Quebec’s privacy and data security landscape is changing, and organizations are already racing against time to adapt. Mirroring the privacy benchmarks set by Europe’s General Data Protection Regulation (GDPR), Quebec’s National Assembly unanimously passed Law 25, also known as the Privacy Legislation Modernization Act (An Act to modernize legislative provisions as regards the protection of personal information), on September 21, 2021. Its obligations come into force in three phases, one per year, on September 22 of 2022, 2023 and 2024.
In the first phase, by September 22, 2022, organizations had to appoint a person in charge of the protection of personal information, implement a process for handling confidentiality incidents (including keeping an incident register and notifying the Commission d’accès à l’information (CAI) and the affected individuals of any incident presenting a risk of serious injury), conduct privacy impact assessments (PIAs) where required, comply with the new rules on disclosing personal information in the course of a commercial transaction, and notify the CAI before using biometrics to verify identity or creating a biometric database.
In the second phase, from September 22, 2023, organizations had to establish and publish governance policies and practices for personal information, conduct PIAs before communicating personal information outside Quebec and for any project to acquire, develop or overhaul an information system that handles personal information, follow the new consent rules, destroy or anonymize personal information once the purposes for which it was collected are fulfilled, meet transparency obligations (including notice of decisions based exclusively on automated processing and of technology that identifies, locates or profiles individuals), comply with the rules on sharing and using personal information, apply the stricter rules for collecting information from minors under 14, and honour the right to de-indexing (Quebec’s version of the right to be forgotten).
Finally, from September 22, 2024, organizations must honour the right to data portability: on request, provide the computerized personal information collected from an individual in a structured, commonly used technological format.
Law 25 is a complete overhaul of Quebec’s privacy legislation. It has significant consequences for companies doing business in Quebec or handling the personal information of Quebec residents – like names, emails, phone numbers, addresses, payment information, and more.
The GDPR is a robust privacy and security law adopted by the European Union (EU) that has set high standards globally. It imposes obligations on organizations anywhere in the world that offer goods or services to, or monitor the behaviour of, people in the EU. The regulation has applied since May 25, 2018, and it levies harsh fines on those who violate its privacy and security standards.
The CCPA, on the other hand, is a landmark data privacy law that gives California residents more control over the personal information businesses collect about them. It came into effect on January 1, 2020, and was amended and expanded by the California Privacy Rights Act (CPRA) from January 1, 2023. The CCPA secures new privacy rights for California consumers, including the right to know what personal information a business collects about them and how it is used and shared.
Similarities between Law 25, GDPR, and CCPA
Each of these three laws was established to give individuals more control over their personal data. They all govern how organizations collect and use that data, and their main commonality is their purpose: to safeguard the personal information of individuals (natural persons), not information about businesses.
Moreover, these laws were written for an era of escalating global interconnectedness, in which cross-border transfers of personal data are becoming more common and more complex. Although the three differ in scope and detail, they all pursue similar objectives.
Compliance requirements for each legislation
Law 25 requires organizations to be transparent about how they collect and use personal information. It demands clear, plain-language privacy policies that disclose the purposes of collection, the individual’s rights of access and correction, disclosures to third parties, and transfers of information outside Quebec. Consent must be clear, free and informed, and given for specific purposes; consent to the use of sensitive personal information must be express.
Compliance with the GDPR requires organizations to identify a lawful basis for each processing activity, disclose why they collect personal data, obtain informed consent where consent is the basis relied on, respond to data subject requests within the statutory deadlines, and implement appropriate technical and organizational measures to secure personal data.
Compliance with the CCPA requires businesses to be transparent about the data they collect and how they use it. They must notify consumers at or before the point of collection and develop processes to handle consumer requests to know, to delete and to opt out. Businesses that sell personal information must include a “Do Not Sell My Personal Information” link (“Do Not Sell or Share My Personal Information” under the CPRA amendments) on their website or mobile application.
Penalties for non-compliance
Law 25 sharply increases the penalties for non-compliance with privacy legislation. Private-sector organizations face administrative monetary penalties of up to CAD 10,000,000 or 2% of worldwide turnover for the preceding fiscal year (whichever is greater), and penal fines ranging from CAD 15,000 to CAD 25,000,000 or 4% of worldwide turnover for the preceding fiscal year (whichever is greater).
Under the GDPR, the most serious violations (Art. 83(5)) can draw fines of up to 20 million euros or, in the case of an undertaking, up to 4% of total worldwide annual turnover for the preceding fiscal year, whichever is higher. Less severe violations (Art. 83(4)) carry fines of up to 10 million euros or, for an undertaking, up to 2% of total worldwide annual turnover for the preceding fiscal year, whichever is higher.
The CCPA provides for civil penalties of up to $2,500 per violation, whether accidental or intentional, and up to $7,500 per intentional violation. As originally enacted, a business had 30 days after notice to cure a violation before penalties could be sought; the CPRA amendments removed that automatic cure period.
New compliance requirements to expect in Law 25 – key differences vs. GDPR and CCPA
Law 25 is the most rigorous of the three laws in several respects. Some of the crucial differences:
- Protection scope: the GDPR protects data subjects who are in the EU, regardless of their nationality or residence. Law 25 applies to every enterprise (any organized economic activity, whether or not commercial in nature) that collects, holds, uses or communicates personal information about Quebec residents or offers services to them, regardless of where the enterprise is located. The CCPA’s scope is narrower: it protects only California residents, and it applies only to for-profit businesses that meet its revenue or data-volume thresholds.
- Confidentiality by default: Law 25 requires that the privacy settings of any technological product or service offered to the public provide the highest level of confidentiality by default, without any action by the user, which goes further than the GDPR’s data protection by design and by default (Art. 25). The CCPA contains no such principle; it relies on consumers opting out after the fact.
- Consent: Law 25 is the only one of the three that makes consent the default basis for collecting, using and communicating personal information, with a short list of exceptions, which makes it the most rigorous. The GDPR permits a broader set of lawful bases, such as performance of a contract, compliance with a legal obligation, public interest and legitimate interests. The CCPA imposes no general consent requirement (except that selling the personal information of minors under 16 requires opt-in); instead, it lets individuals opt out of sales or sharing, or request deletion, after their data has been collected.
- Impact assessment: Law 25 mandates a privacy impact assessment (PIA) whenever a triggering condition is met (for example, any project to acquire, develop or overhaul an information system involving personal information, or any communication of personal information outside Quebec), irrespective of the risk level, although the depth of the assessment may be proportionate to the sensitivity of the information. The GDPR is more lenient, requiring a data protection impact assessment only where processing is likely to result in a high risk to individuals’ rights and freedoms (Art. 35). The CCPA itself requires no impact assessments, since it does not focus on accountability obligations.
Unlock Compliance with Mindsec: Your Partner for Law 25 Implementation
Quebec’s Law 25 is a game-changer. As businesses adapt to its stringent requirements and broad scope of protection, they need a trusted ally to navigate this complex terrain. Enter Mindsec.
Mindsec specializes in cybersecurity and privacy risk management. Our seasoned experts understand the nuances of Law 25, ensuring your organization’s practices align seamlessly with its provisions. Whether you’re based in Quebec or operate internationally, we’ve got you covered.
Mindsec’s secret sauce? Automation. We harness advanced AI and cutting-edge technologies to streamline risk mitigation and compliance readiness. Say goodbye to manual processes and hello to efficiency. By optimizing internal resources, we empower your team to focus on what truly matters.
From data protection strategies to security audits, Mindsec offers end-to-end solutions. Seeking certification or attestation under SOC 2, ISO/IEC 27001, HIPAA, GDPR, CCPA or PCI DSS? Consider it done. We’re your compass in the compliance wilderness. Ready to embrace Law 25 confidently? Let Mindsec be your guide! Book a call.