Have you heard of Quebec’s Law 25, the Privacy Law? In a nutshell, it was designed to increase personal data protection for Quebec-based customers. Businesses operating in Quebec must now be more transparent about how they collect, use, and share personal data. Many of the provisions came into effect in 2023, and others are being phased in until September 2024.

While this is certainly positive, it does translate to more rules and regulations for entrepreneurs:

1. Data breach transparency
Under Law 25, businesses must notify the Commission d’accès à l’information du Québec, as well as any affected individuals, of any data breach as soon as possible after the incident. Businesses must also keep a record of all security incidents.

2. A designated privacy officer
Businesses must designate a privacy officer responsible for Law 25 compliance. Although Law 25 defaults this responsibility to the most senior employee, such as the CEO, any employee can be chosen. In that case, their name, title, and contact information must be published on the business’s website.

3. Privacy Impact Assessments (PIA)
When acquiring, developing, or overhauling an information system or electronic service delivery system which entails the collection, use, release, storing, or destruction of personal data, businesses must conduct a Privacy Impact Assessment (PIA).

4. Privacy notices
When using technology to collect, identify, locate, or profile individuals, or when using personal data to render decisions solely via automated processing, businesses must disclose to those individuals how their data is being used, inform them of their right to rectify their information and their right to be forgotten, and provide an opt-in mechanism for the collection of personal information.

5. Subject rights
Subject rights under Law 25 resemble those found under the EU General Data Protection Regulation (GDPR).

Quebec subject rights now include rights to:

  • Be informed
  • Access
  • Rectification
  • Erasure
  • Withdraw consent
  • Restrict processing
  • Data portability

Additionally, privacy officers are expected to respond to such requests within 30 days.

6. Enhanced consent
Individuals’ consent, or the consent of a parental authority or tutor for minors under 14, is now required prior to the collection, use, or distribution of personal data. In cases concerning sensitive personal information, explicit consent is required.

While Law 25 introduces additional compliance requirements, it is an opportunity to enhance your reputation and build stronger relationships with your customers by committing to protect their data. If you have questions on how to navigate the legal nuances, we have a legal clinic open to all YES members; make an appointment at info@yesmontreal.ca!

*This article does not constitute legal advice.