Excusez-moi, Make Way for Quebec’s Privacy Law
by: Dhara Shah and Max Landaw
The bulk of Quebec’s privacy law, Law 25, is set to be in effect on September 22. Law 25 was passed on September 22, 2021, with implementation phased in over the course of three years – and this September marks the effective date for many of its core requirements. Quebec passed this law in the wake of repeated attempts at a general overhaul of Canada’s privacy regime to bring it more in line with modern privacy legislation inspired by the EU’s General Data Protection Regulation (GDPR). Law 25 is the first provincial law in Canada to mirror such GDPR requirements.
As September 22 approaches, below are some key points on what should be on your radar to comply with Law 25:
Who’s In Charge?: Law 25 has required the appointment of a “person in charge of the protection of personal information” since September 2022. This is the functional equivalent of what we have come to know as a Data Protection Officer (DPO) under laws like the GDPR. Note that Law 25 suggests that this person in charge of the protection of personal information (as well as administrators, directors, or representatives of the company who ordered or authorized an act or omission constituting an offense under Law 25) can be held personally liable.
What is Personal Information?: Quebec defines personal information broadly, just like the GDPR: it includes any information that allows a person to be identified – including consumer, employee, and business-to-business personal information. Note that this differs from many US state privacy laws, which exempt employee and business-to-business personal data from the ambit of the law.
Quebec Resident Rights: Similar to other privacy laws, Law 25 gives Quebec residents certain privacy rights. This includes the right to: be informed, access, rectify, erase, withdraw consent/restrict processing, and opt-out of profiling. Law 25 provides businesses with 30 days to respond. Note that the right to portability will be implemented in September 2024.
Contractual Requirements: Law 25, like the GDPR and other comprehensive privacy laws, requires contractual language to be in place when disclosing personal information to processors such as your service providers. Contracts should include restrictions on use of the personal information, ensure proper security measures are in place, and account for deletion of the information upon expiration of the contract.
Expanded Risk Assessment Triggers: Law 25 mandates the completion of a risk assessment (similar to GDPR data protection impact assessments) in certain situations, including some not required under other privacy laws. One notable case in which a risk assessment is required is any time personal information may be transferred outside of Quebec. Among other factors, a risk assessment should contain a review of the processing activity, the relevant safeguards put in place to protect the personal information, and an analysis of the legal framework of the country to which the information is being transferred.
Quebec’s law also requires additional compliance measures – such as keeping a record of all breaches, even those that do not trigger notice requirements, providing disclosures relating to use of automated decision-making, and obtaining consent for the use of tracking technologies such as cookies. Law 25 will intertwine with other Quebec legal requirements, such as ensuring all notices, legal documents, and materials are available in French. Compliance with Quebec’s Law 25 should be taken seriously as it provides for both a private right of action and enforcement by the CAI for penalties of up to $25 million CAD or 4% of your company’s global turnover.
So What Should My Company Do Now? First, determine whether your organization is subject to the law – do you collect Quebec residents’ personal information? If the answer is yes, the good news is that many of Quebec’s requirements are familiar to companies already in compliance with laws like the GDPR and CPRA. You should work with legal counsel to update your privacy policies to ensure proper disclosures and privacy rights are provided for, update internal documents and DPAs, and set up processes to ensure risk assessments are conducted when needed.
Originally published by InfoLawGroup LLP.