The Act to Modernize Legislative Provisions Respecting the Protection of Personal Information, also known simply as Law 25, came into effect in September 2022 and will continue to be phased in during 2023 and 2024. This Act applies to organizations established in Quebec, as well as to those that do business with persons living or operating there. The application of Law 25 is supervised by the Commission d'accès à l'information du Québec.
Law 25 is an amendment to the Act Respecting the Protection of Personal Information in the Private Sector that was implemented to better prevent and manage issues related to the digital age in which we live. It notably includes data protection transparency obligations that require organizations to inform individuals about the collection, use, and disclosure of their personal information.
A first set of responsibilities and obligations was introduced last September. The next ones are fast approaching in September 2023. But concretely, what does this involve? Among other things:
- The obligation to create a governance program that details the practices and policies put in place to oversee the collection and possession of personal information (and share it with the individuals concerned).
- The obligation to destroy or anonymize personal information collected once the task for which it was collected has been performed.
In the event of privacy incidents, the Commission d'accès à l'information du Québec can issue fines of up to $25 million or 4% of your company's worldwide turnover. Complying with the terms of the Law is therefore very important, not only from a monetary point of view but also as a way to demonstrate your commitment.
For example, through the governance program, you protect the individuals whose personal information you collect, and you demonstrate that you are prepared to respond quickly if an incident occurs. The risks that arise from a confidentiality incident can be significant (reputational damage, hefty fines, reduced profitability, etc.), so it is necessary to ensure that all measures are put in place to prevent and resolve them!
On the digital side, regulations will also be added concerning the Consent Management Platform (CMP), which handles the acceptance of cookies. We will see changes to:
- Requests for consent: There will be stricter requirements in this regard; companies will need to make an isolated request for consent written in clear, simple language and formulated in such a way as to make it easy for individuals to recognize that it is a request for consent.
- Sensitive information: Medical, biometric, or other private data can no longer be used in any context other than that for which they were initially collected without consent.
- Biometrics: Biometrics may no longer be used to verify identity without the explicit consent of the person concerned.
- Minors: For children under 14 years of age, the collection of data will be prohibited without the consent of the parents.
However, there may be exceptions to the rule where fraud is being detected or prevented, or where the information is necessary to provide a product or service to an individual.
A reference guide (which was very useful to us!) by the Commission d'accès à l'information is available and contains all the relevant information on Law 25, as well as courses of action to be applied to ensure that your business complies with the law.
Our DMP partner "Eulerian" complies (as a third-party partner) with Quebec's Law 25, which modernizes the legislative provisions regarding the protection of personal information in the private sector.