Articles
Country guides
Quebec's Law 25: Everything you need to know
Country guides
new

Quebec's Law 25: Everything you need to know

Published  

7/26/2022

by 

Sarah Barker

18
min read

Published  

July 26, 2022

by 

Sarah Barker

10 min read
Summary

The privacy and data protection landscape in Quebec is changing - and the clock has already started ticking for organizations to get up to speed. 

 

Following in the footsteps of the enhanced privacy standards introduced by the General Data Protection Regulation (GDPR) in Europe, Law 25 (The Privacy Legislation Modernization Act) was adopted unanimously by the National Assembly of Quebec on 21 September 2021.

 

In this article, we will cover everything you need to know about Law 25.

 

Update May 2024: We recently organized a webinar hosted by Jean-Baptiste Garcin, our Quebec & Canada Manager, accompanied by Louis Audureau, Manager, Data Marketing & Digital Strategy at M13H, and Camille Blain-Coallier, Senior Director, Data & Analytics at Labelium.
 
We discussed Law 25, its impact on the market, its implications for business operations, and user data management strategies before taking a closer look at how to effectively implement your tags and consent banners to ensure legal compliance and marketing performance.

Click on the image to watch the on-demand recording:

Didomi - Law 25 webinar replay

 

What is Quebec’s Law 25?

 

In a move that is likely to set the pace for wider provincial reforms across Canada, Law 25 is designed to modernize Quebec’s privacy laws. Introducing a raft of changes to the existing legal framework, it grants significant new data protection rights to individuals, along with increased obligations for the public and private organizations that handle their personal information. 

 

Historically, Quebec's privacy law framework has been comprised of an array of provincial and federal legislation. Law 25 acts as a broad brush update to this regime, most notably in respect of the law governing access to documents held by public bodies (The Public Sector Act) and the law governing the protection of personal information in the private sector (The Private Sector Act). 

 

Law 25 will come into effect through a phased rollout over the next three years. Whilst this staggered implementation period reduces the pressure slightly, now is the time for companies to start getting their ducks in a row. The incoming changes are comprehensive, and implementation will require considerable time and resources - with serious penalties on the table for non-compliance.

 

Why is it no longer called Bill 64?

 

“Bill 64” was the name of the original legislative text first proposed to Quebec’s national assembly on June 12, 2020. Following a lengthy consultation process and numerous amendments, it passed the assembly and parliamentary committee stages in September 2021.

 

In Quebec, a Bill officially becomes Law once it receives assent from the Lieutenant-Governor. Bill 64 finally completed its passage into legislation when it received formal assent on September 22, 2021. At this point, it became The Privacy Legislation Modernization Act - otherwise known as Law 25. 

 

Which businesses does Law 25 apply to?

 

At first glance, it is easy to assume that the new legislative provisions are, therefore, of minimal relevance to those outside of Quebec. However, the reality is that the knock-on effects of the regime will be felt far beyond provincial borders. This is for two reasons:

 

  • Firstly, in line with global data protection laws and a well-established line of jurisprudence under the local regulator, the Commission for Access to Information (CAI), Law 25 will have a general application for any organization based outside of the province with any customers using its products or services in Quebec.

    In practice, this means that a single visitor to a global website from inside the province will bring the provider within jurisdiction.
  • Secondly, Law 25 is a pioneering legal framework in Canada - and one that reflects a general direction of travel throughout the rest of the developed world. With Canada’s regionalized approach to data regulation, it remains to be seen whether this will lead to a provincial “domino effect,” with neighboring governments following suit.

    If this occurs, federal reform at some point in the future is a very real possibility. 

 

What and who does Law 25 cover?

 

Law 25 updates the existing legal framework for protecting personal information in Quebec. Whilst this covers the law in respect of both the public and private sectors, the latter is of primary relevance for private organizations.   

 

The Private Sector Act defines personal information as:

 

“any information which relates to a natural person and allows that person to be identified.”

 

This definition includes all personal information “relating to other persons which a person collects, holds, uses or communicates to third persons in the course of carrying on an enterprise.”  

 

The Private Sector Act applies to all such personal information, regardless of its form (including, but not limited to, information that is written, graphic, taped, filmed, or computerized).

 

Who is covered? In short - potentially everyone. Because the scope of Law 25 extends to any end-user of a Quebec-based service provider outside the province, it captures not only all “natural persons” inside the border but those outside of it, too.  There are no citizenship restrictions. 

 

What data rights do Quebec consumers have under Law 25?

 

Mockup of a consent banner for a website, represented in a laptop, with a flag of Québec floating in the top left corner and the Didomi logo in the bottom left

 

Make no mistake—Law 25 is good news for consumers. Following the tailwinds of the GDPR, the new framework strengthens the protection of personal information, handing back a greater degree of control to the individual. Unless otherwise specified, all consumer rights below came into force on 22 September 2023.

 

The right to privacy by default

In a significant shift, Law 25 reverses the previous de facto position on online privacy, granting consumers the automatic right to confidentiality over their personal information. In practice, this means that, for example, any profiling or tracking technology must be deactivated on a company website unless express consent is given - and not the other way around.

 

Transparency 

Consumers will be entitled to a greater level of transparency when private organizations collect their personal information. The new regime provides for the following:

 

  • Basic right of access: When collecting any personal information, companies must now inform the individuals concerned of the following:
    • The purpose for which the information is gathered;
    • How this information is being collected;
    • The consumer’s right to access this information and rectify it where necessary;
    • The consumer’s right to withdraw consent for this information to be gathered. 

 

  • Third parties: Companies must now also inform individuals of the following with respect to third-party use of their personal information:
    • The names of any third parties for whom the information is gathered;
    • The names of any third parties to whom this information may be passed on;
    • The fact that this information may be communicated outside of Quebec. 

 

  • Automated processing: If a company uses automated processes to make a decision about an individual, they must notify that person of the following:
    • When a decision has been made,
    • Their right to access or correct the personal information used to make the decision;
    • Their right to information about how the decision was made;
    • Their right to have the decision reviewed;
    • Their right to submit additional information where required by way of an appeal.

 

  • Right to request additional information: If they choose to request it, consumers are also now entitled to receive the following information:
    • Details of what information has been collected from them;
    • The categories of people who have access to this information within the organization;
    • How long will this information be kept;
    • Contact details for the person responsible for protecting this information.

 

Giving and collecting consent under Law 25

The new framework introduces a raft of new rules regulating how consumers consent to using their personal information. The most significant provisions are:

  • Requests for consent: Companies are already required to seek free and informed consent to the collection and use of personal information. However, Law 25 adds teeth, stipulating that requests for consent must be made in clear and simple language. It also adds that such requests must be made in isolation - in other words, they cannot be buried in the small print!
  • Sensitive information: Consumers must now give their express consent for the use of “sensitive” personal information for any other purpose than that for which it was originally collected. Information that is considered “sensitive” includes medical, biometric, or otherwise intimate details that give rise to a reasonable expectation of privacy.
  • Minors: Companies cannot collect any personal information concerning a child under the age of 14 without parental consent. The only exception is where the information collected is of clear benefit to the child (for example, in an emergency situation).
  • Biometrics: Biometrics will no longer be permitted to verify a person’s identity without their express consent.
  • Exceptions: Law 25 introduces some limited exceptions in which the presumption of consent will not apply. Organizations may now use personal information without consent if this is necessary to detect or prevent fraud, or if such use is necessary in order to deliver a product or service expressly requested by the individual concerned.

 

In November 2023, the Quebec data protection authority (the Commission d'accès à l'information) , released guidelines and recommended practices for public and private organizations required to obtain consent from individuals to use or disclose their personal information.

 

These guidelines, which aim to ensure the validity of consent, serve as a benchmark for responsible data management and emphasize the protection of personal data within the legislative framework of Quebec. Some of the essential expectations to keep in mind for organizations include:

 

  1. Consent should be obtained explicitly; however, there is an allowance for implicit consent in certain cases, such as scrolling on a website. Nonetheless, page 18 of the guidelines suggests that implicit consent is presumably more suitable when there is only one purpose for data collection, which implies that for websites with multiple purposes, implicit consent may not be appropriate.
  2. Consent must be informed, meaning detailed information should be transparently displayed, including the purposes for data collection, types of personal information gathered, and the identities of third parties or vendors with access to the data.
  3. Consent is temporary and should only be valid for a specified period, with examples ranging from six months to three years. This indicates that consent can have a considerably long duration but isn’t indefinite.
  4. When a company, publisher, or website uses tracking technologies such as cookies or pixels, they must do so transparently. This transparency includes providing information on the first layer of the Consent Management Platform (CMP) banner.
  5. Publishers or website owners must document the consent obtained in order to maintain a record as proof of consent.
  6. The option to "accept all" or "reject all" tracking technologies must be presented on the same layer (e.g., the first layer of the CMP notice), ensuring that users are not unduly influenced to consent, thereby safeguarding the freedom of consent.
  7. Users must be able to withdraw their consent at any time, necessitating a link in the website's footer to resurface the CMP notice or the use of a floating icon.
  8. Companies should inform users about the duration of consent validity, indicating clearly how long the consent will last before it must be renewed.

 

Right to erasure

From 22 September 2023, in the spirit of the “right to be forgotten” first created under the GDPR, consumers have been entitled to ask companies to cease distributing their personal information. In cases where this distribution is causing the individual harm (or where it contravenes a court order), they will also have the right to have any internet links attached to their names de-indexed. 

 

Right to portability

This is the final provision to come into effect on September 22nd, 2024. Individuals will be granted the right to receive a digital copy (in a commonly used format) of all personal information collected from them by any organization.

 

How is Law 25 enforced?

 

Law 25 comes with a robust enforcement scheme compared to the previous regime, creating both a two-tier monetary penalty model and a right of action in the civil courts. 

 

Monetary penalties

For individuals, the maximum penalty for penal offenses under Law 25 is $100,000. For private sector companies, penal fines for non-compliance can rise to whichever of the following is greater:

 

  • A sum ranging from CAD $15,000 to $25,000,000; or
  • A sum corresponding to 4% of the organization’s worldwide turnover for the preceding fiscal year. 

 

Authority for the enforcement of monetary penalties rests with the CAI.

 

Right of action

The Act also gives rise to a new private right of action, allowing individuals to bring claims against companies for statutory damages in respect of specific breaches.

 

Actionable breaches include (but are not limited to) unlawful use of personal information, failures to provide adequate privacy notices, and failures to notify data subjects in cases of automated decisions and confidentiality breaches.

 

The title "Quesions about the impact of law 25?" on top of the image introduces a blue square with the picture of a smiling man and the word "Our expert Jean-Baptiste Garcin will be happy to answer them", with a button saying "Request a demo"

 

How can my business comply with Law 25?

 

Whilst the raft of reforms is extensive, the essence of some provisions has already been either fully or partially mandated by other applicable regimes (such as PIPEDA) or has simply become common practice over recent years. 

 

However, for the bulk of provisions that are entirely new, existing systems are likely to fall short and require a comprehensive overhaul. Fortunately, the phased rollout breaks this process down. At a minimum, organizations should expect to tick off the following boxes over the below time frame:

 

 By 22 September 2022

 

  • Assign a Privacy Officer: Appoint a person who will take on authority for ensuring compliance with the law within your organization. Responsibility for this role will fall to the CEO by default - but the position can be delegated to any appropriate individual. Their title and contact details must be published on your website, and the CAI must be notified of the same.

 

  • Mandatory Breach reporting: Your organization must notify both the CAI and any affected individuals of any data breach involving personal information that presents a risk of serious harm. You must also maintain a register of breaches. For most companies, these mechanisms should largely already be in place due to existing requirements - however, this is an important opportunity to review your systems to confirm that they are compliant.

 

  • Biometrics: If your company uses, or intends to use biometric banks, from this date onwards you must disclose their existence to the commission no later than 60 days before your system is implemented. 

 

 By 22 September 2023

 

  • Privacy policy: You must ensure that, by this date, you have a comprehensive privacy policy published on your website. This must set out your data protection policies and practices in clear and simple language, and provide sufficient information for consumers (for example, on personal data management, breach reporting, consent, access requests, and automatic decision making) to meet transparency obligations.

 

  • Mandatory Privacy Impact Assessments (“PIA”): It is now mandatory to carry out a PIA when communicating any personal information outside of Quebec, when creating or acquiring any digital systems involving private data, or before disclosing any personal information without consent for research purposes. You will need to have guidance in place governing how this requirement is triggered, as well as clear communication procedures for staff. 

 

  • Establish transparency and consent systems: Long before this date, your organization should have conducted a comprehensive review into its existing mechanisms for gathering, storing, and disseminating consumer information. These should now be updated to meet the new consumer rights framework, paying particular attention to the following points:

    • Deactivate any data collection technology on your website by default without requiring users to confirmatory action. Instead, provide an explicit “opt-in” mechanism, which excludes the use of cookies.
    • Update your consent forms and access to information systems. Ensure that, when requested, you can provide details of the categories of individuals within your company who have access to any given customer’s personal information, as well as the contact information of your privacy officer.
    • Identify any cross-border jurisdictions to which your organization may transfer personal information and conduct a PIA(s) in respect of those locations.
    • Ensure that you have procedures in place to manage confidentiality exceptions for bereavement. You may pass on personal information relating to somebody who has passed away to their spouse or close relatives - but only if this is likely to help them in the mourning process, and if the deceased did not withdraw consent to this in life.
    • Ensure that your organization no longer collects personal information about children under 14 without parental consent.
    • Ensure that your privacy policy provides details of your organization’s automated decision-making processes, including access to information and appeals.  

 

  • Anonymization: You must have a system in place to either destroy personal data once the purposes for which it was collected have been achieved or to anonymize it where applicable. If you are implementing or updating an anonymization system, this must meet the high bar of ensuring that the person concerned can no longer be directly or indirectly identified. 

 

  • The right to erasure: Assessing requests for the removal of personal information is likely to be a complex exercise. Ensure that you have guidelines in place to properly consider and respond to these requests (relevant factors to be taken into account are provided by the Act). Learn more about our Privacy Request module, which might help in this process.

 

By 22 September 2024

 

  • Facilitate the right to portability: Ensure that you have the technology and training in place to be able to produce a digital copy of all personal information that you hold in respect of any individual if it is requested. 

 

What are the main differences and similarities between Law 25, GDPR, and CCPA? 

 

Law 25 brings Québec’s privacy laws closer to the GDPR, one of the leading data protection frameworks in the world. Because, like Canada, the USA is not governed by federal privacy law, the  California Consumer Privacy Act (CCPA) is seen as one of the most important privacy developments in the country, inviting a natural comparison with Law 25 in Canada.

 

Although these legislative frameworks all deal with generally recognized principles, they also differ radically in their approaches in many ways. Because of this, a comprehensive analysis of their differences and similarities would be too extensive to list here. However, in many ways, Law 25 is the most stringent of the three regimes. There are some key distinctions to note: 

 

  • Scope of protection: Both Law 25 and the GDPR offer broad protections to all natural persons and have no specific residency requirements. The CCPA's remit is narrower, protecting only consumers who reside within the state of California.

 

  • Privacy by default: Bill 64’s “confidentiality by default” clause is far broader in scope and significantly more stringent than the “privacy by design” concept under the GDPR. The CCPA does not provide for this concept, instead taking an “after-the-event” remedial approach. 

 

  • Consent: As the only regime to require consent as default with minimal exceptions, Law 25 is by far the most stringent. The GDPR allows for a wider range of justifications, including compliance with legal obligations and public interest. The CCPA does not place consent obligations on companies; instead, it offers consumers the ability to opt out of dissemination or invoke the right of erasure once their information has been collected.

 

  • Impact assessments: Law 25 is broad and requires a PIR to be carried out whenever conditions are met, regardless of the leve