Protecting privacy and data online has become a major issue in recent years, prompting several governments to legislate on the subject. The privacy and data protection landscape in Quebec is undergoing a significant transformation: Law 25 has been adopted by the National Assembly of Quebec, and organisations must now act to ensure compliance.
With this blog, we aim to provide a comprehensive understanding of Law 25's key aspects, and equip readers with the essential knowledge required to adhere to the new legislation.
Law 25, also known as the Privacy Legislation Modernization Act, received assent on 22 September 2021, with its provisions coming into force in stages over the following three years. The law introduces a variety of modifications to the existing legal framework, giving individuals significant new rights over their data. It also imposes additional responsibilities on both public and private organisations that are entrusted with personal information.
Law 25 originated as Bill 64, which was introduced in Quebec's National Assembly on 12 June 2020. In Quebec, a bill becomes law once it receives assent from the Lieutenant Governor. In September 2021, Bill 64 passed the assembly and parliamentary committee stages and, on receiving assent, became the Privacy Legislation Modernization Act, commonly referred to as Law 25.
According to the Bill 64 Survey Report published by PwC in June 2021, many businesses are willing to comply with the new law but remain unsure of the precise measures they need to take to achieve full compliance.
The report found:
- Only 35% of businesses will be fully ready to comply.
- 50% of businesses indicated that the requirement for Data Transfers will have the largest impact.
- 66% of small businesses do not understand the impact of Bill 64 and do not have a robust privacy program.
Navigating the intricacies of Quebec Law 25 seems to be a daunting task for many organisations.
Law 25 applies to any enterprise, regardless of its size or location, that collects, holds, uses or communicates personal information.
In other words, an organisation based outside Quebec whose products or services are used by customers in the province falls within the law's scope. Read broadly, this means that even a single visit to a global website from inside Quebec may bring a provider based in another country within its jurisdiction, so having no office in Quebec is not a reason to assume you are out of scope.
According to The Act Respecting the Protection of Personal Information, "personal information" is defined as:
“Any information which relates to a natural person and allows that person to be identified.”
This can include, but is not limited to, name, address, age, gender, identification numbers, financial information, email address, username and password, digital certificates and even certain types of online identifiers.
Note that the data does not need to identify a person on its own. If it can be combined with other data to ascertain a person's identity, it still falls under the umbrella of “personal information”; a postal code, birth year and gender together, for example, can single out one individual even though none of them does so alone.
Law 25's legal impact is profound, with provisions coming into effect in three phases: September 2022, September 2023 and September 2024. The most substantial changes, including the obligations listed below, are set to take effect in the second phase, on 22 September 2023.
Privacy Policy: Companies have to publish a comprehensive privacy policy on their websites in clear and simple language to meet transparency obligations.
Mandatory Privacy Impact Assessments (PIA): Companies have to conduct a PIA before communicating personal information outside Quebec, before acquiring, developing or overhauling an information system that handles personal information, and before disclosing personal information without consent for study or research purposes. Companies also need internal guidance so that staff know when a PIA is required and whom to involve.
Establish Transparency and Consent Systems: Companies must update mechanisms for collecting, storing, and sharing consumer information to meet the new consumer rights framework.
Anonymization: Companies need a process to destroy or anonymize personal information once the purpose for which it was collected has been achieved. Anonymization must be irreversible: the person concerned can no longer be identified, directly or indirectly. Simply removing names, or replacing identifiers with hashes or codes, is pseudonymization, and pseudonymized data remains personal information under the law.
Right to Erasure: Companies have to develop guidelines for assessing and responding to requests to delete personal information.
Right to Portability: Companies must be prepared to produce, on request, a copy of the computerized personal information they hold about an individual in a structured, commonly used technological format.
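The anonymization point above is where technical teams most often go wrong, so here is an added worked example (not code from the original post or from usecure) showing why a "de-identified" export is usually still personal information. All records, names, emails and postal codes below are constructed sample data; the hash choice (SHA-256 of the email) and the directory used for linkage are assumptions made for illustration. The example shows three things: a hashed identifier is reversible by enumerating candidate emails; quasi-identifiers (postal code, birth year, sex) link records to an outside dataset even with no identifier at all; and generalising those columns is what actually raises the k-anonymity of the export.

```python
"""Pseudonymisation vs anonymisation on a constructed customer export.

Added example; all data is fictitious and built inline so it runs offline.
"""
import hashlib
from collections import Counter

# Quasi-identifiers: columns that identify nobody alone but single people out together.
QUASI = ("postal", "birth_year", "sex")

# Constructed customer table (fictitious people).
CUSTOMERS = [
    {"email": "alice.tremblay@example.com", "postal": "H2X 1Y4", "birth_year": 1984, "sex": "F"},
    {"email": "bob.gagnon@example.com",     "postal": "H2X 1Y4", "birth_year": 1981, "sex": "M"},
    {"email": "chloe.roy@example.com",      "postal": "G1R 4P5", "birth_year": 1991, "sex": "F"},
    {"email": "dan.cote@example.com",       "postal": "G1R 4P5", "birth_year": 1990, "sex": "M"},
]

# Constructed "outside" dataset an attacker might hold (a directory, a breach dump).
PUBLIC_DIRECTORY = [
    {"name": "Alice Tremblay", "postal": "H2X 1Y4", "birth_year": 1984, "sex": "F"},
    {"name": "Bob Gagnon",     "postal": "H2X 1Y4", "birth_year": 1981, "sex": "M"},
    {"name": "Chloé Roy",      "postal": "G1R 4P5", "birth_year": 1991, "sex": "F"},
    {"name": "Camille Roy",    "postal": "G1R 4P5", "birth_year": 1991, "sex": "F"},  # ambiguous twin
    {"name": "Dan Côté",       "postal": "G1R 4P5", "birth_year": 1990, "sex": "M"},
]


def pseudonymise(email: str) -> str:
    """The common (and insufficient) 'anonymisation': hash the direct identifier."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def export_pseudonymised(records):
    """Drop the email, keep a hash of it, leave quasi-identifiers untouched."""
    return [{"id": pseudonymise(r["email"]), **{k: v for k, v in r.items() if k != "email"}}
            for r in records]


def reverse_hashes(export, candidate_emails):
    """Unkeyed hashes are reversible whenever the input space can be enumerated."""
    rainbow = {pseudonymise(e): e for e in candidate_emails}
    return {row["id"]: rainbow[row["id"]] for row in export if row["id"] in rainbow}


def link_by_quasi_identifiers(export, directory):
    """Re-identify rows whose quasi-identifier tuple matches exactly one directory entry."""
    index = {}
    for person in directory:
        index.setdefault(tuple(person[q] for q in QUASI), []).append(person["name"])
    linked = {}
    for row in export:
        names = index.get(tuple(row[q] for q in QUASI), [])
        if len(names) == 1:          # a unique match is a re-identification
            linked[row["id"]] = names[0]
    return linked


def generalise(row):
    """Coarsen quasi-identifiers: forward sortation area, birth decade, suppress sex."""
    return {**row, "postal": row["postal"][:3], "birth_year": row["birth_year"] // 10 * 10, "sex": "*"}


def k_anonymity(rows):
    """Smallest number of rows sharing a quasi-identifier tuple; k == 1 means unique records."""
    return min(Counter(tuple(r[q] for q in QUASI) for r in rows).values())


if __name__ == "__main__":
    export = export_pseudonymised(CUSTOMERS)
    print("hash reversal:", reverse_hashes(export, [c["email"] for c in CUSTOMERS]))
    print("linkage:", link_by_quasi_identifiers(export, PUBLIC_DIRECTORY))
    print("k raw:", k_anonymity(export), "k generalised:", k_anonymity([generalise(r) for r in export]))
```

Run it and the hashed export gives up every email to a four-entry candidate list, three of the four rows are re-identified by linkage alone (Chloé escapes only because a second entry shares her tuple), and k rises from 1 to 2 only after the quasi-identifiers are generalised. Whether k = 2 on a four-row table is "anonymous" is a judgement for the PIA; the point is that the check has to be made on the quasi-identifiers, not on whether the name column is gone.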
Law 25 establishes a comprehensive enforcement framework with two tiers of monetary penalties (administrative monetary penalties imposed by the Commission d'accès à l'information, and penal fines imposed by the courts) and a private right of action in the civil courts. From 22 September 2023, failure to comply may result in:
Administrative monetary penalties of up to CAD $10,000,000 or 2% of worldwide turnover for the preceding fiscal year, whichever is greater. Penal fines of up to CAD $100,000 for individuals, and for private sector companies of between CAD $15,000 and CAD $25,000,000 or 4% of worldwide turnover for the preceding fiscal year, whichever is greater.
As of 22 September 2023, individuals will also be able to bring civil claims against companies for damages arising from specific breaches of privacy law, such as the unlawful use of personal information or inadequate privacy notices. Where the infringement is intentional or results from gross negligence, punitive damages of at least CAD $1,000 are available.
Law 25 updates Quebec's privacy laws and will continue to evolve: the government has said that amendments and improvements will be made over the years to keep the law relevant as technology advances. Commentators expect the new law to inspire similar changes in other Canadian provinces and possibly in other countries.
Privacy regulation is mounting globally. According to The 2021 Data Regulation Recap by In Country, a growing patchwork of privacy laws and regulations is emerging around the world, forcing companies to adopt new measures to comply or face more significant fines and penalties than ever before.
Many businesses engage in the collection of personal data from their website visitors. This occurs in various scenarios, including when customers place orders, when candidates apply for jobs through the website, or when visitor profiles are created. In addition, many organisations have implemented mechanisms to gather personal data in order to facilitate marketing and sales performance.
However, this kind of collection may now breach the law if your customers are not duly informed of the intended use of their information, or have not specifically consented to its collection.
Law 25 requires organisations to protect personal information with reasonable security measures, and training staff in cybersecurity is one of the most effective ways to reduce the risk of a breach. Attacks take many forms today; email phishing remains a common tactic, and attackers now use artificial intelligence to make phishing lures more convincing. That is why security awareness training (SAT) for employees matters more than ever.
Based on current cybersecurity trends, usecure provides clients with up-to-date security awareness training courses covering the latest data privacy laws and regulations, along with many other topics. Here are the key features of our SAT.
Our training courses can be customised to match your organisation's specific needs: you can automate enrolment, course reminders and reports, or even tailor the content. At usecure, we strive to offer easy-to-implement solutions for your compliance goals!
Stay ahead of the regulatory landscape and empower your staff to navigate the intricacies of the laws with confidence. Watch a demo now or give our 14-day free trial a go to discover the ultimate admin-lite approach to staying compliant with Quebec's Law 25. You can also explore our blog for in-depth insights on effectively navigating global regulations and standards with usecure.