Quebec Law 25 - Just the Basics
What is Law 25 and what are the basic building blocks needed to comply with this privacy legislation?
Quebec's Bill 64, now recognized as Law 25, is a pivotal piece of legislation designed to revamp the province's approach to personal information protection. Enacted on September 22, 2021, it underscores a broader shift in Canada's dedication to strengthening its privacy framework, both provincially and federally.
Originally proposed in June 2020, Bill 64 was officially integrated into Quebec's legal system in September 2021. The legislation imposes several new stipulations on businesses operating within Quebec, including the appointment of Data Protection Officers (DPOs) and the necessity for privacy impact assessments (PIAs). Its provisions will gradually come into force over three years, with most being operational by September 2023.
Law 25 bolsters individual privacy rights and requires businesses to adopt specific measures such as risk assessments, data breach notifications, and updated privacy policies.
Breach Notification - Organizations must promptly report data breaches to the Commission d'accès à l'information du Québec and affected parties, especially if there's a potential for severe harm.
DPO Role - Firms should appoint a responsible individual for Law 25 compliance, defaulting to top management unless specified otherwise. Details of the appointed officer should be public.
Privacy Impact Assessment - Mandatory in specific scenarios, PIAs evaluate the potential risks and measures in data-related endeavours.
Privacy Notices - Required when utilizing technology that may identify or profile individuals or when decisions are based solely on automated processing.
Individual Rights - Echoing the GDPR, Law 25 grants individuals various rights concerning their data, including access, rectification, erasure, and data portability.
Consent Requirements - Consent now has a stricter definition, especially concerning minors and sensitive information. It should be clear, purpose-specific, and separate from other information.
Transition Period - Law 25's phased approach provides companies with ample preparation time. By the end of the transition, businesses should be entirely compliant or risk facing hefty penalties ranging from $5,000 to potentially millions, based on the severity and entity type.
The timeline for Law 25’s key provisions becoming effective is as follows:
September 2022:
- Breach notification requirements
- Privacy Officer appointment
September 2023:
- Privacy Impact Assessments
- Updated privacy policies
- Offer a right to restrict processing
- Offer a right to erasure
- Enhanced consent requirements
September 2024:
- Offer a right to data portability
Once the implementation period ends, penalties can be imposed on companies and individuals. In the case of a natural person, penalties range between $5,000 and $50,000. In all other cases, fines can range between $15,000 and $25,000,000 or 4% of worldwide turnover for the previous year, whichever is greater.
Where to begin – We recommend starting off with an automated data mapping program and a current state privacy compliance assessment. You can learn more about these steps here or contact our team (below) for more information.
Quebec's Law 25, born from Bill 64, is a beacon in the move toward fortified personal data protection in Canada. Organizations should take the necessary steps to ensure alignment with its provisions and stay ahead of the curve.