Law 25 (formerly Bill 64), or the Law modernizing legislative provisions concerning the protection of personal information, has brought sweeping changes to the legislative framework for the protection of personal information in public bodies and private enterprises in the province of Quebec.
What Are the Objectives of Law 25?
Law 25 provides greater privacy for citizens by giving them more power over the handling of their personal data. It makes it possible for them to have a better understanding of the consequences of their choices.
Law 25 requires organizations to take concrete actions to ensure the security of the information they process.
Its goal is to prevent organizations from sharing or selling the personal information and sensitive data of individuals.
What Are the Changes Planned by Law 25?
Law 25 makes several changes for organizations, such as:
- The requirement to appoint a Privacy Officer
- The obligation to have a management plan and register of confidentiality incidents
- The obligation to disclose any cyber-attack or incident threatening the confidentiality of private information
Law 25 guarantees the right of citizens to use, disclose, share, and delete their own information at any time.
To Whom Does Law 25 Apply?
Law 25 applies to all businesses, whether they are SMEs, non-profit organizations, self-employed individuals, or any other form of business recognized by law in Quebec.
What Is Considered Personal Information Under Law 25?
According to Law 25, personal information is any information that relates to a natural person and allows that person to be identified, such as:
- Their name
- Their gender
- Their social security number
- Their online identifiers
- Their employee number
- Their address
- Their age
- Their family situation
- Their physical, physiological, genetic, financial, cultural, or social characteristics
What Is a Privacy Impact Assessment (PIA)?
A Privacy Impact Assessment (PIA) is a mandatory preventive measure under Law 25 to better protect personal information and ensure the privacy of citizens.
A business must complete a PIA for any information system acquisition, development, redesign or electronic service delivery project that involves personal information. A PIA must also be completed before communicating any personal information outside of Quebec.
Privacy Impact Assessments must be proportionate to the sensitivity of the information concerned, the amount of information, and the purpose for which it is to be used.
What Are the Penalties for Not Complying with Law 25?
The Commission d’accès à l’information (CAI) can impose significant penalties on companies that fail to comply with Law 25. Fines can be as high as $25 million, or 4% of a company’s revenue.
Penalties under the law are relative to the severity of the negligence as well as the organization’s ability to pay.
What Is the Timeline for Law 25?
Law 25 will become effective over a three-year period between September 22, 2022 and September 22, 2024.