What are the key privacy requirements of Quebec’s Bill 64 (Law 25)?
Law 25 provides extensive revisions to the privacy regime in Quebec. New requirements will mean that organizations covered by Law 25’s scope will be obliged to amend their existing privacy program to accommodate stricter provisions for valid consent, extended privacy rights, and data breach notification, among other things.
Breach notification
Law 25 requires organizations to notify the Commission d’accès à l’information du Québec, as well as any affected individuals, of data breaches. Notification is required when unauthorized access to personal information presents a "risk of serious injury" to the individual. Law 25 will rely on PIPEDA’s interpretation of what constitutes a "real risk of significant harm", which generally includes any incident involving sensitive personal data.
Under Law 25, organizations must report a breach as soon as possible after an incident occurs, as well as maintain a record of all security incidents.
DPO appointment
Businesses are required to designate an employee responsible for compliance with Law 25. Although any individual can be designated as a privacy officer, Law 25 assigns responsibility for overseeing compliance by default to the most senior employee (e.g., the CEO). If a privacy officer other than the CEO is assigned, organizations must publish the name, title, and contact information of the individual responsible on their website.
Privacy Impact Assessment (PIA)
Law 25 adds a requirement for organizations to conduct a Privacy Impact Assessment (PIA) in certain circumstances, such as when acquiring, developing, or overhauling an information system or electronic service delivery system that involves the collection, use, release, keeping, or destruction of personal information.
The contents of a PIA vary based on several factors, including whether you are based in the public or private sector, the scope of the activity, and the types of information involved. Law 25 does state that a PIA is required for activities where personal information will be shared outside of Quebec. An assessment should include information relating to:
- The sensitivity of the information
- The purposes for which it is to be used
- The protection measures, including contractual ones, that would apply
- The legal framework applicable in the jurisdiction with which the information is shared
Privacy notices
Law 25 requires businesses to provide certain information to individuals when they collect personal information using technology that identifies, locates, or profiles the individual, or when they use personal information to make a decision solely based on automated processing.
Subject rights
Subject rights under Law 25 resemble those found under the EU General Data Protection Regulation (GDPR). The majority of new subject rights will be effective by September 2023, with the right to data portability becoming effective in September 2024.
Subject rights in Quebec now include:
- Right to be informed
- Right to access
- Right to rectification
- Right to erasure
- Right to withdraw consent
- Right to restrict processing
- Right to data portability
Privacy officers should respond to requests within 30 days of receipt, with the possibility of an extension.
Enhanced consent
The act defines certain enhanced rules relating to individuals’ consent required prior to the collection, use, or distribution of personal information. A public body or organization that requests consent in writing must do so independently from any other information provided to the individual. Consent for some uses or disclosures of sensitive personal information must be given expressly. Furthermore, the consent of the person with parental authority or the tutor must be obtained before collecting, using, or disclosing personal information about a minor under the age of 14.
For consent to be considered valid under Law 25, it must be:
- Free and informed
- Given for specific purposes
- Requested for each purpose
- Presented in clear and simple language
- Requested separately from any other information
- Given expressly for sensitive personal information
Additionally, individuals must be made aware of:
- Their right to withdraw consent (private sector only)
- The name of third parties outside of Quebec that personal information is shared with
- Categories of people within the business who have access to personal information
- How long data will be retained
- The contact information of the responsible individual
- Whether the request is mandatory or optional (public sector only)
- Consequences for refusing to respond or withdrawing consent (public sector only)
How to approach Law 25’s three-year entry into effect
Bill 64's proposed three-year entry into effect is intended to give businesses sufficient time to prepare for the new privacy requirements and make the necessary changes to their data protection practices before those requirements come into effect.
The timeline for Law 25’s key provisions becoming effective includes:
- September 2022: Breach notification requirements
- September 2022: Privacy officer appointment
- September 2023: Privacy Impact Assessments
- September 2023: Updated privacy policies
- September 2023: Offer a right to restrict processing
- September 2023: Offer a right to erasure
- September 2023: Enhanced consent requirements
- September 2024: Offer a right to data portability
During the three-year transition period, businesses will be expected to take steps to comply with the proposed changes to Quebec's privacy laws. This includes conducting a privacy audit, updating privacy policies and procedures, implementing security measures, training staff, appointing a privacy officer, and reviewing contracts with service providers.
Once the transition period ends, organizations will be expected to be fully compliant with the new privacy requirements or face newly introduced penalties of between $5,000 and $50,000 in the case of a natural person. In all other cases, fines can range between $15,000 and $25,000,000 or 4% of worldwide turnover for the previous year, whichever is greater.