  • Country focus

Everything you need to know about Quebec's Law 25 (ex Bill 64)

Published on July 18, 2022 by Sarah Barker

Updated on July 26, 2022 by Sarah Barker

The privacy and data protection landscape in Quebec is changing - and the clock has already started ticking for organizations to get up to speed.

Following in the footsteps of the enhanced privacy standards introduced by the General Data Protection Regulation (GDPR) in Europe, Law 25 (The Privacy Legislation Modernization Act) was adopted unanimously by the National Assembly of Quebec on 21 September 2021.

In this article, we will cover everything you need to know about Law 25.


What is Quebec’s Law 25?

 

In a move that is likely to set the pace for wider provincial reforms across Canada, Law 25 is designed to modernize Quebec’s privacy laws. Introducing a raft of changes to the existing legal framework, it grants significant new data protection rights to individuals, along with increased obligations for the public and private organizations that handle their personal information. 

 

Historically, the framework of privacy law in Quebec has comprised an array of provincial and federal legislation. Law 25 acts as a broad-brush update to this regime, most notably in respect of the law governing access to documents held by public bodies (The Public Sector Act) and the law governing the protection of personal information in the private sector (The Private Sector Act).

 

Law 25 will come into effect through a phased rollout over the next three years. Whilst this staggered implementation period reduces the pressure slightly, now is the time for companies to start getting their ducks in a row. The incoming changes are comprehensive, and implementation will require considerable time and resources - with serious penalties on the table for non-compliance.

 

Why is it no longer called Bill 64?

 

“Bill 64” was the name of the original legislative text first proposed to Quebec’s national assembly on June 12, 2020. Following a lengthy consultation process and numerous amendments, it passed the assembly and parliamentary committee stages in September 2021.

 

In Quebec, a Bill officially becomes Law once it receives assent from the Lieutenant-Governor. Bill 64 finally completed its passage into legislation when it received formal assent on September 22, 2021. At this point, it became The Privacy Legislation Modernization Act - otherwise known as Law 25. 

 

Which businesses does Law 25 apply to?

 

At first glance, it is easy to assume that the new legislative provisions are of minimal relevance to those outside of Quebec. However, the reality is that the knock-on effects of the regime will be felt far beyond provincial borders. This is for two reasons:

 

  • Firstly, in line with global data protection laws and a well-established line of jurisprudence under the local regulator, the Commission for Access to Information (CAI), Law 25 will have a general application for any organization based outside of the province with any customers using its products or services in Quebec.

    In practice, this means that a single visitor to a global website from inside the province will bring the provider within jurisdiction.

 

  • Secondly, Law 25 is a pioneering legal framework in Canada - and one which reflects a general direction of travel throughout the rest of the developed world. With Canada’s regionalized approach to data regulation, it remains to be seen whether this will lead to a provincial “domino effect”, with neighboring governments following suit.

    If this occurs, federal reform at some point in the future is a very real possibility. 

 

What and who does Law 25 cover?

 

Law 25 updates the existing legal framework for the protection of personal information in Quebec. Whilst this covers the law in respect of both the public and private sectors, the latter is of primary relevance for private organizations.   

 

The Private Sector Act defines personal information as:

 

“any information which relates to a natural person and allows that person to be identified.”

 

This definition includes all personal information “relating to other persons which a person collects, holds, uses or communicates to third persons in the course of carrying on an enterprise”.  

 

The Private Sector Act applies to all such personal information, regardless of the form it takes (including, but not limited to, information that is written, graphic, taped, filmed, or computerized).

 

Who is covered? In short - potentially everyone. Because the scope of Law 25 extends to any end-user of a Quebec-based service provider, including end-users outside the province, it captures not only all “natural persons” inside the border but those outside of it too. There are no citizenship restrictions.

 

What data rights do Quebec consumers have under Law 25?

 


Make no mistake - Law 25 is good news for consumers. Following the tailwinds of the GDPR, the new framework strengthens the protection of personal information, handing back a greater degree of control to the individual. Unless otherwise specified, all of the consumer rights below will come into force on 22 September 2023.

 

The right to privacy by default

In a significant shift, Law 25 reverses the previous de facto position on online privacy, granting consumers the automatic right to confidentiality over their personal information. In practice, this means that, for example, any profiling or tracking technology must be deactivated on a company website unless express consent is given - and not the other way around.

 

Transparency

Consumers will be entitled to a greater level of transparency when their personal information is collected by private organizations. The new regime provides for the following:

 

  • Basic right of access: When collecting any personal information, companies must now inform the individuals concerned of:

    • The purpose for which the information is gathered;

    • How this information is being collected;

    • The consumer’s right to access this information, and rectify it where necessary;

    • The consumer’s right to withdraw consent for this information to be gathered. 

 

  • Third parties: Companies must now also inform individuals of the following in respect of third party use of their personal information:

    • The names of any third parties for whom the information is gathered;

    • The names of any third parties to whom this information may be passed on;

    • The fact that this information may be communicated outside of Quebec. 

 

  • Automated processing: If a company uses automated processes to make a decision about an individual, they must notify that person of the following:

    • When a decision has been made;

    • Their right to access or correct the personal information used to make the decision;

    • Their right to information about how the decision was made;

    • Their right to have the decision reviewed;

    • Their right to submit additional information where required by way of an appeal.

 

  • Right to request additional information: If they choose to request it, consumers are also now entitled to receive the following information:

    • Details of what information has been collected from them;

    • The categories of people who have access to this information within the organization;

    • How long this information will be kept for;

    • Contact details for the person responsible for protecting this information.

 

Consent

The new framework introduces a raft of new rules regulating the way that consumers consent to the use of their personal information. The most significant provisions are:


  • Requests for consent: Companies are already required to seek free and informed consent to the collection and use of personal information. However, Law 25 adds teeth, stipulating that requests for consent must be made in clear and simple language. It also adds that such requests must be made in isolation - in other words, they cannot be buried in the small print!

  • Sensitive information: Consumers must now give their express consent for the use of “sensitive” personal information for any other purpose than that for which it was originally collected. Information that is considered “sensitive” includes medical, biometric, or otherwise intimate details which give rise to a reasonable expectation of privacy.

  • Minors: Companies cannot collect any personal information concerning a child under the age of 14 without parental consent. The only exception is where the information collected is of clear benefit to the child (for example, in an emergency situation).

  • Biometrics: Biometrics will no longer be permitted to verify a person’s identity without their express consent.

  • Exceptions: Law 25 introduces some limited exceptions in which the presumption of consent will not apply. Organizations may now use personal information without consent if this is necessary to detect or prevent fraud, or if such use is necessary in order to deliver a product or service expressly requested by the individual concerned.

 

Right to erasure

From 22 September 2023, in the spirit of the “right to be forgotten” first created under the GDPR, consumers will now be entitled to ask companies to cease distributing their personal information. In cases where this distribution is causing the individual harm (or where it contravenes a court order), they will also have the right to have any internet links attached to their names de-indexed. 

 

Right to portability

This is the final provision to come into effect, and will do so on 22 September 2024. Individuals will be granted the right to receive a digital copy (in a commonly used format) of all personal information that has been collected from them by any given organization.

 

How is Law 25 enforced?

 

Law 25 comes with a robust enforcement scheme when compared with the previous regime, creating both a two-tier monetary penalty model and a right of action in the civil courts.

 

Monetary penalties

For individuals, the maximum penalty for penal offenses under Law 25 is $100,000. For private sector companies, penal fines for non-compliance can rise to whichever of the following is greater:

 

  • A sum ranging from CAD $15,000 to $25,000,000; or

  • A sum corresponding to 4% of the organization’s worldwide turnover for the preceding fiscal year. 

 

Authority for the enforcement of monetary penalties rests with the CAI.

 

Right of action

The Act also gives rise to a new private right of action, allowing individuals to bring claims against companies for statutory damages in respect of specific breaches.

 

Actionable breaches include (but are not limited to) unlawful use of personal information, failures to provide adequate privacy notices, and failures to notify data subjects in cases of automated decisions and confidentiality breaches.

 

How can my business comply with Law 25?

 

Whilst the raft of reforms is extensive, the essence of some provisions has already been either fully or partially mandated by other applicable regimes (such as PIPEDA), or has simply become common practice over recent years.

 

However, for the bulk of provisions which are entirely new, existing systems are likely to fall short and require comprehensive overhaul. Fortunately, the phased rollout breaks this process down. At a minimum, organizations should expect to tick off the following boxes over the following time frame:

 

By 22 September 2022

 

  • Assign a Privacy Officer: Appoint a person who will take on authority for ensuring compliance with the law within your organization. Responsibility for this role will fall to the CEO by default - but the position can be delegated to any appropriate individual. Their title and contact details must be published on your website, and the CAI must be notified of the same.

 

  • Mandatory breach reporting: Your organization must notify both the CAI and any affected individuals of any data breach involving personal information which presents a risk of serious harm. You must also maintain a register of breaches. For most companies, these mechanisms should largely already be in place due to existing requirements - however, this is an important opportunity to review your systems to confirm that they are compliant.

 

  • Biometrics: If your company uses, or intends to use, biometric banks, from this date onwards you must disclose their existence to the CAI no later than 60 days before your system is implemented.

 

By 22 September 2023

 

  • Privacy policy: You must ensure that, by this date, you have a comprehensive privacy policy published on your website. This must set out your data protection policies and practices in clear and simple language, and provide sufficient information for consumers (for example, on personal data management, breach reporting, consent, access requests, and automatic decision making) to meet transparency obligations.

 

  • Mandatory Privacy Impact Assessments (“PIA”): It is now mandatory to carry out a PIA when communicating any personal information outside of Quebec, when creating or acquiring any digital systems involving private data, or before disclosing any personal information without consent for research purposes. You will need to have guidance in place governing how this requirement is triggered, as well as clear communication procedures for staff. 

 

  • Establish transparency and consent systems: Long before this date, your organization should have conducted a comprehensive review into its existing mechanisms for gathering, storing, and disseminating consumer information. These should now be updated to meet the new consumer rights framework, paying particular attention to the following points:

    • Deactivate any data collection technology on your website by default, without requiring any confirmatory action by users. You can provide an explicit “opt-in” mechanism instead. This excludes the use of cookies.

    • Update your consent forms and access to information systems. Ensure that, when requested, you are able to provide details of the categories of individuals within your company who have access to any given customer’s personal information, as well as the contact information of your privacy officer.

    • Identify any cross-border jurisdictions to which your organization may transfer personal information, and conduct PIAs in respect of those locations.

    • Ensure that you have procedures in place to manage the confidentiality exception for bereavement. You may pass on personal information relating to somebody who has passed away to their spouse or close relatives - but only if this is likely to help them in the mourning process, and if the deceased did not withdraw consent to this in life.

    • Ensure that your organization is no longer collecting any personal information concerning a child under the age of 14 without parental consent.

    • Ensure that your privacy policy provides details of your organization’s automated decision making processes, including access to information and appeals.  

 

  • Anonymization: You must have a system in place to either destroy personal data once the purposes for which it was collected have been achieved, or to anonymize it where applicable. If you are implementing or updating an anonymization system, this must meet the high bar of ensuring that the person concerned can no longer be directly or indirectly identified. 

 

  • The right to erasure: Assessing requests for the removal of personal information is likely to be a complex exercise. Ensure that you have guidelines in place to properly consider and respond to these requests (relevant factors to be taken into account are provided by the Act).
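The "confidentiality by default" items above (trackers off until an explicit opt-in, consent that can be withdrawn, and no collection from under-14s without parental consent) translate into a small piece of front-end logic. The following is an added illustration written for this article, not Didomi's own SDK or code from the Act; the purpose labels ("analytics", "advertising"), the `ConsentGate` class and the tracker names are assumptions chosen for the example.

```javascript
// Consent gate for website data collection technology (hypothetical model code).
// Every purpose starts as "not consented"; a tracker is only switched on after an
// explicit grant, is switched off again on withdrawal, and every consent event is
// recorded so the organization can evidence the basis for collection.

const PURPOSES = ["analytics", "advertising"]; // assumed labels, not prescribed by Law 25
const MINOR_AGE_LIMIT = 14; // Law 25: no collection under 14 without parental consent

class ConsentGate {
  constructor(clock = () => new Date().toISOString()) {
    this.clock = clock;
    // Privacy by default: nothing is consented to until the visitor acts.
    this.consent = Object.fromEntries(PURPOSES.map((p) => [p, false]));
    this.subject = { age: null, parentalConsent: false };
    this.trackers = []; // { name, purpose, activate, deactivate, active }
    this.events = [];   // append-only consent record
  }

  setSubject(age, parentalConsent = false) {
    this.subject = { age, parentalConsent };
  }

  // Register a tracker; it stays dormant unless consent for its purpose already exists.
  register(name, purpose, activate, deactivate) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    const t = { name, purpose, activate, deactivate, active: false };
    this.trackers.push(t);
    if (this.consent[purpose]) this._switch(t, true);
    return t;
  }

  // Call only from an explicit user action (e.g. an "Accept analytics" click),
  // never from page load: the default must remain "off".
  grant(purpose) {
    const { age, parentalConsent } = this.subject;
    if (age !== null && age < MINOR_AGE_LIMIT && !parentalConsent) {
      this._record("refused_minor", purpose);
      return false;
    }
    this.consent[purpose] = true;
    this._record("granted", purpose);
    this.trackers.filter((t) => t.purpose === purpose).forEach((t) => this._switch(t, true));
    return true;
  }

  // Withdrawal takes effect immediately: matching trackers are deactivated.
  withdraw(purpose) {
    this.consent[purpose] = false;
    this._record("withdrawn", purpose);
    this.trackers.filter((t) => t.purpose === purpose).forEach((t) => this._switch(t, false));
  }

  activeTrackers() {
    return this.trackers.filter((t) => t.active).map((t) => t.name);
  }

  _switch(t, on) {
    if (t.active === on) return;
    (on ? t.activate : t.deactivate)();
    t.active = on;
  }

  _record(event, purpose) {
    this.events.push({ at: this.clock(), event, purpose });
  }
}

// Constructed walk-through: an adult visitor lands (nothing runs), opts in to
// analytics, then withdraws; a 12-year-old without parental consent is refused.
function demo() {
  const loaded = [];
  const gate = new ConsentGate(() => "2023-09-22T00:00:00Z"); // fixed clock for the demo
  const unload = (n) => loaded.splice(loaded.indexOf(n), 1);
  gate.register("page-analytics", "analytics", () => loaded.push("page-analytics"), () => unload("page-analytics"));
  gate.register("ad-pixel", "advertising", () => loaded.push("ad-pixel"), () => unload("ad-pixel"));

  const onLanding = gate.activeTrackers();     // [] : off by default
  gate.grant("analytics");
  const afterOptIn = gate.activeTrackers();    // ["page-analytics"] only; ad-pixel stays off
  gate.withdraw("analytics");
  const afterWithdraw = gate.activeTrackers(); // []

  const minorGate = new ConsentGate();
  minorGate.setSubject(12);
  const minorAllowed = minorGate.grant("advertising"); // false: parental consent required

  return { onLanding, afterOptIn, afterWithdraw, minorAllowed, events: gate.events, loaded };
}
```

The important design point is that `grant()` is the only path that turns a tracker on, and it is wired to a user click rather than to page load; a "Reject" button needs no code at all, because rejection is the starting state. The `events` array is what you would persist as your consent record.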

 

By 22 September 2024

 

  • Facilitate the right to portability: Ensure that you have the technology and training in place to be able to produce a digital copy of all personal information that you hold in respect of any individual if it is requested. 

 

What are the main differences and similarities between Law 25, GDPR and CCPA? 

 

Law 25 brings Quebec’s privacy laws closer in line with the GDPR, one of the leading data protection frameworks in the world. Because, like Canada, the USA is not governed by federal privacy law, the California Consumer Privacy Act (CCPA) is seen as one of the most important privacy developments in the country, inviting a natural comparison with Law 25 in Canada.

 

Although these legislative frameworks all deal with generally recognized principles, they also differ radically in their approaches in many ways. Because of this, a comprehensive analysis of their differences and similarities would be too extensive to list here. However, in many ways, Law 25 is the most stringent of the three regimes. There are some key distinctions to note:

 

  • Scope of protection: Both Law 25 and the GDPR offer broad protections to all natural persons, and have no specific residency requirements. The remit of the CCPA is narrower, protecting only consumers who reside within the state of California.

 

  • Privacy by default: Bill 64’s “confidentiality by default” clause is far broader in scope and significantly more stringent than the “privacy by design” concept under the GDPR. The CCPA does not provide for this concept at all, instead taking an “after-the-event” remedial approach. 

 

  • Consent: As the only regime to require consent as default with minimal exceptions, Law 25 is by far the most stringent. The GDPR allows for a wider range of justifications, including compliance with legal obligations and public interest. The CCPA does not place consent obligations on companies at all, instead offering consumers the ability to opt-out of dissemination, or invoke the right of erasure once their information has been collected.

 

  • Impact assessments: Law 25 is broad and requires a PIA to be carried out whenever its conditions are met, regardless of the level of risk. The GDPR is less stringent, only requiring assessments in cases where processing is likely to result in a ‘high risk’ to rights and freedoms. Because the CCPA does not specifically focus on accountability-related obligations, it does not mandate impact assessments.

 

Didomi helps companies get ready for the data privacy revolution

 

The data privacy revolution may have started in Europe with the GDPR, but it is rapidly spreading across the world. More and more countries—and more and more states—are rolling out data privacy legislation. The UCPA’s passage shows that data privacy is not a red state issue or a blue state issue. It’s an issue for all Americans. 

 

Although U.S. privacy law remains fragmented, there is widespread consensus among Americans that their information is less secure than it used to be and that current laws and practices are out of date. Most say that it is difficult to control who has access to their online information and they have little trust in companies to keep their personal information secure.  

 

The message is clear for marketers: those that make customer privacy a priority will enjoy a strong competitive advantage. Complying with the UCPA, CCPA, CPA, VCDPA, and future iterations of these laws is a floor—not a ceiling. And the sky’s the limit for companies that place consumer consent at the center of their digital marketing strategy, especially as we move further into the cookieless future.

 

A brand based on trust is a brand positioned for success in a user-centric world. Find out how Didomi’s Consent Management Platform and Preference Management Platform takes the guesswork out of data compliance and helps you turn privacy into business opportunities. 

 


Former UK lawyer producing specialist content for law firms, professional bodies, and digital agencies.