is likely to cause serious harm.

Law 25 has significant implications for businesses operating in Quebec or collecting data from individuals residing in the province. Understanding its provisions and implementing appropriate compliance measures is crucial for businesses to avoid potential legal ramifications and protect user trust.

What is Quebec's Bill 64?

Quebec's Bill 64 is the same piece of legislation as Law 25. While both names are used interchangeably, Law 25 is the official name given to the legislation once enacted, while Bill 64 refers to it during its proposal and pre-enactment stage.

Therefore, Bill 64 and Law 25 refer to the same comprehensive data protection legislation in Quebec, Canada, aimed at strengthening individual privacy rights and imposing stricter regulations on organizations handling personal information.

When does the Law 25 come into effect?

Quebec's Law 25, also known as Bill 64, was enacted in September 2021. However, its various provisions came into effect in a phased approach:

• 22 September 2022: This initial phase implemented some key requirements, including:

- Appoint a privacy officer. The CEO is in charge of protecting personal information by default, but they may delegate these tasks in writing to someone else in the organization. The Privacy Officer’s job is to ensure that the organization implements the legal requirements. Their contact information needs to be published on the company website.

- Breach reporting. Businesses will have to inform the Commission d’accès à l’information (CAI) and affected individuals about any data breach that poses a serious risk to the individuals. Businesses currently have this obligation under PIPEDA, but the Quebec Privacy Law imposes a similar requirement.

In addition, businesses have to keep a register of all breaches.

• 22 September 2023: This major phase saw the implementation of most of Law 25's provisions, including:

- Policies and practices about data processing. Businesses will have to establish and implement policies and practices regarding collecting and processing personal data. These policies will provide a framework for the processing, determine the roles of the personnel involved in the processing, and establish a process of dealing with complaints.

It also needs to establish a confidentiality policy to share personal data with third parties.

- Increased transparency. Businesses have to be transparent to users about how they use their data. This includes providing information about the categories of data processed, the processing purposes, the third parties involved in the processing, the data subject rights, etc. In general, this information needs to be included in a privacy policy.

In addition to this information, businesses will have to meet increased requirements about the use of profiling, geolocation, and identification technologies.

- Privacy impact assessments (PIA). Businesses will have to do a privacy impact assessment for any information system project or electronic service delivery project involving the collection, use, communication, keeping, or destruction of personal information and communicating personal information outside Quebec. The PIA should be proportionate with the sensitivity of the data, the purpose of processing, the amount of data, etc.

- Automated processing notice. Businesses will have to inform users if their personal data is processed automatically. The processing results affect their rights (for example, an insurance company processes personal data automatically to determine the premium).

- Cross-border transfers. In general, cross-border transfers are allowed, but they must be subject to a privacy impact assessment. This assessment should determine whether the transfer is safe. If it is safe, businesses can transfer data across Quebec borders.

- Written agreements with service providers. Service providers are the data processors. According to Bill 64, service providers can process data only based on a written agreement, similar to the GDPR requirement. The written agreement must contain information about the purpose of processing, data security measures, etc.

- Consent. Businesses will have to obtain explicit, free, informed, and specific consent for each processing purpose, which stretches out the standards set by PIPEDA. In addition, businesses have to obtain express consent for the secondary use of sensitive personal data.

- Privacy by default. The widely-known privacy concept will become part of Quebec law in 2023. It requires businesses to embed privacy on their products and services. This won’t apply to cookies, in any case.

- De-indexation rights. In addition to other data subject rights, including the right to be forgotten, Quebec Privacy Law will enable data subjects to request de-indexation of their personal information, which in practice would mean that the business has to cease disseminating the personal information or to de-index any link attached to their name.

- Retention and destruction. Organizations will have to destroy the personal data they do not need anymore or anonymize it and use it for a legitimate purpose.

• 22 September 2024: The final phase, which is currently underway, focuses on the implementation of:

- Data portability right. Users will have the right to obtain their personal information from your records and move it to another data controller.

Therefore, as of today, most of Law 25's provisions are already in effect, with the final phase coming into effect on September 22nd, 2024. Businesses operating in Quebec, or handling data from individuals residing there, are required to comply with the currently mandated requirements and prepare for the upcoming implementation of the right to data portability.

Who does Law 25 apply to?

Quebec's Law 25, also known as Bill 64, casts a wide net when it comes to its scope of application. Unlike some data privacy regulations that may focus on specific industries or organizational sizes, Law 25 applies to a diverse range of entities:

• Businesses: This encompasses all for-profit organizations, regardless of their size or industry, from small local businesses to large multinational corporations. Whether you operate a retail store, an online platform, or offer professional services, if you collect, use, or disclose personal information of individuals residing in Quebec, you are subject to Law 25's requirements.
• Public Institutions: Government agencies, educational institutions, and other public bodies in Quebec are also obligated to comply with the law. This ensures consistent data protection standards across the public sector and protects the personal information entrusted to these institutions.
• Non-Profit Organizations: Non-profit organizations, charities, and other entities not operating for profit are not exempt from Law 25. If they collect, use, or disclose personal information of individuals in Quebec in the course of their activities, they must adhere to the law's provisions.
• Individuals Acting in a Professional Capacity: Even individuals acting in a professional capacity, such as doctors, lawyers, accountants, or real estate agents, are subject to Law 25 if they handle personal information of Quebec residents. This ensures a comprehensive approach to data protection that extends beyond traditional organizational structures.

It is important to note that the scope of application is based on the location of the individual, not the organization. This means that even organizations located outside of Quebec, but collecting, using, or disclosing personal information of individuals residing in Quebec, are subject to Law 25. This emphasizes the territorial nature of the law and its intention to protect the privacy rights of Quebec residents, regardless of the organization's physical location.

Learn about the Bristish Columbia Personal Information Privacy Act.

What is considered "personal information" under Law 25?

Under Quebec's Law 25, personal information is defined as [anything that] "concerns a physical person and allows that person to be identified. It is confidential. Barring exceptions, it cannot be communicated without the consent of the person concerned.”

This means that personal information does not apply to information relating to a legal person (for example information concerning a business).

Sensitive information

Law 25 recognizes a category of "sensitive personal information" that deserves heightened protection. This includes data directly related to an individual's health, biometrics, or other details inherently private in nature, where individuals have a strong expectation of privacy.

What are some key requirements of Law 25?

Although Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) has already been effect, Law 25 is stricter and more comprehensive.

While Law 25 shares similarities with prominent data privacy regulations like GDPR and CCPA/CPRA, it also diverges notably from the typical framework of North American data privacy laws. This can be particularly evident for organizations accustomed to the general format of U.S. privacy regulations.

Explicit Opt-In Consent

Quebec's Law 25 stands out in North America as the only legislation requiring explicit opt-in consent for tracking technologies like cookies. This contrasts with the more prevalent opt-out approach common in the region, including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

Similar to the General Data Protection Regulation (GDPR) in Europe, Law 25 mandates that businesses:

• Obtain explicit and informed consent before deploying any technology that tracks personal information, including cookies.
• Provide clear and transparent information to users about:

- The purpose of data collection

- The methods employed for collection

- Individual rights regarding their data

Organizations already navigating the GDPR's consent management protocols will find Law 25's approach familiar. However, businesses accustomed to the opt-out framework of CCPA/CPRA require a significant shift in their approach. Under Law 25, automatic loading of cookies or deploying any tracking technology without explicit user consent is prohibited.

Data Privacy Officer

Quebec's Law 25 offers flexibility regarding its privacy officer role, which shares some similarities with but also differs from the General Data Protection Regulation's (GDPR) requirement for a data protection officer (DPO).

Responsibilities:

• Overseeing compliance activities such as:

- Fulfilling data subject access requests (DSARs)

- Reporting data breaches

- Conducting privacy impact assessments (PIAs)

Appointment:

• Law 25 allows organizations to either designate a specific individual as the privacy officer or default to the highest-ranking individual, who would then be considered the de facto privacy officer by the Commission for the Protection of Personal Information of Quebec (CPQPI).

Key Points:

• Optional: Unlike the GDPR, appointing a privacy officer under Law 25 is not mandatory.
• Transparency: Organizations must be transparent about who holds the privacy officer role, regardless of whether it's a designated individual or the default.

Private Right of Action 

Unlike many global data privacy laws, including PIPEDA and GDPR, Quebec's Law 25 empowers individuals with a private right of action. This allows citizens to take legal action, including collective action, against businesses that violate their privacy rights under the law, whether through intentional misconduct or gross negligence. Individuals can seek damages starting at a minimum of CAD 1,000.

Confidentiality by Default 

Inspired by the principle of privacy by design, Law 25 mandates confidentiality by default. This means that any public-facing system collecting personal information must automatically use the highest privacy settings, requiring no action by the consumer.  Crucially, this approach extends to consent: organizations cannot collect personal information without first obtaining the consumer's explicit and affirmative opt-in consent.

Data Privacy Impact Assessments 

Quebec's Law 25, like many privacy laws, mandates the conduct of a Privacy Impact Assessment (PIA) in specific situations. These include:

• Transferring personal information outside of Quebec.
• Developing, acquiring, redesigning, or modifying any system that processes personal information.
• Assessing whether personal information can be used for research purposeswithout individual consent.

Beyond these examples, the law might require a PIA in other scenarios.

Data Subject Rights 

Similar to other prominent data privacy laws, Law 25 empowers individuals with various data subject rights, granting them control over their personal information. These rights include:

• Right to access: Individuals can request access to their personal information held by the organization, allowing them to understand how it is being used.
• Right to rectification: Individuals have the right to request that inaccurate or incomplete information be corrected.
• Right to portability: Individuals can request their personal information in a structured format, making it easier to transfer it to another organization (coming soon in September 2024).
• Right to erasure (right to be forgotten): Individuals have the right to request that their personal information be deleted, subject to certain exceptions. This right is not currently present in most U.S. state laws.
• Right to information: Individuals have the right to understand how their personal information is collected, used, and disclosed. This includes information about any third-party recipients of their data.
• Right to object to automated decision-making: Individuals have the right to object to decisions made solely based on automated processing and potentially request human intervention.

By recognizing these rights, Law 25 emphasizes individual control over personal information and aligns with the broader data privacy landscape observed in other major regulatory frameworks.

Third-Party Data Protection Requirements 

Law 25 requires businesses to go beyond simply informing individuals about data transfers to third parties. Organizations must also implement robust contractual safeguards to ensure those third parties provide an appropriate level of protection for the transferred personal information. These safeguards typically address:

• Technical, physical, and organizational security measures: This encompasses practices like encryption, access controls, and data security protocols to safeguard the information.
• Purpose limitations: The third party cannot use the personal information for any purpose beyond what was originally agreed upon in the contract.
• Data retention limitations: Personal information cannot be retained by the third party longer than necessary to fulfill the contractual obligations.

Additionally, Law 25 grants organizations the right to:

• Obtain a written description of the safeguards implemented by the third party.
• Conduct audits to verify the effectiveness of those safeguards.

These comprehensive requirements ensure that personal information transferred outside an organization remains protected throughout its lifecycle, aligning with the core principles of Law 25.

International Data Transfer Requirements 

Quebec's Law 25 mandates that organizations transmitting personal data outside the province must:

• Assess the level of protection the data will receive in the destination jurisdiction, ensuring it's at least equivalent to the protection provided within Quebec.
• Conduct a Privacy Impact Assessment (PIA) to analyze the potential risks associated with the transfer.
• Establish a formal contract with the receiving third party outlining the necessary safeguards to protect the personal information.
• Inform the individuals whose information is being transferred.

Security

Complying with data privacy regulations like Law 25 necessitates a comprehensive approach to personal information protection. This includes:

• Data Mapping: Identifying and understanding the types and locations of personal information your organization collects, stores, and processes.
• Implementation of Cybersecurity Measures: Employing appropriate technical and organizational safeguards to mitigate risks of unauthorized access, disclosure, alteration, or destruction of personal information.
• Establishment of an Incident Response Plan: Developing a standardized process for identifying, containing, and recovering from data security incidents.

Who enforces Law 25?

Law 25 is enforced by the Commission for the Protection of Personal Information of Quebec (CPQPI), also known as the Commission d'accès à l'information du Québec (CAI) in French.

The CPQPI is an independent public body established under Quebec law responsible for:

• Promoting and protecting the right to privacy in the province.
• Supervising the application of Law 25.
• Providing information and guidance to individuals and organizations on personal information protection.
• Investigating complaints related to alleged violations of Law 25.
• Imposing administrative sanctions for non-compliance, including fines ranging from $5,000 to $25 million CAD.

Individuals who believe their privacy rights have been violated under Law 25 can file a complaint with the CPQPI. Additionally, the CPQPI has the authority to conduct inspections and audits of organizations to ensure compliance with the law.

What are the penalties for non-compliance with Law 25?

Quebec's Law 25 empowers various entities to enforce the law and hold violators accountable. This ensures comprehensive protection for individual privacy:

• The Commission for the Protection of Personal Information of Quebec (CPQPI) can issue administrative monetary penalties for minor to moderate offenses. These penalties range from $5,000 to $25 million CAD, or up to 4% of the organization's worldwide revenue.
• The Court of Quebec can impose even higher fines for severe offenses that cause significant harm to individuals. These fines can reach up to $25 million CAD or 4% of the organization's worldwide revenue.
• Individuals have the right to take legal action against violators of their privacy rights under Law 25. This allows individuals to claim damages of at least $1,000and potentially pursue collective action alongside other affected individuals.

How can businesses prepare for the Law 25?

While the majority of Law 25's provisions have already come into effect as of September 22nd, 2023, with the final phase coming soon in September 2024, businesses can still benefit from taking proactive steps for compliance. Here's a breakdown of some crucial steps businesses can take to prepare for Law 25:

1. Conduct a Privacy Audit: Assess your current data practices to identify any areas where your processes might not be compliant with Law 25. This may involve reviewing your data collection methods, storage practices, consent procedures, and security measures.
2. Develop a Comprehensive Privacy Policy: Create a clear and accessible privacy policy that outlines how you collect, use, and disclose personal information. Ensure the policy aligns with Law 25's requirements regarding transparency, consent, and individual rights.
3. Implement Robust Security Safeguards: Put in place strong technical and organizational measures to protect personal information from unauthorized access, use, disclosure, loss, or destruction. This includes encryption, access controls, and regular security updates.
4. Obtain Explicit and Informed Consent: Revisit your consent practices to ensure they meet Law 25's standards. Obtain explicit and informed consent from individuals before collecting, using, or disclosing their personal information. This requires clear, concise, and unambiguous communication about the purposes for which the data is collected and how it will be used.
5. Train Your Employees: Educate your employees on Law 25 and your organization's privacy policies and procedures. Ensure they understand their responsibilities regarding data handling and privacy protection.
6. Establish a Data Governance Framework: Develop a clear framework within your organization to govern your data handling practices. This framework should outline roles and responsibilities, data lifecycle management strategies, and procedures for handling data breaches and individual requests.
7. Designate a Privacy Officer (Optional): While not mandatory, consider designating a privacy officer within your organization who is responsible for overseeing compliance with Law 25.
8. Stay Updated: Law 25 is a relatively new piece of legislation, and the CPQPI may issue additional guidance or interpretations. Regularly monitor updates from the CPQPI to ensure you remain compliant with evolving regulations.

How does Law 25 compare to PIPEDA?

While both Quebec's Law 25 and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) aim to protect individuals' privacy regarding personal information, they differ in several key aspects:

Scope

• Law 25: Applies solely to the province of Quebec.
• PIPEDA: Applies to most commercial organizations across Canada, with some exceptions like government institutions and certain health information.

Consent

• Law 25: Requires explicit and informed consent from individuals before collecting, using, or disclosing their personal information. Consent must be freely given, specific, and unambiguous.
• PIPEDA: Allows for implied consent in some situations, where individuals can be assumed to have consented by their actions (e.g., providing information when purchasing a product).

Transparency and Individual Rights

• Law 25: Provides individuals with a wider range of rights regarding their personal information, including:

- Right to data portability: The ability to request their data in a structured format and transmit it to another organization (coming soon in September 2024).

- Right to object to automated decision-making: The right to challenge decisions made solely based on automated processing.

• PIPEDA: While PIPEDA grants individuals access and correction rights, it doesn't explicitly mention data portability or the right to object to automated decision-making.

Enforcement

• Law 25: Enforced by the Commission for the Protection of Personal Information of Quebec (CPQPI), with the ability to impose administrative monetary penalties ranging from $5,000 to $25 million CAD. Individuals can also take legal action against violators.
• PIPEDA: Enforced by the Office of the Privacy Commissioner of Canada (OPC), with the ability to recommend sanctions but not directly impose financial penalties. Individuals cannot directly sue organizations under PIPEDA; they can file complaints with the OPC.

Overall, Law 25 is considered to be more comprehensive and stringent than PIPEDA in its approach to data privacy protection. It offers stronger safeguards, clearer consent requirements, and broader individual rights compared to the federal law. Organizations operating in Quebec, or handling data from individuals residing there, must comply with both Law 25 and PIPEDA where applicable.

FAQs for Law 25 of Quebec

What is a "confidentiality incident"?

A confidentiality incident under Law 25 refers to any unauthorized event that compromises the security of personal information. This includes:

• Unauthorized access: Any individual or entity gaining access to personal information without legal permission.
• Unauthorized use: Any individual or entity using personal information in a way not authorized by law or beyond the purpose for which it was collected.
• Unauthorized disclosure: Any individual or entity revealing personal information to a third party without legal permission or the individual's consent.
• Loss of personal information: Any event where personal information is lost or misplaced, making it inaccessible or at risk of unauthorized access.

What are biometric characteristics under Law 25?

Quebec's Law 25 emphasizes user control and informed consent regarding the collection, use, and disclosure of personal information, including biometric data. Biometric data, broadly encompassing:

• Morphological: Physical characteristics like fingerprints, hand geometry, facial features, iris, and retina.
• Behavioral: Analysis of patterns in actions like signature, voice, typing rhythm.
• Biological: Analysis of biological samples like DNA, blood, and saliva (not explicitly mentioned in the previous text but falls under Law 25's definition).

Crucially, Law 25 prohibits the disclosure of biometric data for the purpose of verifying an individual's identity without their explicit consent. This emphasizes the importance of obtaining clear and unambiguous authorization from individuals before using their biometric information for any purpose, including verification.

Who are considered minors under Law 25?

Under Law 25, organizations generally require parental consent before collecting any personal information from individuals under 14 years old. However, exceptions may exist if the collection presents a clear benefit to the child, such as in emergency situations where immediate action is necessary for their safety and well-being.