What is Law 25?
Law 25, formerly Bill 64, or 'Act to modernize legislative provisions as regards the protection of personal information,' is Quebec’s modernized privacy law, the purpose of which is “to establish, for the exercise of the rights conferred by articles 35 to 40 of the Civil Code concerning the protection of personal information, particular rules with respect to personal information relating to other persons which a person collects, holds, uses or communicates to third persons in the course of carrying on an enterprise.” Law 25 brings a significant reform to the Private Sector Act, imposing changes that are to become effective over a period of three years, starting September 2022. Organizations collecting personal information from Quebec residents must be aware of Law 25’s impact, as it is one of North America’s most stringent data privacy regulations.
What is Personal Information and what are other key definitions?
Law 25 refers to organizations covered by the law as ‘entities’ or ‘enterprises’ but does not define either term. It does, however, define ‘personal information’ as “any information which relates to a natural person and allows that person to be identified.” This covers any type of information, “whatever the nature of its medium and whatever the form in which it is accessible, whether written, graphic, taped, filmed, computerized, or other,” and it can include items such as a name, phone number or IP address.
Under this law, personal information is considered to be ‘sensitive personal information’ if “due to its nature or the context of its use or communication, it entails a high level of reasonable expectation of privacy.”
Another relevant definition is that of ‘profiling’ which is defined as “the collection and use of personal information to assess certain characteristics of a natural person, in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests or behavior.”
Last but not least, information is considered anonymized “if it irreversibly no longer allows the person to be identified directly or indirectly,” and the anonymization has to be done “according to generally accepted best practices.” A ‘confidentiality incident’ means:
- “access not authorized by law to personal information;
- use not authorized by law of personal information;
- communication not authorized by law of personal information; or
- loss of personal information or any other breach in the protection of such information.”
Who has to comply with Law 25?
Law 25 applies to any private-sector organization located in or offering services in Quebec; according to the text of the law, “any person carrying on an enterprise” has to comply. The law does not distinguish between organized economic activity of a commercial nature, such as providing a service or administering a property, and other activity.
Law 25 covers both the personal information collected by an enterprise and any personal information it receives from any third party or person, “held by a professional order to the extent provided for by the Professional Code,” or information “held by an authorized entity to the extent provided for by the Election Act.”
Who is excluded from Law 25 compliance?
Public entities and several categories of personal information are not covered under Law 25, as follows:
- “personal information concerning the performance of duties within an enterprise by the person concerned, such as the person’s name, title and duties, as well as the address, email address and telephone number of the person’s place of work;”
- “journalistic, historical or genealogical material collected, held, used or communicated for the legitimate information of the public;”
- “personal information which by law is public;”
- “information held on behalf of a public body by a person other than a public body;”
- documents containing personal information that is more than 100 years old;
- documents containing personal information about an individual who has been dead for more than 30 years. One exception here is personal health information, which cannot be communicated “without the consent of the person concerned unless 100 years have elapsed since the date of the document.”
How can I keep my organization Law 25 compliant?
Compliance with Law 25 can be summed up in the following 9 principles:
- identifying purposes;
- limiting collection;
- consent and information of the person concerned;
- limiting use, disclosure and retention;
- safeguards / confidentiality;
- individual access; and
- responding to requests for access to personal information, and for rectification, submitted by data subjects.
Law 25 came into effect in September 2022 and is being implemented over a 3-year period, with increased enforcement occurring with each passing year.
Data Protection Officer
Starting in September 2022, businesses will have to appoint a Data Protection Officer (DPO), by default the “person exercising the highest authority,” meaning the CEO. However, the CEO of an organization is allowed to delegate all or part of this responsibility to a staff member, with the title and contact details of that person in charge required to be published on your business’ website or “be made available by any other appropriate means.”
In addition, your organization must implement breach reporting procedures for incidents that present “a risk of serious injury,” as assessed by the text of PIPEDA, Canada’s national privacy law; it must keep a record of all breaches and inform both the CAI (Commission d'Accès à l'Information du Québec) and the person or persons impacted by a breach. According to the text of Law 25, “in assessing the risk of injury to a person whose personal information is concerned by a confidentiality incident, a person carrying on an enterprise must consider, in particular, the sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes. The person must also consult the person in charge of the protection of personal information within the enterprise.”
By September 2023, your organization must establish, implement and publish its policies and practices for personal information use. These policies and practices are required to be available on your website and must include the following:
- the purposes for which the information is collected;
- the means by which the information is collected;
- the rights of access and rectification provided by law;
- the person’s right to withdraw consent to the communication or use of the information collected;
- if applicable, the name of the third person for whom the information is being collected and of the possibility that the information could be communicated outside Québec;
- on request, the personal information collected from him, the categories of persons who have access to the information within the enterprise, the duration of the period of time the information will be kept, and the contact information of the person in charge of the protection of personal information.
Beginning in September 2023, covered entities must also conduct Privacy Impact Assessments (PIA). You are responsible for conducting such assessments in the following scenarios:
- whenever your company undergoes an upgrade, an acquisition or a development of your infrastructure,
- whenever personal information is to be transferred outside Quebec. In such cases, you are required to “in particular, take into account
  - the sensitivity of the information;
  - the purposes for which it is to be used;
  - the protection measures that would apply to it; and
  - the legal framework applicable in the State in which the information would be communicated, including the legal framework’s degree of equivalency with the personal information protection principles applicable in Québec.”
- whenever you disclose personal information “for research purposes” without the data subject’s consent.
One of the most modern requirements brought on by Law 25 is that of privacy by default, meaning that “when offering a technological product or service,” your company “must ensure that the parameters of the product or service provide the highest level of confidentiality by default, without any intervention by the person concerned.” What this means for your company is that by default any tracking, profiling or identification technology has to be disabled, and your website visitors must have easy access to expressly opt out of such features.
Data Subject Access Requests
As of September 2024, the right to data portability will come into effect. Preparing for this ahead of time may be considered as a best practice since it may bring with it structural changes to your company, according to the CAI.
It is of great importance for your business that you follow the law’s requirements about consent, which “must be clear, free and informed and be given for specific purposes. It must be requested for each such purpose, in clear and simple language and separately from any other information provided to the person concerned. If the person concerned requests, assistance is provided to help him understand the scope of the consent requested.” Regarding children, according to the text of the law, “the consent of a minor under 14 years of age is given by the person having parental authority. The consent of a minor 14 years of age or over is given by the minor or by the person having parental authority.”
What data access rights does Law 25 grant?
Like any other data privacy regulation, Law 25 grants individuals several data subject access rights, as follows:
Right to be informed: you are required to ensure the knowledge and consent of individuals, except in special circumstances. You must be open and transparent about your practices, the personal information you collect, and the purposes for which you collect it.
Right to access: individuals have a general right to access the personal data that you hold about them. Access requests have to be processed according to the law and in the event of a refusal, this has to be accompanied by an explanation.
Right to rectification: if personal information concerning them is inaccurate, incomplete, or equivocal, or if collecting, disclosing, or keeping it are not authorized by law, individuals may require that the information be rectified.
Right to erasure: “The person to whom personal information relates may require any person carrying on an enterprise to cease disseminating that information or to de-index any hyperlink attached to his name that provides access to the information by a technological means, if the dissemination of the information contravenes the law or a court order.” There are certain conditions that have to be met for this request to be granted, as outlined by the law in Section 28.
Right to object/opt-out: although not expressly stated in the law, this right is implied by an individual’s right to submit a complaint to your organization, to withdraw consent, or to file a complaint with the CAI.
Right to data portability: “At the applicant’s request, computerized personal information must be communicated in the form of a written and intelligible transcript. Unless doing so raises serious practical difficulties, computerized personal information collected from the applicant must, at his request, be communicated to him in a structured, commonly used technological format. The information must also be communicated, at the applicant’s request, to any person or body authorized by law to collect such information.”
Right not to be subject to automated decision-making: Any person carrying on an enterprise who uses personal information to render a decision based exclusively on an automated processing of such information must, at the time of or before the decision, inform the person concerned accordingly. He must also inform the person concerned, at the latter’s request,
- of the personal information used to render the decision;
- of the reasons and the principal factors and parameters that led to the decision; and
- of the right of the person concerned to have the personal information used to render the decision corrected.
The person concerned must be given the opportunity to submit observations to a member of the personnel of the enterprise who is in a position to review the decision.
How should organizations address data subject access requests under Law 25?
Data subject access requests have to be addressed within 30 days after the date of receipt and, according to the text of the law, “failure to respond within 30 days of the receipt of a request is deemed to be a refusal to grant the request.”
The law does not provide for any extension. Access should be given free of charge; however, “a reasonable charge” may be imposed. If you intend to require a charge, you must inform the individual “in advance, of the approximate amount that will be charged for the transcription, reproduction or transmission of information.”
If you refuse to grant a request for access or rectification, you must inform the individual of the refusal “in writing, giving reasons, and inform the person concerned of the recourses open to him.” It is important to note that Law 25 says that you must refuse access to personal information “where disclosure would be likely to reveal personal information about a third person or the existence of such information and the disclosure may seriously harm that third person, unless the latter consents to the communication of the information or in the case of an emergency that threatens the life, health or safety of the person concerned.”
Enforcement and penalties
The CAI enforces Law 25 and has authority to investigate and impose administrative penalties of up to $50,000 in the case of a natural person and, in all other cases, up to $10,000,000 or, if greater, the amount corresponding to 2% of worldwide turnover for the preceding fiscal year.
In the case of penal offenses, penalties range from $5,000 to $50,000 in the case of a natural person and, in all other cases, from $15,000 to $25,000,000 or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year. In the case of a subsequent offense, the fines are doubled.
Data Subject Rights - GDPR vs. PIPA-AB vs. PIPA-BC vs. Law 25
GDPR:
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
PIPA-AB:
- The Right to Access
- Right to rectification
PIPA-BC:
- The Right to Access
- Right to rectification
Law 25:
- The Right to be Informed
- The Right to Access
- Right to rectification
- Right to erasure
- Right to object/opt-out
- Right to data portability
- Right not to be subject to automated decision making
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.