Law 25: Québec’s second wave of new privacy amendments is here

Québec’s privacy landscape is undergoing significant changes, following the coming into force of Law 25, which modernizes the “Act respecting the protection of personal information in the private sector”.

Building on our previous insights on the amendments that took effect last year, we now look at the new changes coming into force on September 22, 2023.

Heavy administrative penalties and fines for non-compliance

Among the more notable changes is the newfound authority granted to the Commission d’accès à l’information (CAI)—Québec’s privacy regulator—to impose penalties on organizations for non-compliance, in alignment with the European Union’s GDPR.

These substantial penalties can reach up to $50,000 for individuals and $10,000,000 or 2% of the global turnover for the preceding fiscal year for other legal entities, whichever is greater. 

Instances of non-compliance such as the following can result in an offence punishable upon prosecution: 

• Unlawful use of personal information
• Failure to report confidentiality incidents
• Impeding the CAI’s inquiries or inspections 

In these cases, fines can range from $5,000 to $100,000 for individuals and from $15,000 to $25,000,000 or 4% of the worldwide turnover for other legal entities, whichever is greater.

Transparency requirements

Moreover, the amendments coming into force will update the transparency provisions, requiring organizations to provide individuals with certain information regarding their privacy practices. 

Anyone collecting personal information from an individual must inform them in “clear and simple language” of the following:

• The purposes for which the information is being collected
• How the information is being collected
• The rights of access and rectification as provided by law
• The individual’s right to withdraw their consent for the communication or use of their information

 Automated decision-making, identification, localization and profiling technologies

Organizations must let individuals know when they use their personal information to come to a decision solely through automated processing. Upon inquiry, an organization must inform the individual of 
a)    the personal information that was used in the decision;
b)    the main factors and criteria used to make it;
c)    the individual’s right to have any incorrect personal information used corrected.

In addition, the amendments introduce for organizations that collect personal information with technology that includes identification, localization or profiling functions (e.g., cookies used for targeted advertising) the requirement to inform the individuals of
a)    the use of such technology;
b)    the means of activating these functions. 

Consent requirements for minors

There are new requirements regarding the consent of minors. Moving forward, when an organization is required to obtain consent for handling the personal information of a minor under the age of 14, the person with parental authority or the tutor will have to provide it. It will be permitted, however, to collect personal information without an adult’s consent when it is clearly beneficial to the minor.

Destroying and anonymizing data

Organizations must now ensure that personal information is destroyed or anonymized when the purposes for which it was collected or used have been achieved. It is therefore important to assess on a continued basis whether there are legitimate purposes to keep personal information in the systems.

Organizational impact on companies 

Organizations must establish and implement governance policies and practices concerning personal information. Detailed information about these policies and practices must be published for public consultation. They must address frameworks for storing and destroying personal information, define roles and responsibilities for staff, and provide for the creation of a complaint management system.

Organizations must also conduct privacy impact assessments for any projects related to acquiring, developing, or overhauling information systems or electronic service delivery systems handling personal information. A similar assessment is now required when transferring personal information outside of Québec. 

Right to be forgotten

Québec is the first jurisdiction in Canada to grant individuals a “right to be forgotten.” They can request that an organization or a person cease disseminating information or de-index any hyperlink attached to their name. 

Final takeaways

The changes coming into force on September 22, 2023 will significantly impact the operational side of businesses, requiring them to establish policies for personal information collection and to conduct privacy impact assessments from the moment that the information leaves the province. We will continue to monitor closely how the CAI will exercise its powers in awarding administrative penalties for non-compliance.

Download memory aid

We encourage you to contact our Cyber Security and Data Protection Group for any inquiries about how these changes may impact your business.