What is Quebec’s Law 25? – A Detailed Guide on Compliance

Quebec’s Law 25 represents a significant advancement in privacy regulation, establishing a new and more rigorous framework for the management of personal information and the obligations of businesses.

The Act to Modernize Legislative Provisions Regarding the Protection of Personal Information establishes important regulations for organizations. It requires them to obtain explicit and clear consent from individuals before handling their personal information.

Additionally, it mandates strict security standards for handling this data and requires the appointment of a privacy officer to oversee compliance and ensure proper monitoring of personal information.

It provides greater transparency, accountability, and consumer confidence in a world where privacy is becoming increasingly important.

Whether your company does business in Quebec or serves Quebec residents, understanding Law 25 matters both for compliance and for maintaining a good reputation.

Background of Quebec’s Law 25

Quebec has been a pioneer of privacy legislation in Canada. It was the first province to pass laws securing personal information. Its first privacy legislation, the Act Respecting the Protection of Personal Information in the Private Sector, was passed in 1994.

Yet technological change and the emergence of data-intensive industries left loopholes in the legislation over time. Companies increasingly collect, process, and transfer personal data in ways the original act could not adequately regulate.

This led to the conclusion that Quebec’s privacy system required an entire overhaul to better manage contemporary data governance issues.

How Law 25 Replaces the Act Respecting the Protection of Personal Information

Quebec introduced Law 25 to update its strategy. Officially titled the Act to Modernize Legislative Provisions Regarding the Protection of Personal Information, the new law supersedes and considerably tightens the provisions of the original act.

It includes tighter requirements for consent, data protection, and individual rights, including the right to access, correct, and erase their personal information.

The law also requires organizations to have a privacy officer, perform privacy impact assessments, and inform authorities and impacted people in case of data breaches.

These steps are designed to align Quebec’s regulatory system with the imperatives of the digital era, making it more accountable and protective of people.

Alignment with Other Global Privacy Policies

Law 25 aligns Quebec with international privacy laws like the European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA). Like the GDPR, Law 25 focuses on transparency, responsibility, and consumer rights.

It also adds elements such as privacy by design and by default, which require organizations to build data protection into their systems and processes from the outset.

Like the CCPA, Law 25 gives individuals greater control over their data, making it easier to request access to or erasure of that data.

This harmonization with global standards fortifies Quebec’s privacy regime and streamlines compliance for international organizations doing business in the province.

Companies that already meet GDPR or CCPA obligations will find much in common with Law 25, allowing them to adapt their current privacy practices to meet Quebec law.

Key Objectives of Law 25

Quebec’s Law 25, officially titled the Act to Modernize Legislative Provisions as Regards the Protection of Personal Information, is designed to address the growing concerns around data privacy and security in the modern digital landscape. The key objectives of the law include:

1. Strengthening Individual Rights

Unlike the previous versions of this law, Law 25 provides individuals with many ways to control their personal information. The newly established right of data portability allows a person to access their data and transfer it between organizations.

Individuals also have the authority to request rectification or deletion of their information, which puts control of the data in their hands.

2. Mandating Transparent Data Practices

In a bid to maintain transparency, the law requires that individuals be told what information is being collected about them, how it will be used, and whether it will be shared.

Businesses must present clearly written terms and policies before collecting data, and must obtain consent so that people understand the purpose behind the processing of their personal data.

3. Enforcing Robust Data Security

Law 25 requires that organizations implement adequate security features to protect private information and strengthen security measures to prevent breaches. 

Organizations must also perform privacy impact reviews and follow privacy-by-design methodologies, which means data protection features are incorporated into the processes.

Data breaches must be reported to the Commission d’accès à l’information (CAI), and the affected individuals or third parties notified, as soon as possible.

4. Appointing Privacy Officers

As per Law 25, each organization is obliged to appoint a privacy officer who ensures compliance with the relevant regulations.

This role involves applying and managing privacy policies, ensuring compliance, and liaising for privacy-related inquiries or concerns.

5. Promoting Accountability

Under Law 25, organizations are made responsible for the personal data in their custody. They must document their data processing activities and perform both internal and regulatory compliance audits.

Failure to comply will attract substantial financial penalties, so compliance with the law is crucial.

6. Aligning with Global Standards

The law aims to bring Quebec’s privacy legislation in line with international frameworks, particularly the GDPR and CCPA.

This guarantees that Quebec residents will enjoy the same privacy protections as those in other regions with sophisticated data protection laws, which boosts consistency and reduces the burden of compliance for multinational companies.

To achieve these goals, Law 25 creates a solid privacy framework that builds trust, accountability, and data protection in Quebec, Canada.

Who Does Quebec’s Law 25 Apply To?

Law 25 applies to organizations of all sizes, such as companies and small and medium-sized enterprises that sell goods or offer services in Quebec. It also applies to organizations with Quebec residents as their target market, regardless of their physical location.

The law’s application covers personal information handled by professional orders under the Professional Code (chapter C-26).

Some kinds of data, though, are excluded from the law. They include information collected for journalistic, historical, or genealogical purposes in the legitimate public interest.

In addition, Law 25 does not cover public bodies or any data kept on their behalf by third parties.

Rights Granted to Individuals Under Quebec’s Law 25

Quebec Law 25 dramatically improves the rights of a person over his or her personal information. Such rights give people more control, transparency, and security for their data. The most important rights conferred are:

1. Right to Access Personal Information

People have the right to ask for access to their personal information held by an organization. They can ask how their information is used, why it was collected, and to whom it was disclosed. 

2. Right to Data Rectification

People can ask to correct personal information that is outdated, incomplete, or wrong. This helps businesses keep accurate and relevant information and reduces the harm that inaccurate information can cause.

3. Right to Data Portability

Law 25 also establishes the right to data portability. Individuals can ask for a copy of their data in a structured and widely used electronic format, which makes it easy for them to transfer their data to another organization.

4. Right to Withdraw Consent

Individuals are entitled to withdraw consent for collecting, using, or disclosing their personal information at any time. This makes consent dynamic and in line with the individual’s current wishes.

5. Right to Be Forgotten

The law gives people the right to ask for their data to be deleted, sometimes called the “right to be forgotten.” This right is especially applicable when the information is no longer needed for the purpose for which it was initially recorded.

6. Right to Transparency

Organizations need to make their data processing practices clear and understandable and provide information on the purposes of data collection, data retention, and individual rights. This will allow individuals to make informed decisions regarding their data.

7. Right to Notification in Case of a Breach

Individuals must be informed when a data breach poses a risk to their privacy. This notice lets people become aware of the risk and take protective measures.

8. Right to File Complaints

People can complain to the Commission d’accès à l’information (CAI) if they think their rights under Law 25 have been infringed upon. The CAI investigates and enforces the law, holding organizations accountable.

Taken together, these rights give Quebec residents more autonomy and stronger safeguards in the digital age, supporting trust and accountability in how data is handled.

Requirements for Organizations To Follow Under Quebec’s Law 25

Under Quebec’s Law 25, opt-in consent is required before personal information can be collected, used, or disclosed. Organizations must first establish whether the collection or use of the data is necessary, legitimate, essential, and proportionate to the intended purpose.

Quebec’s Law 25: Key Rules

For consent to be effective, it must satisfy the following principles:

  • Clearly Expressed (consent): Individuals must clearly express their intent.
  • Voluntary (Free): Consent must be given freely, ensuring an unpressured choice.
  • Well-Informed (Informed): Individuals must receive all relevant information to fully understand the implications of their consent.
  • Purpose-Specific (Specific): Consent must apply to a specific purpose.
  • Time-Limited (Temporary): Consent remains valid only for the duration necessary to achieve the stated purpose.

Further provisions came into effect on 22 September 2023 and add the following principles:

  • Detailed (Granular): Separate consent must be obtained for each purpose.
  • Communicated (Comprehensible): Information should be plain and comprehensible.
  • Independent (Distinct): Consent must be requested separately, not bundled into another agreement.

Companies need consent from the parent or guardian before they use or disclose the information of children under 14. In the case of children over 14, either the parent/guardian or the child can give consent.

However, organizations may collect information without parental permission if doing so benefits the child.

Fines for Non-Compliance with the Law 25

Breaching personal information laws can result in heavy penalties, depending on the seriousness of the breach and whether it is a repeat breach.

Regulators can fine businesses up to CAD 10 million or 2% of their worldwide revenue, whichever is greater.

Individuals convicted of breaches will face fines ranging from CAD 5,000 to CAD 100,000.

For less severe offenses, the fines rise to CAD 15,000 and CAD 25 million, or 4% of the last fiscal year’s worldwide revenue, whichever is greater.

The CAI may commence proceedings for such violations, and for repeated infringements, fines are doubled.

Steps for Complying with Quebec’s Law 25

Quebec’s Law 25, previously Bill 64, came into force in September 2021 and added a set of regulations to strengthen the safeguarding of personal information.

While it parallels Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Law 25 also includes aspects closely associated with the General Data Protection Regulation (GDPR).

To ensure compliance with this law, organizations must address several key requirements. Below are eight actionable steps to help your business meet Quebec Law 25’s standards.

1. Perform Privacy Impact Assessments (PIAs)

It is easy to infringe on personal privacy by collecting, using, or disclosing personal information without proper attention to the risks involved. A Privacy Impact Assessment addresses this: organizations should identify possible weaknesses and specify a mitigation plan for each.

Use software such as WP Legal Pages to draft detailed privacy policies and terms consistent with the findings of your PIAs.

2. Establish Data Breach Reporting Mechanisms

Data breaches with the potential to inflict serious harm on individuals should be reported pursuant to Law 25.

Documented procedures for notifying the affected individuals or partners, and for notifying the regulator, are preconditions for responding to a breach effectively.

Use the breach notification templates in WP Legal Pages to meet notification obligations promptly.

3. Update Privacy Policies and Notices

Privacy policies and data protection statements must comply with the provisions of Quebec Law 25, explain how personal data is collected, used, processed, and stored, and be readily accessible to the people whose data is concerned.

As regulations change, WP Legal Pages makes it easier to keep privacy policies up to date and to stay actively engaged in the compliance process.

4. Conduct Data Mapping Exercises

Data mapping identifies and categorizes the personal data your organization receives, processes, and retains. Sensitive data deserves particular attention and must be covered by adequate protective measures.

You can streamline privacy-related impact assessments by utilizing effective data mapping to facilitate smooth data-handling processes.

5. Manage Consent

Law 25 introduces additional complexity around consent, including some exemptions. Ensure every process that requires consent is identified and that proof of consent is retained.

WP Cookie Consent manages user consent to cookies and tracking technologies on a website, which both Law 25 and the GDPR require.

6. Evaluate Data Transfer Practices

If your company transfers data across borders, check those transfers for Law 25 compliance. Ensure adequate legal safeguards are in place, such as standard contractual clauses or binding corporate rules.

Make sure to regularly update your data transfer agreements and include these safeguards in your privacy policy.

7. Create a Data Subject Access Request (DSAR) Process

Individuals may access and correct their data under Law 25. Implement an effective system for handling DSARs, including verifying the identity of the requester and responding within a reasonable time.

WP Legal Pages lets you draft a policy that clearly states the DSAR procedure and provides the information users need.

8. Designate a Privacy Officer

Every organization subject to Law 25 must designate a privacy officer responsible for compliance. This person must be well informed about privacy law and liaise with teams across the organization to ensure compliance.

Implementing plugins such as WP Cookie Consent and WP Legal Pages will assist in automating compliance processes, reducing management burden, and ensuring your website complies with the latest privacy requirements.

Comparison with GDPR and CCPA: Key Differences and Similarities

Here’s a detailed table comparing Quebec Law 25, GDPR, and CCPA, highlighting their key differences and similarities:

Scope and Jurisdiction
  • Quebec Law 25: Applies to businesses operating in Quebec that collect, process, or store the personal information of Quebec residents.
  • GDPR: Applies to all organizations operating in the EU or offering goods or services to EU residents, regardless of location.
  • CCPA: Applies to for-profit entities doing business in California that meet specific revenue or data thresholds.

Personal Information Definition
  • Quebec Law 25: Includes any information that allows identification of an individual.
  • GDPR: Broadly includes any information relating to an identifiable natural person.
  • CCPA: Personal information that identifies, relates to, or could reasonably be linked to a consumer or household.

Key Principles
  • Quebec Law 25: Transparency, accountability, data minimization, informed consent, and security safeguards.
  • GDPR: Lawfulness, fairness, transparency, data minimization, purpose limitation, and accountability.
  • CCPA: Data privacy rights, including transparency, control over data use, and data access for California residents.

Consumer Rights
  • Quebec Law 25: Right to access, correct, and delete personal data. New: right to data portability and right to de-indexation.
  • GDPR: Right to access, rectify, erase, and restrict processing; right to data portability and to object to profiling.
  • CCPA: Right to know, delete, and opt out of data sale; right to non-discrimination for exercising rights.

Consent Requirements
  • Quebec Law 25: Requires explicit consent for the collection and use of sensitive information.
  • GDPR: Requires explicit consent in certain situations (e.g., special category data, cross-border transfers).
  • CCPA: Requires opt-in consent only for children under 16; opt-out applies to data sales.

Children’s Data Protection
  • Quebec Law 25: Parents must provide consent for minors under 14 years old.
  • GDPR: Special protections apply to children under 16, with parental consent required for children under 13.
  • CCPA: Businesses must have parental or guardian consent for children under 13; opt-in is required for data sales for 13–16-year-olds.

Data Breach Notification
  • Quebec Law 25: Affected individuals and the privacy authority must be notified without delay.
  • GDPR: Mandatory notification to the supervisory authority within 72 hours of a breach.
  • CCPA: Businesses must notify affected consumers and the California Attorney General in case of a breach.

Data Processors and Controllers
  • Quebec Law 25: Introduces obligations for both data controllers and service providers handling personal data.
  • GDPR: Distinguishes between data controllers (who decide the purpose) and processors (who process data on behalf of controllers).
  • CCPA: Does not explicitly distinguish between controllers and processors, focusing instead on businesses and service providers.

Data Protection Officer (DPO)
  • Quebec Law 25: Requires the appointment of a person responsible for privacy compliance.
  • GDPR: Requires the appointment of a DPO in certain cases, e.g., large-scale data processing.
  • CCPA: No mandatory DPO requirement, but a person responsible for managing privacy is required.

Penalties for Non-Compliance
  • Quebec Law 25: Fines up to $25 million CAD or 4% of annual global revenue.
  • GDPR: Fines up to €20 million or 4% of annual global revenue.
  • CCPA: Fines up to $7,500 per violation, with a private right of action for certain breaches.

Data Transfers
  • Quebec Law 25: Cross-border transfers are allowed if the recipient provides adequate protection and complies with Quebec law.
  • GDPR: Transfers outside the EU are allowed if the recipient ensures adequate data protection (e.g., Standard Contractual Clauses).
  • CCPA: No specific restrictions on international transfers, but businesses must comply with California’s privacy standards.

Focus on Automated Decision-Making
  • Quebec Law 25: Organizations using automated processing that may affect an individual’s rights must inform the individual and explain how their information is used.
  • GDPR: Strongly regulates automated decision-making and profiling, providing the right to explanation.
  • CCPA: Does not explicitly address automated decision-making but focuses on transparency.

This comparison highlights how Quebec Law 25 aligns with GDPR regarding structure and principles but shares the consumer-oriented approach of CCPA in certain areas. Each framework reflects the unique cultural and legal priorities of its jurisdiction.

FAQ 

What is Quebec Bill 64?

Bill 64, now Law 25, is Quebec’s privacy law in Canada. It modernizes and enhances the protection of individuals’ personal information.

What does Quebec Law 25 state regarding automated processing?

Quebec Law 25 governs the automated processing of personal information. If an organization is applying technology to gather, use, or exchange personal information in a manner that may have an effect on an individual’s rights or choices, the organization has to inform the individual and provide details on how their information is applied.

How does Quebec Law 25 deal with cookies?

Organizations that use cookies or similar technologies to identify, track, or profile users must obtain explicit opt-in consent from those users. They are also required to inform users about the cookies being used and provide instructions on how to disable them. Additionally, a clear privacy or cookie policy should be accessible on the website, outlining the organization’s data practices.
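The consent principles listed in the requirements section (free, informed, purpose-specific, time-limited, granular, distinct, withdrawable) and the opt-in rule for cookies in this answer can both be enforced in code. The following consent manager is an added example written for this guide; it is not code from the article or from the WP Cookie Consent plugin it mentions. The purpose names, the cookie names, the one-year validity window and the `cookieSink` hook are constructed assumptions. Non-essential cookies are denied by default, each purpose is decided separately, withdrawal takes effect immediately, consent expires after the validity window, and every decision is kept as a dated record that can serve as proof of consent.

```javascript
// Added example (not from the article or the plugins it mentions): a consent
// manager that gates cookie writes behind explicit, per-purpose opt-in.
// Purpose names, cookie names and the one-year validity window are assumptions.

const ESSENTIAL = 'essential';                        // strictly necessary cookies need no consent
const PURPOSES = new Set(['analytics', 'marketing']); // assumed non-essential purposes
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000;     // assumed: consent valid for one year

function createConsentManager({ now = () => Date.now(), cookieSink = () => {} } = {}) {
  // purpose -> { granted, at }; no entry means no decision yet, which is treated as denied
  const decisions = new Map();

  function checkPurpose(purpose) {
    if (!PURPOSES.has(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  }

  // Record an explicit opt-in for exactly one purpose (granular, not bundled).
  function grant(purpose) {
    checkPurpose(purpose);
    decisions.set(purpose, { granted: true, at: now() });
  }

  // Withdrawal is possible at any time and takes effect immediately.
  function withdraw(purpose) {
    checkPurpose(purpose);
    decisions.set(purpose, { granted: false, at: now() });
  }

  // Consent counts only if it was granted and is still inside its validity window.
  function isAllowed(purpose) {
    if (purpose === ESSENTIAL) return true;
    checkPurpose(purpose);
    const d = decisions.get(purpose);
    return Boolean(d && d.granted && now() - d.at < CONSENT_TTL_MS);
  }

  // Every cookie write names the purpose it serves; without valid consent it is refused.
  function setCookie(name, value, purpose) {
    if (!isAllowed(purpose)) return false;
    cookieSink(`${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`);
    return true;
  }

  // Proof of consent: which purpose, what was decided, and when.
  function exportRecord() {
    return [...decisions].map(([purpose, d]) => ({
      purpose,
      granted: d.granted,
      at: new Date(d.at).toISOString(),
    }));
  }

  return { grant, withdraw, isAllowed, setCookie, exportRecord };
}

// In a browser the sink would be: (c) => { document.cookie = c; }
// Here the default no-op sink keeps the example runnable outside a browser.
```

Wire the manager to the consent banner so that `grant(purpose)` runs only on a user's affirmative click for that purpose, and load analytics or marketing scripts only after `isAllowed(purpose)` returns true; the exported record is what you keep to show that consent was obtained and when.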

Conclusion 

To comply with Quebec’s Law 25, companies must fulfill all the requirements of the law, such as posting a privacy policy that complies with the law, obtaining opt-in consent from consumers where appropriate, performing privacy impact assessments where needed, and having a Data Protection Officer (DPO).

Moreover, companies need to respect contractual commitments to third-party providers who handle user data and allow users to enforce their privacy rights effectively.

With the WP Legal Pages privacy policy builder, you can comply more easily with legislation such as Quebec’s Law 25. It’s a cost-effective means of producing a professional, legally compliant policy and positioning your company for success.

If you found this article helpful, feel free to check out our other published articles for further insights and information.