Quebec’s Data Privacy Law 25: What is it and how to comply with it

Author: Thierry Julien, CEO of TJC Group | Co-author: Laura Parri Royo, Marketing Director

Quebec, Canada’s federal region, became the latest region to introduce strict data privacy regulations In September 2021, with the enforcement of the Law 25 (“Loi sur la protection des renseignements personnels dans le secteur privé). The Law 25 is preceded by the Bill 64, which was originally passed by the National Assembly on September 21, 2021. The Law 25 extends its influence beyond provincial borders, affecting businesses in Quebec, but also those across Canada that interact with Quebec residents.

1. Quebec’s track record for data privacy control

In Quebec, Canada’s federal region, respect for privacy is governed by a number of laws, both provincial and federal, to protect the use of individuals’ personal information. These laws rule the collection, use and disclosure of personal information by organisations in the private and public sectors.

The Quebec region already has a longstanding commitment to protect personal information, with a robust legal framework in place that includes strict data privacy laws. These include the existing Personal Information Protection and Electronic Documents Act (PIPEDA) – LPRPDE acronym in French – that applies at federal level. However, the Canadian regulators believed that due to the rapid evolution of technology and increasing data privacy concerns, there was a clear need for tighter regulations, which culminated in the development of Law 25, the Act of Respecting the Protection of Personal Information in the Private Sector.

Loi 25 – Text in French

Law 25 – Text in English

2. Implementation of the Law 25

The implementation of the Law 25 adopted a phased approach, each phase adding up new requirements and responsibilities:

• Phase 1 – 22 September 2022: Designation of a person responsible for privacy protection, mandatory reporting of breaches, disclosure of biometric data.

• Phase 2 – 22 September 2023: Privacy policy, mandatory privacy impact assessments (PIAs), transparency and consent systems, anonymisation, right to erasure.

• Phase 3 – 22 September 2024: Right to portability.

In launching these regulations, Quebec brings into force robust regulations that share the stringency of the EU’s GDPR, whilst offering some new and unique elements.

3. What makes Law 25 special? 10 key features for
businesses to understand

The Canadian authorities have clearly reviewed existing privacy legislation in place, for example the GDPR, and have taken many of its features into consideration when developing Law 25. In addition, they have gone further, and incorporated other elements to make the rules even more enforceable.

Here are ten of Law 25’s key features:

• Phased roll out. Law 25 is being rolled out in three phases over three years. Having observed the impact of GDPR in Europe, the aim is to allow businesses the time to adapt to the new requirements. Rather than introduce a blanket change, the Quebec authorities are seeking to enable organisations to prioritise and implement the required changes more systematically.
• Breadth of scope. Law 25 is wide-reaching and its impact extends beyond the Quebec region, to affect any entity or individual that conducts business with Quebec based residents.
• Top-down accountability. Whereas GDPR places ultimate responsibility for compliance with the data processor, Law 25 reverses this emphasis. Once fully implemented it will be the CEO or person with the highest authority in an organisation that is ultimately responsible for compliance. This makes it a much fairer regulation and it emphasises how important data privacy is in the eyes of Quebec’s policy makers.  In addition, all organisations are required to have appointed a person responsible for privacy protection. This role includes ensuring compliance with the new law and managing privacy-related matters.
• Stringent consent requirements. Law 25 brings into effect very strict rules for consent. This law includes a requirement for separate requests for consent to be made by companies, using clear language and with special provisions in place for sensitive information, minors and people with additional needs.
• High penalty fines. In keeping with the penalty fines being levied for GDPR non-compliance, Law 25 is equally punitive. High fines will be imposed on violators, with the scale of penalties set to reach up to C$25 million or 4% of worldwide turnover for the preceding fiscal year, whichever is the greater figure. In spite of this limit, it may be possible for even greater fines to be imposed depending on the extent of violation committed.The stringent enforcement by the Commission d’accès à l’information highlights the seriousness of adhering to these regulations.
• Enhanced privacy rights for individuals. Recognising the rights of private individuals to privacy on their own terns, Law 25 allows Quebec residents the right to ‘data portability’ and the right to be informed about the automated processing of their personal information. Individuals are granted the right to request the deletion of their data, and businesses must anonymise personal data once its intended purpose is fulfilled. Effective September 22, 2024, individuals will have the right to obtain and reuse their personal data across different services, promoting greater control over personal information.
• Mandatory breach reporting. Law 25 ensures that data breaches cannot be concealed and organisations operating in Quebec will be required to report any data breaches that present a “risk of serious injury” to both the authorities and affected individuals.
• Privacy Impact Assessment (PIA) requirement. Law 25 goes beyond GDPR to require organisations affected to conduct a PIA before they can implement new technologies or transfer any personal data outside Quebec. This ensures proactive identification and mitigation of privacy risks.
• Biometric data protection. Biometric data is especially sensitive to data breaches and Law 25 acknowledges this with a specific requirement for organisations to pre-notify authorities whenever they are handling biometric information, including the creation of new biometric information databases.
• Emphasis on transparency. Law 25 requires that every affected organisation in Quebec publishes clear privacy policies and should provide regulators with detailed information about all its data collection and data usage practices.

4. Implications of Law 25 for Data Management in SAP systems

Law 25 requires that once the primary data function has been fulfilled and the objective for collecting the data achieved, the data must be destroyed or anonymised. Herein lies the compliance challenge, because many organisations using SAP have no internal mechanism for cleansing their data in this way, allowing it to persist indefinitely. This practice must now be corrected.

The enforcement of Law 25 lies with the Commission d’accès à l’information du Québec (CAI), which demonstrates how seriously the Canadian government is taking compliance with Law 25 and highlights the urgency of developing an automated and continuously evolving framework for data lifecycle management.

You might also be interested in this article about how to minimise non-compliance risks in SAP systems

4.1 What are the penalties for non-compliance?

As already mentioned, Law 25 introduces new financial penalties for non-compliance with privacy protection regulations. Private companies that fail to comply with this law face fines ranging from C$15,000 to C$25,000,000, or 4% of their total turnover for the previous fiscal year, whichever is greater.

Although the speed with which these penalties will be applied remains uncertain, if we draw a parallel with other Canadian laws such as the Canada Anti-Spam Act (CASL), it is clear that offenders will indeed be punished.

4.2 Data anonymisation and data deletion

One way to ensure compliance with Law 25 is implement a data anonymisation and data deletion project. Since September 2023, The anonymisation of personal information has been accepted as a way to comply with Law 25, offering an alternative to data destruction. However, certain rules and procedures must be followed in accordance with recognised best practices determined by Quebec’ government. Read the guidelines to keep or destruct personal information carefully or get in touch with us if you need help decrypting them.

Whereas data deletion is as described and involves the permanent destruction of data, data anonymisation involves using a set of irreversible techniques to make it impossible to identify person or data record by any means. Once data has been anonymised, it can be kept for an unlimited period of time.

Prior to deleting or anonymising data, it is essential to identify what information needs to be kept according to its relevance and what elements of the data need to be anonymised.

What data is really needed? For instance, a record could be anonymised for Date of Birth and Name, but transactional behaviour useful for commercial planning could be retained. This is because anonymous information is not regarded as personal data and data protection laws like Law 25 does not apply.

4.3 Data Management practices for robust compliance

Quebec’s Law 25 marks a pivotal advancement in data privacy, reflecting the growing emphasis on protecting personal information in today’s digital age. For businesses using SAP, it underscores the necessity of rigorous data management practices and compliance with enhanced privacy standards. As the law continues to unfold, its impact on privacy protection will be profound, fostering greater trust and security in the digital landscape.

Compliance with Law 25 can be complex; consequently, companies also have to implement an ongoing information lifecycle management programme. If you would like advice on how to proceed, speak to TJC Group we are experts in SAP data management for privacy compliance.

As mentioned previously, PIPEDA is Canada’s main law to protect individuals’ personal information in the private sector and establishes the rules to collect, use and disclose such information. Its application encompasses federal organisations and private sector companies in their interprovincial international activities.

  
5. A word about PIPEDA, Canada’s federal data privacy law

As mentioned previously, PIPEDA is Canada’s main law to protect individuals’ personal information in the private sector and establishes the rules to collect, use and disclose such information. Its application encompasses federal organisations and private sector companies in their interprovincial international activities.

The law is based on 10 fair principles that businesses must follow to guarantee personal information is duly protected. The Office of the Privacy Commissioner in Canada offers a useful overview of these 10 principles. Check this article: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/

  
6. Additional regulations to protect consumer data in Canada

PIPEDA sets the national standards for privacy practices in the private sector in Canada. Beyond that, a few provinces have passed their own provincial privacy, which are similar to PIPEDA but introduce some nuances and changes in several directions. In many circumstances, the provincial law applies instead of the federal law. Determining which law applies must be done on a case-by-case basis.

These are the provincial data privacy laws in Canada, which are considered equivalent to PIPEDA in terms of protecting personal data.

• Québec: Loi sur la protection des renseignements personnels dans le secteur privé (loi 25), which we are already familiar with.  https://laws-lois.justice.gc.ca/PDF/P-8.6.pdf.
• British Columbia: Personal Information Protection Act (S.B.C., 2003, c. P-63) (‘BC PIPA’);
• Alberta: Personal Information Protection Act (SA, 2003, c. P-6.5) (‘AB PIPA’);

  
7. Final say

Across all aspects of life, data privacy compliance is a critical issue for businesses to navigate. Its rise to political and social prominence is due to numerous factors. Data is incredibly valuable and is being collected continuously on an unprecedented scale.

Law 25 modernises the rules protecting personal information in Quebec so that they are better adapted to the new challenges posed by today’s digital and technological environment. It has clearly set a turning point for data privacy laws and shows the strong commitment of Quebec’s government to better protect the use of individuals’ personal information.

  
8. Additional resources

If you would like to go deeper, the below resources offer further information on Canada’s data privacy laws, as well as data protection practices such as anonymisation and pseudonymisation:

• Legis Québec. Gouvernement du Québec. Link : https://www.legisquebec.gouv.qc.ca/en/
• Commission d’accès à l’information du Québec. Principaux changements aux lois sur la protection des renseignements personnelS. Link https://www.cai.gouv.qc.ca/protection-renseignements-personnels/sujets-et-domaines-dinteret/principaux-changements-loi-25
• Office of the Privacy Commissioner in Canada. PIPEDA requirements in brief. https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/#business
• Information Commissioner’s Office. Introduction to anonymisation https://ico.org.uk/media/about-the-ico/consultations/2619862/anonymisation-intro-and-first-chapter.pdf
• Data Protection Commission Ireland. Anonymisation and pseudonymisation. Link: https://www.dataprotection.ie/en/dpc-guidance/anonymisation-pseudonymisation
• Agencia Española de Protección de Datos. Misunderstanding related to anonymisation. Link: https://www.edps.europa.eu/system/files/2021-04/21-04-27_aepd-edps_anonymisation_en_5.pdf
• CanLII, l’Institut canadien d’information juridique. Loi sur la protection des renseignements personnels dans le secteur privé, RLRQ c P-39.1. Link : https://www.canlii.org/fr/qc/legis/lois/rlrq-c-p-39.1/derniere/rlrq-c-p-39.1.html
• One Trust Data Guidance. Comparison between GDPR and PIPEDA. Link to PDR: gdpr_v_pipeda.pdf (dataguidance.com)

Sources of information: [TJ1] 

• Legis Québec. LOI SUR LA PROTECTION DES RENSEIGNEMENTS PERSONNELS DANS LE SECTEUR PRIVÉ. Link:  https://www.legisquebec.gouv.qc.ca/fr/document/lc/P-39.1
• Justice Laws Website. Government of Canada. Personal Information Protection and Electronic Documents Act (PIPEDA). Link: https://laws-lois.justice.gc.ca/eng/acts/p-8.6/
• Gouvernement du Québec. Loi 25 – Nouvelles dispositions protégeant la vie privée des Québécois – Certaines dispositions entrent en vigueur aujourd’hui. Link:https://www.quebec.ca/nouvelles/actualites/details/loi-25-nouvelles-dispositions-protegeant-la-vie-privee-des-quebecois-certaines-dispositions-entrent-en-vigueur-aujourdhui-43212
• Commission d’accès à l’information du Québec. Main changes to privacy legislation. Link : https://www.cai.gouv.qc.ca/protection-renseignements-personnels/sujets-et-domaines-dinteret/principaux-changements-loi-25
• Commission d’accès à l’information du Québec. Retention and destruction of personal information. Link:https://cai.gouv.qc.ca/protection-renseignements-personnels/information-entreprises-privees/conservation-destruction-renseignements-personnels#anonymisation

• Government of British Columbia: Personal Information Protection Act (S.B.C., 2003, c. P-63) (‘BC PIPA’);
• Government of Alberta: Personal Information Protection Act (SA, 2003, c. P-6.5) (‘AB PIPA’); and
• Gouvernement du Québec: Loi sur la protection des renseignements personnels dans le secteur privé (loi 25), which we are already familiar with.  https://laws-lois.justice.gc.ca/PDF/P-8.6.pdf
• One Trust. Quebec’s Law 25: What is it and what do you need to know? Link: https://www.onetrust.com/blog/quebecs-law-25-what-is-it-and-what-do-you-need-to-know/#:~:text=Law%2025%20requires%20businesses%20to,solely%20based%20on%20automated%20processing