Even as the business landscape changes, one consideration that always stays at the top of every organization’s priority list is legal compliance. The challenge here is that laws constantly change, as illustrated by the recent evolution of data privacy protections in Quebec.
Law 25, also known as the Privacy Legislation Modernization Act or Bill 64, is the latest significant effort from the Canadian province to protect the privacy rights of an organization’s clients, employees, suppliers, and business partners. The National Assembly of Quebec unanimously adopted the legislation on September 21st, 2021, and it went into effect just recently.
Quebec is not alone in this endeavor. Other high-profile privacy standards worldwide, like the well-known General Data Protection Regulation (GDPR) of the European Union, show that data privacy is becoming a legal trend. More than 8 out of 10 users believe data collection hurts more than helps, and concerns over privacy have largely driven such legislation.
Preparing your business for Law 25 helps you stay in line with its regulations, avoid non-compliance penalties, and prepare for potential future data privacy reforms across Canada and the world.
What is Law 25?
Enforced by Quebec’s Commission for Access to Information (CAI), Law 25 updates and modernizes provincial regulations on how companies can handle the personal information they collect from third parties.
It does so by evolving the legal framework of data protection, expanding the privacy rights of a business’s users, and adding new obligations for organizations to follow regarding personal data. Law 25 changes two pieces of Quebec’s provincial and federal privacy regulations: The Public Sector Act and The Private Sector Act for public and private organizations, respectively.
Law 25 received its original name, “Bill 64,” from the text of its original proposal to the National Assembly of Quebec on June 12th, 2020. The document passed assembly and parliamentary consultation in September of that year. The Lieutenant-Governor approved the bill on September 22nd, 2021, when it officially became law.
Why should I care?
Even if your business operates outside of Quebec, you will still feel the impact of Law 25 for two reasons.
Law 25 applies to any organization outside of Quebec’s borders as long as it works with clients, suppliers, or partners within Quebec. The same pattern occurred with GDPR, as its global impact forced companies everywhere to adopt new privacy policies to stay in line with it.
Law 25, reflecting the general direction of data regulations worldwide, is also only a part of new legal privacy regulations in Canada. It will cause a domino effect where neighboring provinces will follow suit, and even federal reform is not unlikely.
What Are the Penalties for Non-Compliance?
Implementation of Law 25 regulations will roll out over the next 3 years. Companies must begin to make changes now to stay up to date and avoid significant penalties.
According to the CAI, the penalties of Law 25 are significant, ranging from $15,000 to $25,000,000 for the private sector or the equivalent of 4% of the company’s global turnover in the previous fiscal year. Clients can even bring claims against companies for statutory damages due to data breaches or unlawful use of personal information.
How Far Does Law 25’s Coverage Extend?
Companies globally will feel the ripple effects of Law 25, but the legislation itself impacts Canadian businesses specifically.
What Does Law 25 Cover?
In terms of what it covers, the Privacy Legislation Modernization Act defines personal information the same way The Private Sector Act does: “any information which relates to a natural person and allows that person to be identified.” That information can take written, graphic, or digitized forms. The extent also covers information “relating to other persons which a person collects, holds, uses or communicates to third persons in the course of carrying on an enterprise.”
Who Does Law 25 Protect?
Everyone within Quebec receives the coverage, as well as anybody outside provincial borders who interacts with a Quebec-based service provider.
And all organizations, whether private, public, large, or small, must comply as long as they collect and process the personal information of any clients or partners.
How Does Law 25 Safeguard Data Privacy?
Confidentiality rights and online privacy were previously only a matter of practice, but Law 25 makes them the default. So, for instance, if your company website contains tracking tools, you must first obtain express consent from your users rather than use an opt-out model as you could before. Other changes include:
- Usage transparency: Businesses must divulge how they collect personal information and the intended purposes. If third parties are involved, the company must describe which ones the information goes to and whether the information ever leaves Quebec.
- User consent: Clear, express consent is mandatory, especially for sensitive personal information like medical data or biometrics.
- Right to request extra information: Users have the right to know how long the business keeps their personal information and who is responsible for protecting or accessing the data internally. If the information goes through automated processing, they can ask to know of any decisions the business makes as a result.
- Right to deletion: Users can ask companies at any point to stop distributing their personal information and even ask for Internet links to become de-indexed in some cases.
- Right to request a record: Users can request a digital copy of all the personal information a company has on them.
Businesses must respond to these changes with proper practices and policies to protect personal information, giving their users more control over personal data and enhancing rules regarding consent.
How Do I Comply with Law 25?
The first priority is to designate a privacy officer responsible for ensuring data regulation compliance. Notify the CAI of your decision and add the person’s contact information to your website for reference.
Form a breach reporting protocol in the event of a data security incident. Businesses must immediately inform affected clients, partners, and other affected organizations, alongside the CAI. Other steps to prepare for Law 25 include:
- Performing a Privacy Impact Assessment (PIA): A PIA is a meticulous review of how well your organization protects the personal information you collect for regular operations. It’s a mandatory process for Law 25 compliance, especially when creating or maintaining digital systems involving private data.
- Refining your approach to data disposal: Companies must also have a system for destroying or anonymizing personal data once they have fulfilled the purposes of collection. Keep in mind that users have the right to demand the removal of personal data and might request a digital copy of all collected personal information.
Build your strategy around the type of personal information you collect. For instance, the B2B industry relies heavily on cold calling. How you obtain another business’s contact information must be compliant, especially if you exchange it through a third party.
How Does Law 25 Compare to Other International Privacy Regulations?
Law 25 closely resembles other recent developments in international privacy regulation, namely the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). The primary differences are:
- Scope: The CCPA is the narrowest in scope, applying only to those in California. Law 25 and the GDPR have broader protections that don’t have residency requirements.
- Privacy by default: Law 25 considers privacy a default, so your clients or partners must opt-in to data collection. GDPR instead goes for a “privacy by design” approach, and CCPA focuses primarily on remediation after a breach.
- Defining consent: What sets Law 25 apart from the others is its stringent definition of consent, especially compared to GDPR, which allows companies to justify using personal information for compliance or public interest purposes.
- Risk assessments: The CCPA text does not cover impact assessments. While GDPR and Law 25 do, GDPR only requires assessments in high-risk situations. Law 25 is broader and demands assessment regardless of the projected risk level.
Ensure Compliance with Bill 25 by Partnering with Indigo Consulting
High-profile privacy regulations around the world like Law 25 are heavily impacting the corporate landscape in all industries. A significant push from customers and businesses demands that organizations keep the sensitive data of their clients, vendors, and partners more secure.
Organizations looking to update their cybersecurity and privacy governance for modern and upcoming privacy regulations must start as soon as possible. Bring best practices like a robust GRC program and Identity and Access Management into your workflow to minimize your chances of a breach.
Looking for advice on how to become compliant with Law 25? Get in touch with our team of data privacy experts today to learn more about the steps you need to take to maintain compliance.