Quebec – Law 25

What is it about?

Bill 25 consists of a set of provisions that aim to protect the privacy of Quebec residents. These new provisions are designed to update the rules and laws governing the collection, processing, management, and use of personal information in Quebec. They thus follow developments in technologies and practices in the digital field.

Who is affected by this law?

These provisions apply to all companies and all private and governmental bodies, which have legal obligations under these provisions. The impact of this law also affects individuals, who will have to benefit from better protection of their personal information.

When do the provisions come into force?

The new provisions are in addition to existing legislative obligations. They come into effect gradually over a period of three years:

Effective September 22, 2022

• Responsibility/point of contact:
  • Designate a person with responsibility for protecting personal information. The title and contact details of this person must be published on the company’s website (or otherwise if there is no website);
• Incident management :
  • Keep a record of incidents affecting the confidentiality of personal information.
  • Provide a copy of the register to the Commission d’accès à l’information du Québec if it requests it.
  • In the event of an incident:
    • Take reasonable steps to mitigate the risk of harm to affected subjects. These actions should be taken as soon as possible following each incident.
    • Take reasonable steps to prevent similar incidents from occurring in the future.
    • If the risk of harm is high:
      • Notify the Commission d’accès à l’information du Québec;
      • Notify anyone involved or affected by the incident;
• Disclosure of Personal Information:
  • Comply with the new framework applicable to the communication of personal information without the consent of the person concerned, whether in the context of a commercial transaction or for the purposes of study, research, or the production of statistics;
  • Perform a privacy impact assessment (PIA) before disclosing personal information without the consent of the persons concerned for the purposes of study, research, or the production of statistics;
• Use of biometrics:
  • Inform the Commission d’accès à l’information du Québec, beforehand:
    • Any identity verification process that uses biometrics;
    • Any identity confirmation process that uses biometrics;

Effective September 22, 2023

• Governance of Personal Information:
  • Establish policies and practices governing the governance of personal information and publish detailed information about them in simple and clear terms on the company’s website or, if it does not have a site, by any other appropriate means;
• PIA:
  • Perform a privacy impact assessment (PIA) when required by law, for example before disclosing personal information outside of Quebec;
• Personal Information Lifecycle:
  • Collection:
    • Comply with the new rules surrounding consent to the collection, communication, or use of personal information;
    • Respect the new rules surrounding the collection of personal information concerning a minor;
  • Communication :
    • Comply with the new rules for the communication of personal information without the consent of the person concerned (exercise of a mandate or performance of a service or business contract);
    • Comply with the new rules for the communication of personal information outside Quebec;
    • Comply with the new rules for communicating personal information to facilitate the grieving process;
  • Use :
    • Respect the new rules for the use of personal information;
  • Protection:
    • Provide, by default, the parameters ensuring the highest level of confidentiality of the technological product or service offered to the public;
  • Conservation :
    • Anonymize personal information to use it for serious and legitimate purposes, subject to the conditions and retention period provided for by law;
  • Destruction :
    • Destroy personal information when the purpose for which it was collected is accomplished;
    • Respect the right to cease dissemination, re-indexing, or de-indexing (or right to be forgotten);
  • Transparency:
    • Respect your new information and transparency obligations towards citizens;

Entry into force on September 22, 2024

• Respond to requests for the portability of personal information

Read also Personal Identifiable Information