In an era dominated by digital advancements, the paramount concerns of privacy and data protection have prompted governments to establish laws safeguarding personal information. Quebec’s proactive response to this imperative is Law 25. This legislation ushers in a new era of data protection and compliance.
This guide aims to provide businesses and stakeholders with a comprehensive understanding of the profound implications of Law 25, while also highlighting how Borealis Stakeholder Engagement Software can seamlessly facilitate compliance.
Understanding Quebec’s Law 25
On June 12, 2020, the legislative journey of Law 25, previously known as Bill 64, “An act respecting the protection of personal information in the private sector,” was initiated in Quebec. This transformative legal framework aimed to modernize the province’s private and public sector privacy laws, a groundbreaking legislative endeavor that reshaped data privacy norms. After adoption by the National Assembly on September 21, 2021, Bill 64 was officially designated as Law 25.
Law 25 introduces stringent privacy requirements for businesses within Quebec, including enhanced transparency, robust data protection measures, and stringent consent mechanisms. Non-compliance carries the potential for significant fines, accompanied by increased regulatory authority for the Commission d’accès à l’information (CAI) du Québec (Quebec’s Commission for Access to Information). The immediate focal points of this law are as follows:
- Disclosure of biometric data processing
- Designation of a Responsible Individual
- Mandatory reporting of incidents
- take appropriate steps to minimize potential harm to the individuals involved and to prevent the recurrence of similar incidents;
- inform the CAI and the affected parties (using the form provided);
- maintain a record of confidentiality breaches and security breaches, and furnish a copy to the CAI upon their request;
- adhere to the updated regulations regarding the disclosure of personal data without explicit consent from the relevant individual, particularly in the context of research, analysis, statistics, or commercial transactions;
- conduct a Privacy Impact Assessment (PIA) before disclosing personal information without the consent of the affected individual, specifically for research, analysis, and statistical purposes; and
- prior to conducting any identity verification or confirmation using biometric characteristics or measurements, notify the CAI by completing the form provided.
Implementation phases and requirements
Law 25 extends its influence beyond provincial borders, impacting businesses within Quebec as well as businesses across Canada that interact with Quebec residents. The law is implemented in three phases, with the core of this multi-phased rollout occurring on September 23, 2023. Each of the three phases introduces new requirements and responsibilities:
- By September 22, 2022: Appoint a Privacy Officer, Mandatory Breach Reporting, Biometrics Disclosure.
- By September 22, 2023: Privacy Policy, Mandatory Privacy Impact Assessments (PIA), Transparency and Consent Systems, Anonymization, Right to Erasure.
- By September 22, 2024: Right to Portability.
The expansive impact of Law 25’s privacy changes
Applicability of Law 25
Defining “personal information” under Law 25
Addressing transborder data flows, data lifecycle, and enforcement
Within Law 25, transborder data flows take center stage, compelling businesses to ensure that data protection transcends provincial boundaries. It is imperative for individuals to be informed about the destination(s) of their data. Businesses that transfer personal information beyond Quebec’s borders must ensure that the standard level of security is maintained. Merely exporting personal data to a jurisdiction with less stringent privacy regulations is not an acceptable approach; it’s crucial to reveal how data will be utilized.
Furthermore, once its intended purpose is fulfilled and the intended objective accomplished, the law mandates destruction or anonymization of the data. Most organizations lack a mechanism to cleanse data in this way, which allows data to persist indefinitely. However, this practice must now be addressed. Enforcement of Law 25 rests with the CAI, underscoring the urgency of compliance and the evolving landscape of data lifecycle management.
Significance and implications
Law 25 reshapes power dynamics, empowering individuals with unparalleled control over their personal data. A range of rights, including access, correction, and the ability to revoke consent, are bestowed upon individuals. For businesses, this paradigm shift necessitates recalibrating data management practices to align with the law’s elevated standards. Law 25 highlights the value of transparent data collection and utilization as a foundation for building trust between businesses and stakeholders, rather than stifling data usage.
The significance of Law 25 goes beyond surface-level legislative changes; it necessitates a fundamental shift in how businesses manage and protect personal information. Key provisions within this legislation have far-reaching operational impacts:
Heightened privacy requirements
Law 25 encompasses mandatory impact assessments (PIA) to evaluate privacy-related factors, cross-border communication assessments to ensure sufficient protection, a requirement for specific and detailed consent, and the establishment of new individual rights, including data portability. The importance of obtaining informed consent has grown significantly.
Seeking permission is now the primary approach. Businesses are obligated to ensure that individuals have a comprehensive understanding of how their personal information will be used, collected, and disclosed. Express consent is required for certain uses or disclosures of sensitive personal information.
For consent to hold legal validity under Law 25, it must adhere to the following criteria:
- it must be freely and adequately given;
- it must be requested for each specific purpose;
- it must be granted for distinct purposes;
- it must be presented in clear and easily comprehensible language;
- it must be solicited separately from any other information; and
- it must be expressly and proactively obtained for sensitive personal information, barring the use of pre-selected checkboxes that automatically share the information.
Additionally, individuals must be informed about:
- their right to withdraw and revoke consent (applies to private organizations), also known as “de-indexation”;
- the identities of third parties within and outside Quebec with whom their personal information may be shared;
- the categories of individuals within the business who can access their personal information;
- the duration for which their data will be retained;
- the contact details of the responsible individual, such as the Privacy Officer;
- whether the consent request is obligatory or voluntary (exclusive to the public sector); and
- the ramifications of declining to respond or retracting consent (exclusive to the public sector).
The legislation provides individuals with expanded rights concerning their personal information. Individuals have more authority over their personally identifiable information (“PII”). They will possess the rights to deletion, data portability, and limitations on automated decision-making.
Businesses utilizing algorithms and technology to identify or profile individuals will be mandated to disclose their engagement in such activities, along with instructions on activating or deactivating their profiling technology. This empowers individuals who wish to avoid profiling to opt out of personalized experiences. Notably, this includes monitoring within workplaces, necessitating clear communication to employees about monitoring practices.
Notification of data breaches
Financial penalties
Readiness of Quebec businesses for Law 25 compliance
To assess the readiness and awareness of businesses regarding Law 25’s changes, PwC Canada, in collaboration with the Canadian Life and Health Insurance Association and the Fédération des chambres de commerce du Québec, conducted a comprehensive survey in May 2021. This survey targeted around 75 senior decision-makers responsible for privacy and data concerns across various sectors and businesses of varying sizes in Quebec.
Survey results and key insights
- Limited Full Compliance Anticipation: Only 35% of businesses anticipate being fully compliant.
- Challenges for SMEs: Many companies, especially small to medium-sized enterprises, lack robust privacy programs and struggle to grasp the full extent of Law 25’s impact.
- Resource Reallocation: Businesses anticipate needing to double the size of their privacy teams to accommodate the evolving demands.
- Impact of Data Transfers: Data transfer obligations across Quebec’s borders are expected to have the most significant impact.
The survey conducted by PwC Canada underscores the readiness gap among businesses regarding Law 25. Despite the willingness to comply, only 35% of businesses are fully prepared. This statistic highlights the urgency for comprehensive knowledge and strategic adaptation.
Preparation strategies
While larger businesses are proactively setting up preparatory programs, numerous small to medium-sized enterprises are grappling with the financial implications of compliance in an already challenging economic landscape. Drawing from lessons learned from the General Data Protection Regulation (GDPR), prioritizing customers over mere compliance through data discovery, governance, protection, and minimization can enhance the customer experience, foster trust, and unlock data’s potential for innovation and growth. However, this approach requires a strategic mindset, executive support, and dedicated resources.
Compliance facilitated: leveraging Borealis stakeholder engagement software
Law 25 compliance mandates that businesses review and update their privacy policies, conduct PIAs, assess all personal data intake flows, and institute suitable security procedures.
As organizations navigate the intricate landscape of privacy compliance, Borealis Software emerges as an indispensable solution. The platform aligns seamlessly with Law 25’s requirements, helping organizations streamline data protection practices while improving stakeholder engagement with data-driven insights. Borealis helps organizations efficiently manage:
- Stakeholder Data: Borealis acts as a secure, centralized repository for stakeholder data, even allowing organizations to restrict access to information on a need-to-know basis through the Team Data Segregation add-on. Information can also be submitted anonymously through the online feedback portal. This aligns seamlessly with Law 25’s amplified data protection mandates.
- Consent Tracking: The software streamlines consent documentation, ensuring meticulous adherence to Law 25’s stringent consent criteria.
- Incident Reporting: Borealis simplifies the process of prompt data breach reporting, a cornerstone of Law 25’s robust mandatory disclosure framework.
- Custom Workflows: Borealis facilitates privacy impact assessments through tailored workflows, fostering accountability across organizational levels.
- Auditing and Reporting: Borealis’ advanced auditing features empower organizations to provide a comprehensive view of their commitment during regulatory audits.
Insights from Law 25
Conclusion
Law 25 represents more than a mere legal framework; it serves as a dynamic catalyst propelling transformation within privacy regulations. As businesses adapt to meet these new responsibilities, Borealis Stakeholder Engagement Software emerges as an indispensable cornerstone for compliance, illuminating the path toward seamless adherence to this revolutionary legislation.
Businesses stand at a crossroads, compelled not only to embrace these changes but to fortify data protection, foster trust, and flourish within an era where privacy takes center stage. The dynamic capabilities of Borealis Stakeholder Engagement Software empower organizations on their compliance journey, offering a robust tool to navigate the intricate labyrinth of Law 25.
In the tapestry of Law 25, it becomes evident that knowledge and collaboration are the keys to empowerment. This legislation symbolizes a seismic shift in how personal data is handled, underscoring the paramount significance of preserving privacy rights for both individuals and businesses. With the evolving landscape of privacy regulations, Law 25 marks a transformative juncture, propelling Quebec’s businesses into an era where data protection and compliance pave the way forward.
DISCLAIMER: The information provided in this article is for general informational purposes only and does not constitute legal advice. Organizations should consult with qualified legal professionals to ensure compliance with specific laws and regulations.