Quebec’s Law 25: Data Protection and Privacy Act Overview

1. Introduction

Data protection laws have taken center stage in several countries around the world. Governments are responding to the renewed need to secure their citizens' data. At the same time, users themselves now expect the organizations collecting their data to be proactive in protecting any collected data.

Enacted in 1994, the Act Respecting the Protection of Personal Information in the Private Sector (colloquially known as ‘Quebec Private Privacy Act’) is one of the three provincial data privacy laws in Canada that are substantially similar to the federal data privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA); other two provinces with similar legislations are Alberta and British Columbia. The Quebec Private Privacy Act regulates the collection, use, and disclosure of personal information by private organizations within the province of Quebec.

In 2021, Quebec Law 25, An Act to modernize legislative provisions regarding the protection of personal information (Law 25), brought major reforms to the Quebec Private Privacy Act. The amendments introduced by Law 25 came into effect in phases, with the last significant set of provisions coming into force on 22 September 2023. The only amendment yet to come into force relates to the right to data portability, which will become effective on 22 September 2024.

Read on below to learn more about who the law applies to, the major requirements of the law, and how organizations can remain compliant with them.

2. Who Needs to Comply with the Quebec Private Privacy Act

a. Material Scope

The Quebec Private Privacy Act applies to the collection, holding, use, or communication of personal information by the organizations operating in Quebec, whether an organization keeps the information itself or through the agency of a third person. The law covers all kinds of personal information irrespective of the medium or form in which the information is accessible, whether written, graphic, taped, filmed, computerized, or other.

The law defines personal information as any information that relates to a natural person and directly or indirectly allows that person to be identified. In addition, personal information is sensitive if, due to its nature, in particular its medical, biometric, or otherwise intimate nature, or the context of its use or communication, it entails a high level of reasonable expectation of privacy.

b. Exemptions

The law does not apply to the following:

• Journalistic, historical, or genealogical material collected, held, used, or communicated for the legitimate information of the public;
• A public body, within the meaning of the Act respecting access to documents held by public bodies and the protection of personal information;
• Information held on behalf of a public body by a person other than a public body.

Furthermore, the provisions of Division II and III of the law do not apply to:

• Personal information which by law is public;
• Personal information concerning the performance of duties within an organization by the person concerned, such as the person’s name, title and duties, as well as the address, email address and telephone number of the person’s place of work.

3. Obligations for Organizations Under the Quebec Private Privacy Act

a. Data Protection Officer

The law requires organizations to have dedicated personnel in charge of protecting personal information (DPO). The DPO must ensure that the organization implements and complies with the requirements of the law. The title and contact details of the DPO must be published on the organization’s website, or if the organization does not have a website, be made available to the public by any other appropriate means.

b. Privacy Policies and Practices

Organizations must establish and implement governance policies and practices regarding the protection of personal information, which must at least:

• provide a framework for the keeping and destruction of the information;
• define the roles and responsibilities of the personnel for the complete life cycle of the information;
• provide a process for dealing with complaints regarding the protection of the information.

The governance policies and practices must be proportionate to the nature and scope of the organization’s activities and must be approved by the DPO. Organizations are also required to publish the policies and practices on their websites, or if there is no website, make them available to the public by any other appropriate means.

c. Privacy Impact Assessments

Organizations must conduct a privacy impact assessment (PIA) while acquiring, developing, or overhauling an information system or electronic service delivery system that involves the collection, use, communication, keeping, or destruction of personal information. The PIA must be conducted in consultation with the DPO and must be proportionate to the sensitivity of the information concerned, the purposes for which it is to be used, the quantity and distribution of the information, and the medium on which it is stored.

d. Data Breach Requirements

In cases where an organization believes that a confidentiality incident involving personal information has occurred, the law requires the organization to undertake reasonable measures to reduce the risk of injury and to prevent any other incident of the same nature.

A confidentiality incident means:

• access not authorized by law to personal information;
• use not authorized by law of personal information;
• communication not authorized by law of personal information; or
• loss of personal information or any other breach in the protection of such information.

Where the confidentiality incident presents a risk of serious injury, the organization must promptly notify the Commission d’accès à l’information (CAI) as well as any person whose personal information is concerned by the incident in accordance with the Regulation respecting confidentiality incidents. Organizations must also maintain a register of confidentiality incidents.

e. Purpose Limitation and Data Minimization

Organizations must determine the purposes for collecting personal information before the collection and must only collect personal information necessary for the purposes determined before the collection of information. Organizations must not use the collected personal information for any purposes other than the ones for which the personal information was initially collected unless consented to by the data subject.

f. Privacy Notice

Organizations must provide a clear and simple privacy notice to the data subjects at the time of collection of personal information as well as subsequently at the request of the data subject. The privacy notice must contain the following information:

• the purposes for which the information is collected;
• the means by which the information is collected;
• the rights of access and rectification provided by law;
• the person’s right to withdraw consent to the communication or use of the information collected; and
• the possibility that the information could be communicated outside Québec.

In addition, where an organization collects personal information using technology that includes functions allowing the person concerned to be identified, located, or profiled, it must first inform the data subject:

• of the use of such technology; and
• of the means available to activate the functions that allow a person to be identified, located or profiled.

Organizations collecting personal information through technical means must also publish their privacy notice/ confidentiality policy on their websites.

g. Security Measures

Organizations must take appropriate security measures necessary to ensure the protection of personal information collected, used, communicated, kept, or destroyed. The security measures taken must be reasonable considering the sensitivity of the information, the purposes for which the information is used, the quantity and distribution of the information, and the medium on which the information is stored.

h. Consent Requirements

Under the law, organizations cannot use an individual's personal information for a purpose for which the individual has not provided his/her consent. Organizations must also seek the consent of the individuals for collecting their personal information from third parties as well as disclosing the personal information to third parties.

The consent provided by an individual for processing of his/her personal information must be clear, free, and informed and must be provided for specific purposes. The organizations must assist the individuals in understanding the scope of the consent, if requested, and must also provide the individuals with a right to withdraw their consent at any time. The consent sought for processing sensitive personal information must be express in nature, and in case the personal information relates to a minor under the age of 14, the organizations must also seek the consent of the minor’s parent or tutor unless collecting the information is clearly for the minor’s benefit.

i. Cross-Border Data Transfers

The law requires organizations to conduct an assessment of privacy-related factors before communicating personal information outside Quebec, commonly referred to as Transfer Impact Assessment (TIA). While conducting a TIA, the organizations must consider the following factors:

• the sensitivity of the information;
• the purposes for which it is to be used;
• the protection measures, including those that are contractual, that would apply to it; and
• the legal framework applicable in the State in which the information would be communicated, including the personal information protection principles applicable in that State.

Organizations must only proceed with the cross-border transfer of personal information if the TIA establishes that the personal information would receive adequate protection in the foreign jurisdiction. The cross-border transfer must also be the subject of a written agreement between the organization and the foreign entity receiving the personal information that takes into account, in particular, the results of the TIA and, if applicable, the terms agreed on to mitigate the risks identified in the TIA.

j. Communication of Personal Information to Third Parties

Organizations often rely on third-party vendors/service providers to assist in the processing of personal information which, in most cases, involves the sharing of personal information of individuals with those vendors/service providers. In such a case, the organization must enter into a written contract with the vendor/service provider, which must require the vendor/service provider to:

• Take appropriate security measures to protect the confidentiality of the personal information;
• Ensure that the information is used only for carrying out purposes agreed in the contract;
• Ensure that the vendor/service provider does not the information after the expiry of the contract;
• Ensure that the vendor/service provider notifies the organization without undue delay about any violation or attempted violation by any person of any obligation concerning the confidentiality of the information and allows the organization to conduct any verification relating to confidentiality requirements.

Similarly, if an organization communicates personal information to a third party for concluding a commercial transaction, it must enter into an agreement with the third party that stipulates, among other things, that the latter undertakes:

• to use the information only for concluding the commercial transaction;
• not to communicate the information without the consent of the data subject, unless authorized to do so by the law;
• to take the measures required to protect the confidentiality of the information; and
• to destroy the information if the commercial transaction is not concluded or if using the information is no longer necessary for concluding the commercial transaction.

k. Automated Processing of Personal Information

Organizations using personal information to render a decision based exclusively on automated processing must inform individuals about the use of automated processing no later than the time when the decision is informed. Organizations must also provide the following information, if requested, to the individuals:

• the personal information used to render the decision;
• the reasons and the principal factors and parameters that led to the decision; and
• the right of the person concerned to have the personal information used to render the decision corrected.

Organizations must also provide the individuals an opportunity to submit observations and requests for review of the decision.

4. Data Subject Rights

Like all other significant data protection regulations globally, the Quebec Private Privacy Act also guarantees individuals certain rights, known better as Data Subject Rights (DSRs), which include the following:

A. Right to be Informed

Data subjects have the right to obtain the following information:

• the personal information collected;
• the purposes of collection of personal information;
• the means by which information is collected;
• the rights of access and rectification;
• the right to withdraw consent to the communication or use of the personal information;
• the categories of persons who have access to the information within the organization;
• the duration for which the information will be kept; and
• the contact information of the person in charge of the protection of personal information.

B. Right to Access

Data subjects have the right to confirm the existence of their personal information, and obtain a copy of it in the form of a written and intelligible transcript.

C. Right to Rectification and Deletion

Data subjects have the right to get their personal information rectified if their personal information is inaccurate, incomplete, or equivocal, or if collecting, communicating, or keeping it are not authorized by law.

D. Right to be Forgotten

Data subjects have the right to stop the organizations from disseminating their personal information or to get the hyperlinks attached to their personal information, which provides access to the information, de-indexed. However, the data subjects can only exercise this right if the dissemination of the information by the organization contravenes a law or a court order.

E. Right to Data Portability

Effective 22 September 2024, the data subjects have the right to get their personal information in a structured, commonly used technological format, where the information is in computerized form. The data subjects can also request for the communication of their personal information to any person or body authorized by law to collect such information.

F. Right to Contest Automated Decision-making

Data subjects have the right to be informed of the fact that their personal information is used to render a decision based exclusively on automated processing and request further details regarding the automated decision-making. In addition, the data subjects also have the right to submit observations and contest the decision based exclusively on automated processing.

Exercising the DSRs

The request to exercise a DSR must be made in writing, and the person making the request must prove that he/she is the data subject or the representative, heir, or successor of the data subject, the liquidator of the succession, a beneficiary of life insurance or of a death benefit, the person having parental authority even if the minor child is deceased, or the spouse or a close relative of the deceased data subject. The DSR request must be addressed to the DPO.

Timeline to respond to a DSR request

The DPO must respond to a DSR request promptly and not later than 30 days from the receipt of the request.

Charges for Access Request

Organizations should provide free-of-charge access to personal information; however, they may charge a reasonable amount from the data subjects requesting the transcription, reproduction, or transmission of their personal information, provided the data subjects are informed about the intention to charge in advance.

Refusal of a DSR request

If an organization refuses to entertain a DSR request, it must provide the data subject with reasons for the refusal, an indication of the provisions of law on which the refusal is based, and the remedies available to the data subject.

5. Regulatory Authority

The Commission d’accès à l’information (CAI) is the primary regulatory authority responsible for enforcing the provisions of the law. CAI is tasked with, amongst others, entertaining appeals of the data subjects against the organizations, formulating implementing regulations, conducting investigations and inquiries of violations of the law and imposing administrative monetary penalties, or instituting penal proceedings for offenses in accordance with the law.

6. Penalties for Non-Compliance

Organizations can face a range of enforcement actions from the CAI if found in violation of the provisions of the law, as briefly described below:

A. Monetary Administrative Penalties

Organizations can be subject to monetary administrative penalties for different violations of the law including, but not limited to, collection, use, communication, retention or destruction of personal information in contravention of the law. The CAI must issue a notice of non-compliance before imposing an administrative penalty and provide an opportunity to the non-compliant organization to remedy the violations. If the organization fails to remedy the violation within the time specified in the notice, the CAI may issue a statement of offense and impose a monetary administrative penalty not exceeding $50,000 in the case of a natural person and, in all other cases, $10,000,000 or, if greater, the amount corresponding to 2% of worldwide turnover for the preceding fiscal year.

B. Penal Proceedings

The law specifies certain provisions of the law, the violation of which amounts to an offense, and the organization committing the offense can face penal proceedings and be liable to a fine of $5,000 to $100,000 in the case of a natural person and, in all other cases, of $15,000 to $25,000,000 or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year.

All penal proceedings must be instituted within five years of the commission of the offense.

C. Punitive Damages

Organizations can also be subject to punitive damages of not less than $1,000 in cases where the unlawful infringement of a right conferred by the law causes an injury and the infringement is intentional or results from a gross fault.

7. How an Organization Can Operationalize the Quebec Private Privacy Act

Organizations can operationalize the law by:

• Establishing and implementing governance policies and practices;
• Appointing a Data Protection Officer as required under the law;
• Developing clear and accessible privacy notices in compliance with the requirements of the law;
• Obtaining clear, free and informed consent of the data subjects before processing their personal information;
• Developing a robust framework for receiving and processing data requests and complaints from consumers; and
• Undertaking appropriate security measures and implementing a mechanism to avoid and manage confidentiality incidents.

8. How Securiti Can Help

Securiti’s Data Command Center framework enable organizations to comply with the Quebec Private Privacy Act by securing the organization’s data and enabling organizations to maximize data value and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.

Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.

Request a demo to learn more.