Find out about obligations, sanctions and compliance steps for companies.
Bill 25 in Quebec is an important piece of legislation aimed at strengthening the protection of personal information in an increasingly digital world. Adopted in September 2021 and due to come fully into force in September 2023, this law brings significant changes to the data privacy obligations of businesses and public bodies.
In this article, we’ll look in detail at the definition of Law 25, its implications for businesses, obligations in the event of a privacy incident, potential penalties for non-compliance, and the steps you need to take to become compliant. Whether you’re an SME or a large corporation, it’s essential to fully understand these new regulations to avoid fines and preserve your customers’ trust. Ask the 1001Web.ca experts about how to effectively implement the guidelines of Bill 25.
Definition of Bill 25
Bill 25, also known as the Act to Modernize Legislative Provisions Respecting the Protection of Personal Information, was adopted by the Quebec National Assembly in September 2021. This law is largely inspired by the European Union’s General Data Protection Regulation (GDPR), introduced in 2016 to better protect personal data by establishing responsibilities for companies that collect such data.
Bill 25 aims to give individuals more control over their personal information, by strengthening consent rules and requiring companies to implement specific policies and practices to improve data protection. It modernizes the framework applicable to the protection of personal information in various laws, including the Act respecting access to documents held by public bodies and the protection of personal information, and the Act respecting the protection of personal information in the private sector.
Origins of the Law
Law 25 was passed on September 22, 2021, with the first measures phased in from September 22, 2022, followed by the full implementation of penalties on September 22, 2023, and the application of all articles of the law on September 22, 2024.
Why a new law?
This new law was introduced for several key reasons:
- Giving individuals more control over their personal information
- Improving consent rules
- Requiring companies to implement specific policies and practices to improve the protection of personal data
Law 25 defines personal information as any form of information about a natural person that enables that person to be identified directly or indirectly. In the digital world, this can include non-personal data (such as a unique identifier) that can be linked to a set of personal information and therefore to an individual.
Personal information covered by Canadian privacy law includes a wide variety of information such as:
- Name, ethnic origin, religion, marital status, level of education
- E-mail address, e-mail messages, IP address
- Age, height, weight, medical records, blood type, DNA, fingerprints, voice signature
- Income, purchases, consumer habits, banking information, credit or debit card data, loan or credit reports, tax returns
- Social insurance number or other identification number
Ask the experts at 1001Web.ca about how to effectively implement the guidelines of Bill 25 in an informative and engaging way.
Implications for Business
Law 25 brings significant changes to the data privacy obligations of companies and public bodies. Companies will have to comply with new requirements, including consent, data protection for minors, privacy impact assessments (PIAs) and data breach notifications.
Compliance obligations
Here are some of the main obligations that companies will have to comply with:
- Enhanced consent: Companies will have to obtain the explicit consent of individuals before collecting, using or disclosing their personal information. Consent will have to be sought separately for each purpose.
- Data protection for minors: The consent of the holder of parental authority will be required to collect, use or communicate personal information concerning a minor under the age of 14.
- Privacy Impact Assessments (PIAs): Companies will be required to conduct PIAs before disclosing personal information outside Quebec.
- Data breach notifications: In the event of a confidentiality incident presenting a risk of serious harm, companies will be required to notify the Commission d’accès à l’information and the individuals concerned.
Concrete examples of implementation
Here are a few concrete examples of how companies can comply with Bill 25:
- Review privacy policies and consent forms to ensure compliance with new requirements
- Implement processes to verify the age of users and obtain parental consent where necessary
- Conduct PIAs before transferring personal data outside Quebec
- Establish procedures for detecting, reporting and managing confidentiality incidents
Compliance with Bill 25 will require significant effort on the part of companies. However, it can also be an opportunity to build customer confidence and stand out from the competition by demonstrating a strong commitment to privacy protection.
Obligations in the event of a Confidentiality Incident
Under Bill 25, any person carrying on a business who has reason to believe that a privacy incident involving personal information held by him or her has occurred must take reasonable steps to reduce the risk of harm and prevent similar incidents in the future.
If the incident presents a risk of serious harm, the person operating the business must promptly notify the Commission d’accès à l’information and any person whose personal information is affected by the incident, failing which the Commission may order him or her to do so. It may also notify any person or organization likely to reduce the risk, by communicating only the personal information required for this purpose without the consent of the person concerned. In the latter case, the person responsible for the protection of personal information must record the communication.
Notwithstanding the second paragraph, a person whose personal information is affected by the incident does not have to be notified as long as this might hinder an investigation by a person or body charged by law with preventing, detecting or repressing crime or offences against the law.
A government regulation may determine the content and terms of the notices provided for in this section.
Incident Register
Anyone operating a business must keep a confidentiality incident register. Government regulations may determine the content of the register.
A copy of the register must be sent to the Commission on request.
Notification of Concerned Parties
As regards notification to the data subject, this must include in particular:
- a description of the personal information in question or, if not known, the reasons why it is impossible to provide such a description;
- a brief description of the circumstances of the incident;
- the date or period of the incident or, if not known, the approximate period;
- a brief description of the measures taken or planned to reduce the risk of damage;
- suggested measures to reduce the risk of harm or to mitigate such harm;
- contact details where the person concerned can obtain further information about the incident.
Sanctions and Consequences in the Event of Non-Compliance
Bill 25 provides a robust enforcement regime compared to the previous one, creating both a two-tiered monetary penalty model and a right of action in civil courts.
Types of penalties
For individuals, the maximum penalty for criminal offences under Bill 25 is $100,000. For private-sector companies, criminal fines for non-compliance can reach the higher of the following two amounts:
- An amount ranging from $15,000 to $25,000,000 CDN; or
- A sum equivalent to 4% of the organization’s worldwide sales for the previous financial year.
The authority to impose financial penalties lies with the Commission d’accès à l’information (CAI).
The Act also creates a new private right of action, enabling individuals to sue companies for statutory damages in respect of specific breaches.
Actionable breaches include (but are not limited to) unlawful use of personal information, failure to provide adequate privacy notices and failure to inform data subjects of automated decisions and privacy breaches.
Fines
| Type of penalty | Amount of fine |
| --- | --- |
| Criminal offence for individuals | up to $100,000 |
| Criminal fines for non-compliance by private-sector companies | CA$15,000 to CA$25,000,000 or 4% of worldwide sales for the previous fiscal year (whichever is greater) |
Compliance: Steps to follow
Here are the main steps to follow to comply with Bill 25 in Quebec, according to the experts at 1001Web.ca:
- Appoint a privacy officer within your company. This person will be responsible for ensuring compliance with the law, and for implementing the necessary policies and practices. If no one is designated, this responsibility falls by default to the company’s chief executive officer.
- Conduct Privacy Impact Assessments (PIAs) when required by law, particularly before disclosing personal information outside Quebec. The PIA must take into account the sensitivity of the information, the purposes for which it will be used, the safeguards that will apply and the legal framework of the jurisdiction where it will be disclosed.
- Train staff and make them aware of the new obligations regarding the protection of personal information. This includes defining everyone’s roles and responsibilities throughout the life cycle of personal information held by the company.
Other key actions to take, according to the experts at 1001Web.ca:
- Review privacy policies and consent forms to ensure compliance
- Implement processes to verify the age of users and obtain parental consent where necessary
- Establish procedures for detecting, reporting and managing confidentiality incidents
- Have a system for destroying or anonymizing personal information once the purposes have been achieved
- Establish guidelines for assessing requests for the right to be forgotten
By following these steps and learning from the experts at 1001Web.ca, you’ll be well on your way to effective compliance with Bill 25. Don’t hesitate to call on their expertise to support you in this important step for your business.
Conclusion
Quebec’s Bill 25 represents a major step forward in the protection of personal information in the digital age. It imposes new obligations on companies in terms of consent, data protection for minors, privacy impact assessments and data breach notifications. Penalties for non-compliance can be severe, with fines of up to $25 million or 4% of worldwide sales.
To achieve compliance, companies must appoint a privacy officer, conduct PIAs when required, train their staff and review their privacy policies. If all this sounds complex, don’t hesitate to let our experts at 1001Web.ca do it for you. They’ll be able to guide you through this essential process in an informative and engaging way, to preserve your customers’ trust and avoid penalties.
FAQs
What is Bill 25 in Quebec?
Quebec’s Bill 25 brings significant changes to the protection of personal information. It amends the Act respecting access to documents held by public bodies and the protection of personal information, as well as the Act respecting the protection of personal information in the private sector.
Does Bill 25 apply to employees?
Yes, Bill 25 applies to anyone who collects, holds, uses or transmits personal information in the course of operating a business, regardless of size. It is therefore applicable to various sectors, including construction contractors.
How can we comply with Bill 25?
To comply with Bill 25, which has been in force since 2022, it is necessary to clearly define roles and responsibilities within a privacy policy, carry out an inventory of personal information held to assess its sensitivity, and put in place preventive measures to limit the consequences of a privacy incident.
Who can help you comply with Bill 25?
The MaLoi25 program is available to all PMOs (Small and Medium-sized Organizations) in Quebec. The program is open to all organizations, whether for-profit or not, headquartered in Quebec and with fewer than 500 employees.