Law 25: What is it about?


by

Recently, a new law was adopted to modernize the legislation on the protection of personal information, inspired by the new requirements in this field in European countries. The evolving context of technology and the rapid exchange of information have forced the government to look at the protection of personal information held by Quebec organizations.

Personal information is protected in Quebec by several laws, both in the private and public domain. Due to the advent of new technologies, these laws were updated with the adoption of the Act to modernize legislative provisions as regards the protection of personal information (hereinafter referred to as “Law 25”) in 2021. This law imposes several new obligations on both private and public organizations, with the aim of increasing the level of protection of personal information held by these organizations and thereby promoting trust between them and individuals.

The Act is said to be phased in because the obligations it imposes are implemented over three consecutive years. The majority of the obligations will come into effect in September 2023, but some have been in effect since September 2022 and others will not come into effect until September 2024.

The Commission d’accès à l’information du Québec (CAI) is responsible for monitoring the requirements of the Act and for sanctioning non-compliant organizations. The CAI also oversees the application of the Act by publishing guidelines to assist organizations in fulfilling the various new obligations.

What about businesses ?

More specifically, and concisely, Law 25 amends, among other things, the Act respecting the protection of personal information in the private sector (hereinafter the “Private Sector Act”) by creating the position of Privacy Officer, by removing the possibility of communicating information of a confidential nature without the consent of the persons concerned, and by revising the rules surrounding the use of such information.

The Privacy Act applies to the protection of personal information collected in the course of carrying on an enterprise1. This same law specifies that personal information is “any information which relates to a natural person and allows that person to be identified”2.

Although all businesses operating in Québec are covered by the Private Sector Act, the fact remains that some businesses, due to the nature of their activities, will not be bound by the obligations set out in Law 25. In fact, depending on the nature of the activities of each enterprise, the obligations to which each will be bound will vary. It is therefore important to clearly identify the activities of the business and the use that is made of the personal information collected.

As mentioned above, Law 25 creates several new obligations that must be met by businesses, some of which are already in effect. Here is a brief overview of these obligations based on their effectiveness:

September 2022:

  • Designate a Privacy Officer;
  • Notify affected individuals and the CAI in the event of a privacy incident and maintain an incident registry;

September 2023:

  • Requirement to implement a privacy governance framework;
  • Requirement for transparency;
  • Anonymization and destruction of personal information in certain circumstances;
  • Privacy risk assessment in certain circumstances;
  • New consent obligations;
  • Providing parameters for the highest level of privacy

September 2024:

  • Right to portability: the obligation to provide a data subject with the information a company holds about him or her, upon request.

It is important to mention that significant penalties are to be expected in the event of non-compliance with the new obligations set out in Law 25. Indeed, the CAI may impose severe financial penalties that will be proportionate to the seriousness of the breach and to the company’s ability to pay.

To learn more about Law 25 and its new obligations, we invite you to consult our expertise page on Law 25.

Written with the collaboration of Mrs Marianne Lapointe, intern.

1 Act respecting the protection of personal information in the private sector, R.L.R.Q., c. P-39.1, art. 1.
2 Id., art. 2.