Protection of personal data in Québec

September 21, 2022 | &CO

Following the privacy protection standards introduced by the European Union’s General Data Protection Regulation (GDPR), Act 25 (Loi sur la modernisation de la législation en matière de protection de la vie privée [An act to modernize privacy legislation]) was unanimously adopted by the National Assembly of Québec on September 21, 2021.

This new framework is something of a revolution, radically changing how privacy and personal data are protected in Québec. And the countdown to these major changes has already started for Québec businesses.

Our &CO teams created this guide to explain everything you need to know about Act 25.

I. What is Act 25?

This act modernizes Québec’s legislation on the protection of personal data. It introduces a series of changes to the existing legal framework, granting individuals substantial data protection rights and increasing the obligations of public and private organizations that handle their personal information.

Act 25 is a general update to this framework, especially with regard to access to documents held by public organizations and the act governing the protection of personal information in the private sector.

It will come into force in phases over the next three years. Although the transition period alleviates some pressure, businesses should adapt their practices now.

There are many changes on the horizon, and implementing them will require significant time and resources. Serious penalties will be imposed for non-compliance.

II. Who does this affect?

At first glance, you could easily assume that the new legal provision wouldn’t be relevant to companies outside of Québec. In reality, however, this act will have an impact well beyond the province.

In accordance with international data protection laws and a well-established case law under the auspices of the Commission d’accès à l’information (CAI), Act 25 will be of general application, including to all organizations based outside the province with customers who use their products or services in Québec.

In practice, this means that a single visitor to an international website from inside the province will bring the provider under its jurisdiction.

III. What does the act cover?

Act 25 updates the existing legal framework for the protection of personal information in Québec. It encompasses both the public and private sectors, but mainly concerns private companies.

The legislation applies to all personal information, regardless of the form it takes (including but not limited to written, graphic, saved, filmed and computerized information).

IV. How are consumers protected?

Unless otherwise indicated, the following consumer rights will enter into force on September 22, 2023.

  1. Right to privacy by default

    Act 25 reverses the previously de facto position on online privacy, now granting consumers the automatic right to keep their personal information confidential. In practice, this means that, for example, any profiling or tracking technology must be deactivated on company websites unless explicit consent is given, and not the opposite.

  2. Transparency

    Consumers will have the right to more transparency when their personal information is collected by private companies. The new rules stipulate the following:

    Basic right of access: At the time when any personal information is collected, companies must now inform the concerned individuals of:

    • Why the information is being collected
    • How the information is collected
    • The consumer’s right to access this information and correct it if necessary
    • The consumer’s right to withdraw their consent to have this information collected

    Third parties: If an individual’s personal information is used by a third party, companies must now also inform these individuals of the following:

    • The name of any third party for whom the information is collected
    • The names of all third parties to whom this information may be transmitted
    • The fact that this information may be disseminated outside of Québec

    Automated processing: If a company uses automated processes to make any decision concerning an individual, it must inform the individual of the following:

    • When this decision was made
    • Their right to access and correct the personal information used to make this decision
    • Their right to obtain information on how the decision was made
    • Their right to have the decision reviewed
    • Their right to provide additional information, when required, as part of an appeal

    The right to request additional information: If they choose to ask, consumers now also have the right to receive the following information:

    • The details of the information collected
    • The categories of persons within the organization with access to this information
    • The period during which this information will be kept
    • The contact information of the person responsible for protecting this information

  3. Consent

    The new framework introduces a series of new rules governing the way consumers consent to the use of their personal information. The most important provisions are the following:

    Requests for consent: Companies are already required to ask for free and informed consent to collect and use personal information. However, Act 25 strengthens this obligation, stipulating that requests for consent must be formulated in plain language. It also adds that these requests must be set apart—in other words, they can’t be buried in the small print!

    Sensitive information: Consumers must now give their explicit consent for the use of “sensitive” personal information for any purpose other than the one for which it was originally collected. Sensitive information includes medical, biometric and otherwise intimate details that give rise to a reasonable expectation of privacy.

    Minors: Companies may not collect any personal information on children under 14 years old without their parents’ consent. The only exception is when the collected information provides the child with an obvious advantage (such as in an emergency situation).

    Biometrics: Companies will no longer be permitted to verify the identity of an individual using biometrics without their explicit consent.

    Exceptions: Act 25 introduces some limited exceptions where the presumption of consent does not apply. Organizations can now use personal information without the individual’s consent if required to detect or prevent fraud, or if this use is necessary to provide a product or service explicitly requested by the individual.

  4. Right to erasure

    Starting from September 22, 2023, and in the spirit of the GDPR’s “right to be forgotten,” consumers will now have the right to ask companies to stop disseminating their personal information. In any case where this dissemination may cause them harm (or contravenes a court decision), they will also have the right to have all web links associated with their name deindexed.

  5. Right to portability

    This is the last provision to come into effect, and will do so on September 22, 2024. Individuals will be given the right to receive a digital copy (in a commonly used format) of all personal information collected from them by a given organization.

V. What are the penalties for non-compliance with the Act?

Act 25 has stricter regulations than the previous legislation. It sets out a two-tier monetary penalty model and a right of action in civil court. The power to enforce monetary penalties lies with the CAI.

  1. Monetary penalties

    The maximum penalty for individuals who commit criminal offences under Act 25 is $100,000. For private sector companies, fines for criminal offences may be higher than:

    • An amount between CAN$15,000 and CAN$25,000,000 or
    • An amount equal to 4% of the organization’s global revenue for the previous fiscal year

  2. Right of action

    The Act also creates a new private right of action, allowing individuals to seek statutory damages from companies for specific breaches.

    Actionable breaches include but are not limited to: unlawful use of personal information, failure to provide adequate privacy notices and failure to inform the parties concerned of automated decisions and privacy breaches.

VI. How to comply with Act 25

While the Act includes many reforms, some of the provisions’ principles have already been either fully or partially set forth in other legislation, like the Personal Information Protection and Electronic Documents Act (PIPEDA), or have become standard practice in recent years.

Nevertheless, the current systems will likely need to be completely overhauled to comply with the majority of the entirely new provisions. Phased deployment breaks up this process.

At the very least, organizations should expect to tick the following boxes according to the designated timeframe:

Before September 22, 2022

Designate a privacy officer: Decide who will be in charge of ensuring that your organization complies with the Act. By default, the CEO assumes this responsibility, but any appropriate employee can take on this role. Their title and contact details must be posted on your website, and the CAI must be informed.

Mandatory reporting of breaches: Your organization must notify the CAI and anyone affected of any data breach involving personal information that poses a risk of significant harm. You must also keep a record of all breaches. Most organizations should already have these measures in place under the current legislation, but this is a good time to ensure your systems are in compliance.

Biometrics: From this date, your company must disclose to the CAI whether you use or intend to use biometric databases at least 60 days before deploying your system.

By September 22, 2023

Privacy policy: By this date, you should have a comprehensive privacy policy on your website. It should detail your data protection policies and practices in clear, simple language, and provide enough information to users to meet transparency obligations (e.g., how personal data will be managed, breach notifications, consent, access requests and automated decision making).

Mandatory Privacy Impact Assessments (PIA): It is now mandatory to conduct a PIA when transmitting any personal information outside of Québec, when creating or acquiring any digital system that involves personal data, or before disclosing personal information without consent for research purposes. You will need to institute guidelines that dictate how this obligation will be handled and include clear reporting procedures for your employees.

Establish consent and transparency systems: Your organization should have already comprehensively reviewed its existing methods of collecting, storing and sharing user information well before this date. You must now update these methods to meet the new consumer rights framework and take particular care to:

  • Disable any data collection technology on your website by default, without requiring users to confirm this action. Alternatively, you can offer them an explicit opt-in option. This excludes the use of cookies.
  • Update your consent and information systems access forms. If requested, make sure you are able to provide details on the categories of persons within your organization who have access to a customer’s personal information, and provide your privacy officer’s contact information.
  • Identify all jurisdictions where your organization may conduct cross-border data transfers and carry out a PIA for these locations.
  • Ensure that procedures are in place to handle the exception for the grieving process. You can pass on personal information about a deceased person to their spouse or relatives, but only if it is likely to help them grieve, and only if the deceased did not refuse this access during their lifetime.
  • Make sure your organization no longer gathers personal information on children younger than 14 without their parents’ consent.
  • Make sure that your privacy policy explains your organization’s automated decision-making processes, including access to information and calls.

Anonymization: You must have a system to either destroy personal data once it has fulfilled its original purpose, or to anonymize it if necessary. If you launch or update your anonymization system, it must meet the strict criterion that a given individual can no longer be identified directly or indirectly.

The right to erasure: Evaluating requests to suppress personal information can prove complex. Make sure you have guidelines in place to adequately consider and respond to these requests (the Act sets out which factors to take into account).

By September 22, 2024

Facilitate the right to data portability: Make sure you have adequate technology and training to produce a digital copy of all of a given person’s personal information if they request it.

&CO will help you with your privacy needs

One thing is for sure: brands that prioritize their customers’ privacy have a significant competitive advantage, especially as we head toward a cookie-free future. Our experts will help you define your consent management strategy and draw up a comprehensive plan to ensure your data complies with the new legislation.
