Quebec Law 25 (Previously Bill 64): The Definitive Guide

In recent years, more than 10 million Canadian citizens have had sensitive data exposed and stolen due to various data leaks.

To combat rapid technological advancements putting the privacy of Canadian people at risk, Quebec introduced Bill 64. This law aims to modernize privacy regulations by increasing safety measures, transparency, and individual data control.

Bill 64 later became Law 25 when it was officially adopted in September of 2022, and it has been gradually getting implemented since then.

In this article, we’ll explore the specifics of Quebec Law 25 (still commonly referred to as Bill 64), and its key provisions and discuss its implications for your business practices.

KEY TAKEAWAYS:
  • Law 25, previously known as Bill 64, represents a significant effort to modernize and strengthen data privacy regulations in Quebec.
  • Law 25 provisions are being rolled out in stages, and some measures already took effect in September 2022.
  • Law 25 introduces substantial penalties for non-compliance imposed by the Commission for Access to Information.

PRO TIP: Don’t waste your time and take the guesswork out of the legal jargon with this personalized privacy policy generator trusted by over 200,000 businesses.

What Is the Quebec’s Law 25 (Previously Bill 64)?

Quebec’s Law 25 came into effect on September 22, 2022, to revamp and strengthen the legal framework for safeguarding your personal information in Quebec. It is officially known as “An Act to Modernize Legislative Provisions Regarding the Protection of Personal Information” and significantly impacts data handling.

It was formerly known as Bill 64 which first became available on September 22, 2021. This isn’t just a legislative makeover; it’s a milestone in Quebec’s privacy landscape, aligning it with the ever-changing digital era and the evolving global privacy standards.

Law 25 addresses the pressing need to protect your personal data in a world of technology and data sharing. It’s all about addressing the challenges surrounding how your information is handled, how your consent is obtained, and how it’s kept secure, whether in the public or private sphere.

One of its primary goals is to put more control in your hands, enhancing transparency in how your data is processed and imposing stricter safeguards to prevent breaches and protect your privacy.

If you run a business in Quebec, you’ll want to pay close attention. Law 25 introduces new responsibilities for businesses regarding protecting the personal information of Quebec residents.

This includes the appointment of Data Protection Officers (DPOs) and conducting privacy impact assessments (PIAs), among other important privacy requirements. The rollout of these provisions takes place over three years, with the majority becoming effective in September 2023 and the right to portability coming into play on September 22, 2024.

Law 25 also lays down rules for how public bodies and businesses handle incidents that could compromise the confidentiality of your personal information. It requires privacy impact assessments for certain projects involving your data and clarifies the rules for obtaining your consent before collecting, using, or disclosing your personal information.

What Are the General Definitions of Law 25?

Let’s break down the important terms and provisions introduced by Law 25:

  • Personal Information: This covers everything about you. Your personal information includes any data that’s about you and helps others figure out who you are.
  • Consent: Your say matters. Law 25 says consent is when you freely and knowingly agree to let someone use your personal information for specific reasons.
  • Data Protection Officer (DPO): The law introduces the role of a Data Protection Officer who’s responsible for keeping an eye on how organizations protect your data. Think of DPOs as your data watchdog.
  • Privacy Impact Assessment (PIA): This provision describes privacy impact assessments as organized processes employed to check how using your data might affect your privacy rights and freedoms. It’s like a privacy health check.
  • De-Indexing: This is the process of hiding or changing the accessibility of your personal information, especially online, like removing it from search engine results. You can think of it as making your info invisible online.
  • Confidentiality Incident: According to the law, a confidentiality incident refers to an unauthorized event involving your personal information, like someone getting access, using, releasing, or losing your information when they’re not supposed to. Simply put, this is when things go wrong with your data.

Who Does Law 25 Apply To?

Law 25 casts a wide net, and it affects all organizations in Quebec, whether they have customers, employees, or operations here. Specifically, this law applies to your organization if:

  1. Your business calls Quebec its home base, or
  2. Your business interacts with people living in Quebec.

Much like data protection laws worldwide, Law 25 kicks into action whenever there’s any interaction between your business and someone from Quebec.

It’s worth mentioning that Law 25 doesn’t cover certain situations. For example, it doesn’t apply to materials collected, used, or shared for legitimate public information purposes in journalism, history, or genealogy. It also doesn’t apply to information held by a public body or by someone else on behalf of a public body.

What Are the Data Subject Rights Under Law 25?

Law 25 is all about making sure you and your rights to your data are protected. Here’s what it means for you:

  • Right to Consent: You can decide if your personal information can be collected, used, and shared. Your consent must be clear and given freely. Organizations have to tell you how they plan to use your data.
  • Right to Access: You can find out what information organizations have about you. You have the right to know what data they’re using, why, and who they’re sharing it with. Just ask, and they have to give you this information.
  • Right to Rectify: If you spot mistakes in your personal data, you can ask to have them corrected. Organizations must update your information to make sure it’s accurate.
  • Right to Withdraw Consent: You can change your mind about letting organizations use your data. When you do, they must stop unless there’s a legal reason to continue.
  • Right to De-Indexing: You can request that links or references to your personal information online be removed or changed. This is especially handy for things like search engine results.
  • Right to Data Portability: You can ask for your data in a format that’s easy to use with machines. This way, you can move your data to other organizations if you want to.
  • Right to Object: You can say no to using your data for certain things, like marketing. Organizations must respect your choice unless they have a good reason not to.
  • Right to Be Informed: Organizations have to tell you in plain language how they’ll use your data, including why, who’ll see it, and how long they’ll keep it. You also have the right to know if they’re making important decisions about you using automated processes.
  • Right to Restrict Processing: You can limit how organizations use your personal information in certain situations.
  • Right to Lodge Complaints: If organizations don’t follow these rules, you can complain to the Commission d’accès à l’information du Québec (CAI) about privacy violations. They’ll help make things right.

These rights give you more control over your personal info and a way to protect your privacy. Law 25 ensures your data is handled with care, transparency, and respect in today’s digital world.

How Can Businesses Comply With Law 25?

Here are some practical steps and strategies for your business to fully comply with Law 25, safeguard personal data effectively, and foster a culture of privacy in your day-to-day operations.

1. Designate a Data Protection Officer

Law 25 mandates the appointment of a DPO within organizations to oversee compliance. While anyone can serve as a DPO, the responsibility defaults to the highest senior employee, typically, your company CEO.

If a different individual takes on this role, their name, title, and contact information must be published on the organization’s website.

 2. Ensure Prompt Breach Notification

Law 25 sets strict rules for reporting data breaches. When something goes wrong, organizations must act quickly to inform the relevant parties about it. This includes “confidentiality incidents” like unauthorized access, usage, sharing, or loss of personal info.

This duty becomes especially important if the incident could seriously harm those whose data is affected. These rules match the real risk of significant harm principle in PIPEDA (Personal Information Protection and Electronic Documents Act) and cover incidents related to sensitive personal data.

According to PIPEDA, real risk of significant harm can mean things like physical harm, humiliation, financial loss, identity theft, and more.

To make sure your business is fully compliant with the law, here are the things you need to note when it comes to reporting data breaches:

  • Immediate Reporting: If you have a good reason to believe a security leak could seriously harm someone, you must report it immediately. The responsibility for reporting falls on the organization that controls the personal information involved in the breach.
  • Keep Records: You must keep records of all security breaches involving personal information under your control. These records should include all the details about the leak, how it happened, and what you did to deal with it.
  • Notify the Commission d’accès à l’information du Quebec (CAI): The main authority you need to tell is the CAI. Any breach that fits the “risk of serious harm” definition in the law has to be reported to the CAI as soon as possible.
  • Tell Affected Individuals: You also have to directly tell the people whose personal information was affected. This means if there’s a big risk to their well-being, they need to know, too.

PRO TIP: It’s important to tell affected individuals without any unnecessary delay regarding data leaks and how they could affect peoples’ personal data.

3. Strengthen Consent Practices

Law 25 brings in some important changes when it comes to getting the green light before collecting, using, or sharing personal info. Let’s break it down for you:

Transparency in Data Collection 

Now, your business has to be transparent when it gathers personal info. This means you need to explain why you’re collecting data, and how you’re doing it, and provide contact info for the DPO in charge of protecting data within your organization. All of this is usually laid out in a privacy policy.

People also have the right to ask who can see their data in your business and request fixes if needed among other things. You may set up a data subject access request form to simplify this process for both – your customers and yourself.

Express Consent for Sensitive Data

Law 25 also says you have to get clear permission before using sensitive personal info for secondary stuff. This sensitive data includes private and sensitive things like medical or biometric info. If the data context needs privacy, it can be classified as sensitive.

Consent for Minors

For children under 14, you will need their parent or guardian’s consent to collect their data. There’s a catch, though. If the data is clearly for the child’s good (such as in emergencies, police investigations, or child safety concerns), you might not need that extra permission. However, the law does not explicitly define the criteria for such cases.

Enhanced Consent Rules

If you’re asking for consent in writing, it has to be separate from other info you give. Also, you need clear permission for certain uses or sharing of sensitive personal info. Here’s what valid consent should look like:

  • Free and Informed: Consent should be given freely and with full understanding, not because someone forced you.
  • Specific: Consent should pertain to a specific purpose and not some vague idea.
  • Clear and Simple Language: The information provided should be easy to understand.
  • Separate Request: Consent should be requested separately for each distinct purpose.
  • Express for Sensitive Data: For sensitive personal information, you need additional permission.

Additional Consent Reminders

Individuals should also be informed about their right to withdraw consent in the private sector and must be provided with the following important information:

  • Who outside Quebec might see their information.
  • Who inside an organization has access to their data.
  • How long is their data kept for.
  • Contact information for the person in charge or an organization’s Data Protection Officer.
  • Whether the request for consent is mandatory or optional (public sector only).
  • What are the consequences of refusing to respond or withdrawing consent (public sector only).

4. Enable Biometric Database Notification

Changes related to biometric database notifications bring a big shift in the Quebec IT Act. These changes mean that if your organization plans to create a biometric database, you have to follow a clear process.

Before you start building a biometric database, you must tell the Commission d’Accès à l’Information (CAI) at least 60 days in advance. This notice helps regulatory authorities stay in the loop about upcoming biometric database projects.

It allows them to keep an eye on things and make sure these databases follow the rules. It also gives them time to check the purpose of the database, the security measures in place, and how it might affect people’s privacy.

PRO TIP: In simple terms, it’s a heads-up to the authorities so they can make sure everything’s done right.

5. Provide Privacy Policies

Under Law 25, businesses are required to provide individuals with comprehensive information when gathering personal data through technologies that identify, locate, or profile them, including cases involving automated decision-making processes.

In short, you need to establish clear rules and practices to keep individuals’ personal information safe. Moreover, you need to effectively implement and publicly disclose these policies.

This means that you need to have a compliant privacy policy available on your business’ website, as approved by the Data Protection Officer.

You need to note that organizations are granted until September 2023 to provide a privacy policy on their website. This means that this is already in effect right now.

6. Conduct Privacy Impact Assessments (PIAs)

Under Law 25, organizations must conduct Privacy Impact Assessments (PIAs) in these specific scenarios:

  1. PIAs are mandatory when your business embarks on upgrades, acquisitions, or developments involving IT infrastructure or digital products.
  2. Your business must conduct PIAs before transferring data outside of Quebec. During this process, you must evaluate various factors, including the sensitivity of the data, its intended use, and the security measures employed during the transfer. Moreover, it should assess whether the data will receive adequate protection in line with the “generally accepted data protection principles” of the receiving jurisdiction.
  3. Your organization must conduct a PIA when disclosing covered personal information for research purposes without obtaining consent from the subjects.

Here are the essential elements that should be covered in the Privacy Impact Assessment:

  • How sensitive the data is
  • The reasons why the data is being used
  • The safety protective measures and contractual safeguards
  • What laws are in the place where the data is shared

7. Implement Transparency for Cookies and Tracking Technologies: 

Quebec’s Law 25 introduces significant changes regarding the use of technologies that can identify, locate, or profile individuals, including widely used tools like cookies and tracking technologies.

This amendment is a response to the growing concerns surrounding online privacy and the collection of personal information through these technologies. Businesses are mandated to be more transparent and proactive in their approach to user privacy.

Specifically, your business is required to:

  • Inform Individuals: You must notify users about using technologies that can identify, locate, or profile them. This notification should be clear, concise, and easily understandable, ensuring that individuals know how their data may be collected and used during online interactions.
  • Provide Opt-In Mechanisms: Apart from informing users, you must also provide an opt-in mechanism. This means that individuals should have the choice to consent or decline the use of these technologies. In other words, users should actively agree to having their data collected, rather than it being collected by default.

With the widespread use of cookies and tracking technologies for various online activities, it becomes essential to establish clear guidelines and safeguards to protect individuals’ privacy rights.

8. Set Contractual Agreements for Third-Party Data Sharing

This part of Law 25 says that a business can share personal information with outside groups as long as they follow certain rules and get permission from the people whose information they are sharing.

Because giving personal information is needed to complete a business deal, your company can give that information to another person or organization.

Your business must do the following for this deal to be legal under Law 25:

  • Make a deal with the other person that spells out all the specifics. These terms include only using the information for the planned transaction, not sharing it with anyone else without permission, keeping it secret, and getting rid of it if the transaction doesn’t go through.
  • Write down the contract and clearly state the steps to keep information safe and only use it for the agreed-upon job or contract. Should there be any breaches of secrecy, the person in charge of protecting personal information must be notified immediately.

It is important to remember that if the other party wants to keep using or sharing the information after the exchange, they must strictly follow the law.

9. Uphold Data Subject Rights

Law 25 grants individuals rights similar to those in the EU General Data Protection Regulation (GDPR). Most of these rights are already effective starting September 2023, with data portability becoming effective in September 2024.

Data Subject Rights in Quebec now encompass:

  • Right to be informed.
  • Right to access.
  • Right to rectification.
  • Right to De-indexing
  • Right to erasure.
  • Right to withdraw consent.
  • Right to restrict processing.
  • Right to data portability.

Data privacy officers must respond to requests within 30 days, with the possibility of an extension.

Who Enforces Law 25?

Enforcing Quebec’s Law 25 is the job of the Commission d’accès à l’information du Québec, often referred to as the CAI (Commission for Access to Information). This regulatory body has an important role in ensuring organizations follow the new privacy provisions in Law 25. Here’s what they do:

  1. Monitoring: They monitor things, ensuring everyone follows the rules about accessing and protecting personal info. They do investigations, inspections, and handle requests to access personal information for research.
  2. Jurisdictional: They deal with disagreements, especially when it comes to accessing or fixing info held by public bodies and businesses.
  3. Hearings & Mediation: They have judges who listen to both sides in arguments and try to solve things peacefully through mediation.
  4. Promotion & Awareness: They spread the word about the best ways to protect personal info. They share info, publish decisions, and offer resources to ensure everyone knows how to keep data safe.

If you’re worried about how your organization handles data or think someone’s privacy rights got violated, you can contact the CAI for help. They look into complaints and conduct audits to ensure compliance. In cases of non-compliance, the CAI can impose penalties.

What Are the Penalties for Violating Law 25?

Some serious penalties were introduced by Law 25 to ensure compliance. These penalties are designed to encourage individuals and organizations to take protecting data seriously.

It’s important to note that the severity of the penalties depends on the nature of the violation and who commits it. Here’s what you need to know:

  • For Individuals: If you, as an individual, break the provisions in Law 25, you could face fines between $5,000 and $50,000. So, it’s important to take data security seriously.
  • For Organizations: Now, when it comes to organizations, the stakes are much higher. Law 25 can penalize organizations up to a whopping $25 million or 4% of their worldwide turnover, whichever is higher. That’s a significant financial hit!

These penalties are in place to give everyone a good reason to protect personal data and ensure compliance with Law 25. It’s a clear message that privacy matters, and not taking it seriously can hurt your wallet big time.

How Does Law 25 Compare to Other Data Privacy Laws?

Quebec’s Law 25 (formerly Bill 64) made some significant changes that bring it up to global privacy standards. To help you grasp its importance, let’s do a quick comparison of Law 25 with other well-known privacy regulations like PIPEDA, CCPA, and GDPR.

  • PIPEDA (Personal Information Protection and Electronic Documents Act): Canada’s federal privacy law aims to protect your privacy rights and build trust in digital transactions. It’s got some similarities with Law 25, but the former takes things a step further, especially in terms of consent and reporting data leaks.
  • CCPA (California Consumer Privacy Act): If you’re in California, CCPA is the big privacy law you should know about. It’s all about being transparent, giving you more rights over your personal info held by businesses. While Law 25 and CCPA both want to empower individuals, CCPA mainly focuses on Californians, whereas Law 25 has a broader impact in Quebec.
  • GDPR (General Data Protection Regulation): The GDPR is a comprehensive data protection regulation with a global impact, particularly in the EU. It emphasizes individual rights, data security, and accountability. GDPR applies to organizations handling the personal data of people residing in the EU, no matter where the organization is. Law 25, while it shares some of the same principles, is specific to Quebec but aligns with GDPR’s ideas of consent, transparency, and reporting breaches.

Law 25’s introduction of new requirements for data breach notifications and enhanced consent practices brings it closer to the standards set by GDPR and other leading privacy laws. It emphasizes the importance of promptly reporting confidentiality incidents and real risks of significant harm.

This proactive approach to data privacy aligns Quebec with global efforts to safeguard personal information and promote transparency in the digital age.

Frequently Asked Questions

What is Quebec’s Bill 64?

Quebec’s Bill 64, known as Law 25 after its adoption in September 2021, represents significant data privacy legislation aimed at enhancing personal data security within the province.

Who does Bill 64 (Law 25) apply to?

Bill 64 (Law 25) applies to a wide range of entities, including businesses, public bodies, and organizations that process the personal information of Quebec residents.

Does Bill 64 (Law 25) apply to businesses outside of Quebec?

Yes, Bill 64 (Law 25) has extraterritorial reach. If a business processes the personal information of Quebec residents, regardless of its physical location, it is subject to compliance with the law’s requirements.

What are the key provisions of Bill 64 (Law 25)?

Bill 64 (Law 25) is founded on principles such as confidentiality, transparency, and accountability, encompassing aspects like consent, data breach reporting, and the appointment of Data Protection Officers (DPOs).

Who enforces compliance with Bill 64 (Law 25)?

Compliance with Bill 64 (Law 25) is overseen by the Commission for Access to Information established by Quebec’s privacy laws.

What penalties exist for violating Bill 64 (Law 25)?

Penalties for non-compliance with Bill 64 (Law 25) can be substantial and may include monetary fines up to 25 million dollars or 4% of the organization’s worldwide turnover, whichever is greater.

How can businesses comply with Bill 64 (Law 25)?

To comply with Bill 64 (Law 25), businesses must conduct thorough data assessments, establish consent mechanisms, address data subject rights, prioritize data security and breach reporting, and appoint a Data Protection Officer (DPO).

Gabriela Dascalescu
CS50L, FIP, CIPP/E, CIPM, CIPT
Gabriela is a privacy expert and data protection officer who focuses on translating legalese. She dedicates to staying updated on tech and digital law developments to help clients get compliant with privacy regulations and legal tech requirements. She provides clear and concise legal advice, considering business objectives and interdisciplinary expertise. She integrates knowledge from various legal fields to offer comprehensive solutions in today's interconnected world.