Since September 2022, businesses with activities in Quebec or handling the information of its residents have had to progressively adhere to Law 25, Quebec’s newest standard for privacy and data protection.
Quebec’s Law 25 amends the province’s existing privacy statutes, including the ‘Act Respecting the Protection of Personal Information In The Private Sector’, and introduces new obligations that both public bodies and private organizations must follow to protect the personal information of the individuals they serve.
Non-compliance exposes organizations to substantial penal fines and administrative monetary penalties. Responsibility for compliance sits by default with the person exercising the highest authority in the organization, typically the CEO, so leadership cannot treat it as someone else’s problem.
In this article, we’ll explore Law 25 in depth, the severe consequences of not complying with it, and what you can do as a business to adhere to this new regulation if you haven’t already.
Table Of Contents:
- Law 25: What Is It And Why Should You Care?
- Law 25: Key Implementation Steps
- September 2024
- Consequences of Non-Compliance With Law 25
- Mindsec: The Stress-Free Road To Compliance
Law 25: What Is It And Why Should You Care?
Quebec’s Law 25 (formerly Bill 64) officially passed in September 2021 as ‘an Act to modernize legislative provisions as regards the protection of personal information’. Intended as an overhaul of Quebec’s privacy framework, it aims to align it with global standards like the EU’s General Data Protection Regulation (GDPR).
Law 25 applies to any organization that collects, holds, uses, or communicates the personal information of Quebec residents, not only information deemed sensitive. This covers businesses physically established in Quebec as well as e-commerce and other digital ventures that do business with people in the province.
The purpose behind Law 25 is to protect consumers’ right to privacy in the face of growing identity theft crimes and hasty technological innovations. This is done by enforcing stricter security requirements businesses must follow, such as:
- Informing individuals of the purposes of collection and obtaining their clear, free and informed consent before collecting their data (express consent where sensitive information is involved)
- Total transparency about the use(s) you’ll give to user data, how you’ll store it, and for how long
- The need to have cybersecurity measures in place to protect customer data from unauthorized access
- Giving consumers the ability to access, modify, and transfer their personal information after they’ve shared it
- The obligation to notify individuals of data breaches affecting them
There are serious legal and financial consequences for businesses that don’t comply with Law 25, especially now that it has been fully phased in as of September 2024. We’ll discuss them in the following sections.
Law 25: Key Implementation Steps
Given the scope of the regulatory changes, Law 25 came into effect in three yearly phases, each taking effect on September 22. The first phase came in 2022 and the last in 2024.
The first key provisions implemented during the initial phase were the following:
- Appointing A Privacy Officer: Organizations must designate a person in charge of the protection of personal information who is responsible for ensuring compliance. By default this is the person exercising the highest authority in the organization (in a company, usually the CEO), but the role can be delegated in writing to someone else. The officer’s title and contact information must be published on the organization’s website.
- Mandatory Breach Reporting: Organizations must notify both the Commission d’accès à l’information (CAI) and the affected individuals of any confidentiality incident involving personal information that presents a risk of serious injury. They must also keep a register of all confidentiality incidents, whether or not they reach that threshold.
The second phase, corresponding to September 2023, implemented most of Law 25’s provisions. The most important ones include:
- Establishing A Privacy Framework: Businesses need to establish a transparent privacy and confidentiality framework for collecting and processing data, and have procedures in place to deal with complaints.
- Increased Transparency: Companies must be fully transparent about how they use user data: what specific data are they collecting? Is a third party involved in its processing? What are the data subject rights? All of this needs to be articulated in a clear and easily accessible privacy policy.
- Privacy Impact Assessments (PIA): Organizations are now required to conduct a PIA for any project to acquire, develop, or redesign an information system or electronic service delivery that involves the collection, use, communication, retention, or destruction of personal information. A PIA is also required before communicating personal information for study or research purposes without consent, and before communicating it outside Quebec. The depth of the assessment must be proportionate to the sensitivity of the information and the risk involved. Clear internal guidelines and communication procedures must also be established so the organization’s staff can ensure compliance.
- De-indexation Rights: Law 25 introduces a form of the right to be forgotten. Data subjects can require an organization to cease disseminating their personal information, or to de-index any hyperlink attached to their name that gives access to it, where the dissemination contravenes the law or a court order, or causes serious injury to their reputation or privacy that clearly outweighs the public interest.
- Cross-Border Transfers of PI: Before communicating personal information outside Quebec, a business must conduct a PIA establishing that the information would receive adequate protection at its destination. The transfer may proceed only if the assessment concludes that it would, and it must be covered by a written agreement that takes the assessment’s findings into account.
- Privacy By Default And By Design: Businesses offering technological products or services with privacy settings must provide the highest level of confidentiality by default, without any intervention by the user. Options that reduce privacy must be off by default and require consent before they are enabled. This requirement does not apply to browser cookie settings.
- Retention And Destruction Of Information: Once the purposes for which personal information was collected have been achieved, businesses must destroy it, or anonymize it for use only for serious and legitimate purposes, subject to any retention period set by law. To support this, businesses must inventory the personal information they hold, establish retention periods, and document their deletion and anonymization procedures.
September 2024
The last phase of Quebec’s Law 25 took effect on September 22, 2024. It adds one final but very important provision to complete Quebec’s new privacy framework: the right to data portability. This lets individuals obtain the computerized personal information an organization collected from them and move it to another organization.
Businesses must be able to produce, on request, a digital copy of the computerized personal information they collected from an individual, in a structured and commonly used technological format, and to communicate it either to the individual or to any person or body authorized by law to collect it. The only exception the law allows is where doing so would raise serious practical difficulties, so organizations need the tooling and the trained staff to answer such requests routinely rather than case by case.
This specific aspect of Law 25 is designed to give individuals the possibility to have their personal data seamlessly transitioned between service providers, while forcing companies to make it as easy as possible for their users to do so.
Consequences of Non-Compliance With Law 25
Quebec’s Law 25 is stricter and comes with a more rigorous enforcement scheme compared to its preceding Act. As of September 2024, all businesses within Law 25’s jurisdiction are obligated to comply with all of its provisions, including the recently implemented right to data portability.
Entities that have not complied with all of the provisions in force since September 2024 face two kinds of monetary sanction: administrative monetary penalties imposed directly by the CAI, and penal fines resulting from prosecution before the Court of Québec. Specifically:
- Penal fines of $5,000 to $100,000 CAD for natural persons, and in all other cases $15,000 to $25M CAD (or 4% of worldwide turnover for the preceding fiscal year, whichever is greater). These amounts are doubled for a subsequent offence.
- Administrative monetary penalties of up to $50,000 CAD for natural persons, and in all other cases up to $10M CAD (or 2% of worldwide turnover for the preceding fiscal year, whichever is greater).
There is also a private right of action in the civil courts. Individuals can sue for the injury caused by an unlawful infringement of their privacy rights, and where the infringement is intentional or results from gross fault, the court must also award punitive damages of at least $1,000. Typical grounds include:
- Unlawful use of personal information
- Failures to provide privacy notices
- Failure to notify data subjects in case of confidentiality breaches
Businesses that don’t align with Law 25 also expose themselves to the usual consequences of non-compliance: reputational damage, loss of credibility, and an erosion of consumer trust. These often translate into lost sales and revenue and can take considerable time and resources to repair.
That’s why it’s important for businesses to put compliance at the top of their priority list, and why it makes sense to rely on the professional help and expert guidance of an accomplished compliance partner.
Mindsec: The Stress-Free Road To Compliance With Law 25
Complying with Quebec’s Law 25 is demanding, all the more so if you try to do it on your own. Without a clear starting point, the process can take up to a year, and without prior experience with compliance procedures it is easy to omit information, make mistakes, and end up fined for unintentional non-compliance.
Mindsec’s software and bilingual expert guidance simplify the requirements so you can update your privacy protocols in a matter of weeks, instead of months. We’ll help you avoid costly fines, maximize your ROI, and rest at ease doing business in Quebec, handling the information of its residents while also respecting their privacy.
By working with Mindsec, you’ll adhere to Quebec’s data privacy frameworks quickly, while taking a back seat and…
- Enjoying easy compliance with pre-mapped controls and policies for your security and IT teams
- Saving between 60-70% of the market costs of compliance
- Receiving support from bilingual security experts (EN/FR) to file documentation in a different language if needed
Book a free demo today to learn how we can help you stay compliant with Law 25 without draining your company’s resources, burning out your team, and with less than 2 hours of your input per week.