Organisations that collect, process and store the personal information of Quebec individuals must ensure their existing privacy programs are in line with the provisions of Quebec’s Law 25. This new law was adopted in September 2021 and has been implemented in stages, with the final stage coming into effect on September 22, 2024.
Law 25 represents a milestone for provincial privacy legislation. It marks a complete overhaul of Quebec’s privacy regime, strengthening privacy rights for individuals and updating organisational requirements.
In this guide, we provide essential information to help support your journey towards achieving and maintaining compliance. We explain who Law 25 affects and detail what each stage of its provisions includes.
Law 25 introduces several key concepts to modernise data protection practices in Quebec and strengthen privacy rights for individuals.
The legislation has been brought into effect in stages over a three-year period, which has allowed organisations to adapt gradually to the new privacy requirements. By September 2024, organisations should ensure all provisions are fully implemented.
Fines for non-compliance can range between CA$15,000 and CA$25,000,000 (approx €10,150 to €16,900,000) or 4% of worldwide turnover for the previous year, whichever is greater.
Law 25 applies to all businesses, including non-profits, that collect, process, use, or disclose the data of Quebec residents, regardless of size, revenue, or location of the business.
Law 25 imposes a range of obligations on businesses, with the aim of striking a balance between privacy protection, individual rights, and business accountability.
To ensure compliance with the new regulations, you should complete a gap analysis of your current privacy programmes. This will identify any required updates that need to be made to your current policies, procedures and data handling practices.
If you are operating within the province of Quebec and process personal data, these are the important aspects you should already have in place or need to address by September 22, 2024:
The Data Privacy Officer role shares a similarity with the EU’s requirement for a Data Protection Officer (DPO). However, unlike the GDPR, the Privacy Officer role defaults to the highest-ranking individual in an organisation, if one is not otherwise appointed.
Many organisations may not be aware of the defaulting nature of the Privacy Officer role. Where a Privacy Officer is not explicitly appointed, the responsibility falls to the CEO or MD.
What you need to do: It is crucial for organisations of any size or industry sector to recognise the importance of this role. A Privacy Officer should have the expertise and specialist knowledge to ensure compliance with privacy laws and understand the complexities of global data protection legislation.
Organisations must ensure that breach management processes are in place. Data breaches must be reported to the Commission d’accès à l’information (CAI) and all affected individuals as soon as possible.
What you need to do: Create and test a data breach response protocol. When identifying a potential data breach, you must assess whether an incident poses a “risk of serious injury” based on information sensitivity, anticipated consequences and likelihood of harmful use.
Your data breach response protocol should include:
Biometric data collection includes physical features such as fingerprints, facial features and iris patterns.
What you need to do:
All organisations operating in Quebec must have a comprehensive Privacy Policy that outlines data handling practices.
What you need to do: Create a Privacy Policy to include these important details:
A PIA is a systematic process to evaluate the impact of data processing activities on individuals’ privacy rights.
What you need to do:
Under Law 25, organisations must conduct a Privacy Impact Assessment (PIA) for:
These are transfers that involve moving personal data from Quebec to another jurisdiction outside Canada (or to another province).
What you need to do:
Law 25 sets stricter rules for acquiring permission before using people’s personal information. Organisations must obtain explicit opt-in consent before collecting, storing, processing, and sharing personal information. Additionally, for children under 14, you will need the parent’s permission first.
What you need to do:
Law 25 emphasises the importance of collecting only the essential data for the intended purpose. Organisations must avoid excessive data collection and retain only relevant information.
What you need to do:
These rights came into effect in September 2023, with the right to data portability effective in September 2024 (see the section below).
Subject rights include:
What you need to do:
With this specific area of Law 25, individuals have the right to have their personal data seamlessly transitioned between service providers.
What this means is that you are obliged to provide the requested information in a specified format.
What you need to do:
The final stage of Quebec’s Law 25 comes into effect on September 22, 2024.
Organisations operating within the province of Quebec must implement the necessary operational and procedural changes by that date to ensure compliance with the new regulations.
We covered the key aspects of Law 25 in the above sections, but these are the main elements to consider:
From our offices in Toronto, Ontario, The DPO Centre Canada provides outsourced Canadian Privacy Officers to organisations operating across Quebec and other provinces.
If you would like to discuss how our range of specialist services can support your organisation’s privacy governance, please contact The DPO Centre Canada.