Quebec, a Canadian province, has significantly changed its privacy legislation in recent years. In 2021, Quebec introduced Bill 64, which has now become Law 25, also known as the Privacy Legislation Modernization Act. Notably, prior to Law 25, Quebec had two separate laws governing privacy matters: Quebec Chapter P-39.1 for the private sector and Quebec A-2.1 for the public sector.
Law 25 has imposed stricter privacy requirements for both the private and public sectors, modernizing the entire privacy landscape of Quebec. Think of it as similar to changes at the federal level with Bill C-27 and the Consumer Privacy Protection Act (CPPA) or at the provincial level with British Columbia’s Freedom of Information and Protection of Privacy Amendment Act, 2021 (Bill 22). All these updates govern how data is collected and protected for individuals in Quebec and associated businesses. In this blog post, we will take a closer look at who must comply with Law 25, the new requirements for businesses, the penalties and fines for noncompliance, and more.
What’s the Difference Between Law 25 and Bill 64?
In 2020, Quebec modernized its approach to the evolving data privacy landscape by introducing Bill 64. This bill was enacted into law in 2021 and is now officially known as Law 25, or the Privacy Legislation Modernization Act. Bill 64 and Quebec’s Law 25 are one and the same. The only distinction is timing: Bill 64 was not enacted in 2020; Quebec brought it into law on September 22, 2021. It was designed to revamp the province’s data privacy framework. Law 25 strengthens data privacy rights, imposes obligations on businesses, and expands penalties for noncompliance. The rollout occurred in phases, with further provisions becoming effective in September 2023 and again in September 2024.
When Do Quebec’s Law 25 Requirements Go Into Effect and What Are They?
Law 25’s requirements are being launched in a staggered rollout from 2021 to 2024:
Phase 1 – September 2021:
- Appoint a privacy officer
- Establish an incident response plan
- Disclose any breaches to the Commission d’accès à l’information (CAI)
- And more
Phase 2 – September 2023:
- Establish a governance framework for how personal information will be handled and protected
- Update privacy policies and conduct privacy impact assessments (PIA)
- Establish a process of opting in for the collection of personal information, a notice of collection, and the destruction of personal information upon request
- And more
Phase 3 – September 2024:
- Provide personal information in a portable format upon request
Who Needs to Comply with Quebec’s Law 25?
Law 25 casts a wide net: both Quebec-based businesses and any business (regardless of location) that processes the personal information of Quebecers must comply with Law 25’s requirements.
What are the Consequences for Noncompliance with Quebec’s Law 25?
It is imperative for all entities affected by Law 25 to thoroughly understand its provisions and ensure compliance, both for data protection and to avoid potential penalties.
Enforcement of Law 25 is overseen by the Commission d’accès à l’information (CAI) du Québec. Its enforcement mechanisms encompass the imposition of monetary penalties and the provision for civil actions. Individuals could face fines of up to $100,000, while businesses may be subject to penalties up to 4% of their global turnover or a range of $15,000 to $25,000,000.
Achieve Compliance with Canadian Privacy Laws Using Carbide
Carbide, equipped with its efficient compliance strategy and a specialized team of security professionals, is at your service. Our platform is tailored to expedite the compliance process and ease the burden of continuous compliance. This way, you can direct your energy towards excelling at your business operations. Get in touch with our team to discover more.