Protecting privacy and data online has become a major issue in recent years, prompting several governments to legislate on the subject. The privacy and data protection landscape in Quebec is undergoing significant transformation, Law 25 is now adopted by The National Assembly of Quebec, necessitating actions by organisations to ensure compliance.
With this blog, we aim to provide a comprehensive understanding of Law 25's key aspects, and equip readers with the essential knowledge required to adhere to the new legislation.
In this blog, we’ll cover:
- What is Quebec's Law 25?
- Is your organisation ready to comply?
- Which businesses does Law 25 apply to?
- How is "Personal Information" defined under Law 25?
- What are the 3 implementation phases and requirements of Law 25?
- What are the consequences of non-compliance?
- 3 Important insights gained from Law 25
- How should you prepare for Law 25?
- Train your staff now to stay compliant with Law 25
What is Quebec's Law 25?
Law 25, also known as The Privacy Legislation Modernization Act, entered into force on 22 September 2021. This law introduces a variety of modifications to the current legal framework, bringing individuals significant new rights for safeguarding their data. Moreover, it imposes additional responsibilities on both public and private organisations that are entrusted with handling personal information.
Law 25 is originated from Bill 64 which was proposed to Quebec’s national assembly on 12 June 2020. In Quebec, a Bill attains the status of Law once it obtains assent from the Lieutenant Governor. In September 2021, Bill 64 passed the assembly and parliamentary committee stages. It then officially transformed into The Privacy Legislation Modernization Act, commonly referred to as Law 25, after receiving formal assent.
Is your organisation ready to comply?
According to the Bill 64 Survey Report published by PwC in June 2021, despite the fact that many businesses are willing to comply with the new law, many of them are still unsure of the precise measures they need to take in order to achieve full compliance.
The report has found:
- Only 35% of businesses will be fully ready to comply.
- 50% of businesses indicated that the requirement for Data Transfers will have the largest impact.
- 66% of small businesses do not understand the impact of Bill 64 and do not have a robust privacy program.
Navigating the intricacies of Quebec Law 25 seems to be a daunting task for many organisations.
Which businesses does Law 25 apply to?
Law 25 subjects any enterprise, regardless of its size or location, that collects, holds, uses, or communicates personal information to its requirements.
With that being said, Law 25 will have a general application for any organisation based outside of Quebec with any customers using its products or services in the province. In practice, this means that a single visitor to a global website from inside Quebec will bring the provider based in another country within the jurisdiction.
How is "Personal Information" defined under Law 25?
According to The Act Respecting the Protection of Personal Information, "personal information" is defined as:
“Any information which relates to a natural person and allows that person to be identified.”
This can include but is not limited to, information such as name, address, age, gender, identification numbers, financial information, email address, username and password, digital certificates or even certain types of online identifiers.
It is crucial to remark that the data does not need to be able to identify a person on its own. If the data can be utilised alongside other data to ascertain a person's identity, it will fall under the umbrella of “personal information”.
What are the 3 implementation phases and requirements of Law 25?
Law 25's legal impact is profound, with provisions coming into effect in three distinct phases, scheduled for September 2022, 2023, and 2024. Notably, the most substantial changes are set to take effect in September this year.
By 22 September 2022 (1st Phase)Appoint a Privacy Officer: Companies must designate a person responsible for the protection of personal information and publish his or her title and contact details on the company's website.
Mandatory Breach Reporting: In the event of a confidentiality incident, a company must keep a record of the incident and take prompt actions to reduce the risk of harm to the persons concerned. The company must also notify The Quebec Commission on Access to Information (CAI) as well as to any affected individuals.
Biometrics Disclosure: Companies have to disclose in advance to CAI any verification or confirmation of identity made by means of biometric characteristics or measurements.
By 22 September 2023 (2nd Phase )
Mandatory Privacy Impact Assessments (PIA): Companies have to conduct a PIA when sharing personal information outside Quebec, when creating or acquiring digital systems involving private data, or before disclosing personal information without consent for research purposes. Companies will also need to have guidance in place to ensure clear communication procedures for staff.
Establish Transparency and Consent Systems: Companies must update mechanisms for collecting, storing, and sharing consumer information to meet the new consumer rights framework.
Anonymization: Companies need to implement a system to destroy or anonymize personal data once its collection purpose has been achieved. Anonymization must ensure the person concerned can no longer be identified.
Right to Erasure: Companies have to develop guidelines to assess and respond to requests for the removal of personal information.
By 22 September 2024 (3rd Phase)
Right to Portability: Companies must prepare to produce a digital copy of all personal information they hold concerning an individual upon request.
What are the consequences of non-compliance?
Law 25 establishes a comprehensive enforcement framework that includes a two-tier monetary penalty and the right of action in civil courts. Starting in 2023, failure to comply may result in:
The maximum penalty for individuals is $100,000, while private sector companies face fines ranging from CAD $15,000 to CAD $25,000,000 or 4% of their global turnover for the preceding fiscal year, whichever is greater.
Right of action
As of 22 September 2023, consumers will be able to bring claims against companies for statutory damages relating to specific breaches of privacy law, including unlawful use of personal information, illegal use of personal information, and inadequate privacy notices.
3 Important insights gained from Law 25
The continuously evolving nature of security laws
Law 25 aims to update Quebec's privacy laws and is going to continue evolving, with the government announcing that amendments and improvements will be added over the years to ensure that Law 25 remains relevant in the face of technological advances. It is generally believed that this new law could potentially inspire similar changes in other provinces across Canada and even other countries in the world.
In fact, privacy regulations are mounting globally. According to The 2021 Data Regulation Recap by In Country, there’s a growing patchwork of privacy laws and regulations changing around the globe, forcing companies to adapt new measures to comply or risk facing more significant fines and penalties than ever before.
Ignorance of the law excuses no one
Many businesses engage in the collection of personal data from their website visitors. This occurs in various scenarios, including when customers place orders, when candidates apply for jobs through the website, or when visitor profiles are created. In addition, many organisations have implemented mechanisms to gather personal data in order to facilitate marketing and sales performance.
However, these types of personal information collection may now violate the law if your customers are not duly informed about the intended use of their information, or they have not specifically consented to the personal information collection.
The importance of Security Awareness Training (SAT)
Law 25 strongly suggests training users in cybersecurity, as this is one of the best ways to protect the company from cyber-attacks. Attacks take many different forms today, with email phishing remaining a common tactic, but even this has been perfected with the help of artificial intelligence to make phishing attempts even more realistic. That's why educating your employees with SAT is more important than ever before.
How should you prepare for Law 25?
Based on the cybersecurity trends, usecure provides clients with up-to-date security awareness training courses covering the latest data privacy laws, regulations and a lot of various topics. Here are the key features of our SAT.
Wide range of security topicsOur training courses cover the world’s most important cybersecurity laws and regulations, such as compliance topics for Quebec's Law 25, GDPR, HIPAA and PCI. In addition, the courses include the most popular security topics, such as cloud security, phishing, social engineering, password security, data protection, and so much more!
Engaging and interactiveusecure understand the power of effective training. We offer bite-size SAT courses that are designed to keep your users engaged. All of our training courses include quizzes, animations or short videos that aim to encourage users’ active participation through the learning process.
Our training courses allow customisation to match your organisation's specific needs. You will be able to automate enrolment, course reminders, reports or even tailor content. At usecure, we strive to offer easy-to-implement solutions to your compliance goals!
Train your staff now to stay compliant with Quebec Law 25!
Stay ahead of the regulatory landscape and empower your staff to navigate the intricacies of the laws with confidence. Watch a demo now or give our 14-day free trial a go to discover the ultimate admin-lite approach to staying compliant with Quebec's Law 25.