(Law 25 SQ 2021, c 25; formerly Bill 64)

This new act, drafted to modernize legislative provisions affecting the protection of personal information, was passed by Quebec’s National Assembly on September 22, 2021, and comes into force on September 22, 2022. This reform, Law 25, puts Quebec at the forefront in terms of protecting individuals’ personal information.

In a social context of digitized personal information, compromised data and cybercrime, it is high time to pay strict attention to data use and management. This is particularly true in the wake of repeated data scandals such as the 2018 Facebook-Cambridge Analytica debacle. Starting in 2014, Cambridge Analytica used 87 million Facebook users’ data to spread pro-Trump and pro‑Brexit propaganda, thus gravely undermining the principles of individual security, confidentiality and freedom.

Law 25

What is this new legislation with Law 25?

As well, according to the legal firm Dubé Latreille, personal information held by organizations is potentially at high risk.

This new legislation (Law 25) respects, protects and defends individuals’ personal information and enhances their privacy and their right to consent to the use of information about them.

In responding as effectively as possible to our society’s present needs, expectations and vulnerability, this act also significantly amends other legislation:

  • the Act respecting Access to documents held by public bodies and the Protection of personal information (ADPB); and
  • the Act respecting the protection of personal information in the private sector (AIPS).

To prevent any organization from exchanging or selling individuals’ personal information, starting on September 22, 2022, all organizations will be formally prohibited from using this information for prospection purposes without the individual’s consent. This means that organizations will have new responsibilities, and citizens will have new rights.

More information about Law 25

Applicability
This act applies to any organization that holds individuals’ personal information, including public bodies, private-sector businesses, and charities, regardless of size or sector of activity. Each organization must appoint a person to be in charge of the protection of the personal information of employees, clients and beneficiaries. This is information that has to do with individuals’ private lives and makes it possible to identify them, directly or indirectly. Sensitive data such as private, medical or biometric information will be subject to special attention and regulations.

Specifically, the organization’s Internet site must indicate the title and contact information of the person in charge of the protection of personal information. This responsibility may be delegated to another person, in writing, at any time.

All organizations are subject to the new act, and must comply with it starting on September 22, 2022. This legislation will promote transparency in public bodies, private-sector businesses and provincial political parties, and will give citizens greater control in managing information about them. Thus it will enhance data security and privacy in a way that is appropriate for our times.

Remember that the obligation to comply with the act has nothing to do with an organization’s size or sales figures: it applies to every organization, across the board.

What changes does Law 25 bring?

As of September 22, 2022

For citizens

  1. The right to be informed
  2. The right to withdraw consent to release personal information
  3. The right to accessibility of personal information
  4. The right to correction of personal information
  5. The right to destruction of personal information

Individuals each now have the formal right to use, disclose, share or erase information about them at any time.

For organizations

  1. Obligation to appoint a person in charge of the protection of personal information. Although in most cases this responsibility will be exercised by the Chief Executive Officer, it may be delegated to another person within the organization. The person in charge is responsible for ensuring that the organization complies with the act, and for responding to inquiries, questions and complaints about the processing of personal data.
  2. Obligation to strike a committee on access to information and the protection of personal information

As of September 22, 2023

  1. Establish governance policies and practices regarding personal information. (AIPS, s. 3.2)

  2. Be transparent about collecting and using personal information: on Internet sites, publish governance of personal information. (AIPS, s. 63.3)

  3. In all cases where personal information is collected using technological means, publish a confidentiality policy drafted in clear and simple language. (AIPS, s. 63.4; ADPB, s. 8.2)

  4. Inform individuals when they are subject to a decision based exclusively on automated processing (that is, with no human intervention) of personal information about them. (AIPS, s. 65.2; ADPB, s. 12)

  5. Inform individuals when they are subject to identification, location or profiling technology. (AIPS, s. 65.0.1; ADPB, s. 8.1)

  6. Offer anonymization and destruction of personal information (AIPS, s. 73; ADPB, s. 23)

  7. Subject provincial political parties to the ADPB. (ADPB, s. 1)

  8. Conduct an assessment of privacy factors, particularly before communicating personal information outside Quebec. (AIPS, s. 63.5, 64, 68, 70; ADPB, s. 3.3, 17)

  9. Obtain clear, free and informed consent to the use and processing of personal information. (AIPS, s. 53.1, 65.1; ADPB, s. 12, 14)

  10. Offer de-indexing (cessation of dissemination) (ADPB, s. 28.1). Individuals may change their mind and ask organizations to cease dissemination of personal information about them.

  11. Apply the rules governing communication of personal information concerning a deceased person that could help in the grieving process. (AIPS, s. 88.0.1; ADPB, s. 40.1). If necessary, and unless the deceased had refused in writing, organizations may communicate certain personal information to the family of the deceased.

  12. Apply the rules governing communication of personal information about a minor under 14 years of age. (AIPS, s. 64; ADPB, s. 4.1) Personal information may not be collected without the consent of the minor’s parent or tutor.

  13. Include the obligation to provide the highest level of confidentiality, by default, when products and services are offered. (AIPS, s. 63.6.1; ADPB, s. 9.1)

  14. Bear in mind the possibility of administrative penalties imposed on organizations by the Commission d’accès à l’information. (ADPB, s. 90.1 ff.)

As of September 22, 2024

Ensure the right to accessibility of personal information. (AIPS, s. 84; ADPB, s. 27) Individuals may ask organizations to provide personal information about them in an intelligible format. Thus, between 2022 and 2024, organizations will need to prepare themselves to comply with this rule.

Penalties

Since this legislation is designed to ensure respect of individual privacy, non‑compliance has serious consequences. Monetary penalties can reach $10M or 2% of sales figures, and criminal penalties can be as high as $25M or 4% of sales figures. As well, non‑compliance will adversely affect an organization’s legal liability, reputation, goodwill and business development.

Exceptions

All that said, there are some exceptions. Under section 110 of the new act, personal information may be obtained without consent in certain cases:

  • if its use is consistent with the purposes for which it was collected;
  • if its use is for the benefit of the person concerned;
  • if its use is necessary for study, research or statistical purposes.

As well, under section 115 of the new act, in order to conclude a commercial transaction, an individual’s personal information may be communicated to a third party without consent. Under subsection 18.4(4) of the ADPB, a commercial transaction means “the alienation or leasing of all or part of an enterprise or of its assets, a modification of its legal structure by merger or otherwise, the obtaining of a loan or any other form of financing by the enterprise or of a security taken to guarantee any of its obligations”.

However, this procedure requires the parties to enter into a prior agreement stipulating that the person carrying on an enterprise will:

  • use the information only for concluding the commercial transaction;
  • not communicate the information without the consent of the person concerned, unless authorized to do so by the act;
  • take the measures required to protect the confidentiality of the information; and
  • destroy the information if the commercial transaction is not concluded or if the information is no longer necessary.

When the commercial transaction is concluded, the new holder of the personal information may use it only in accordance with the act, and must notify the individuals concerned that it now holds this information. As well, if there is a further commercial transaction, each use of personal information must receive the consent of the individual concerned. In Alberta and British Columbia, there are no similar exemptions.

Don't hesitate to contact us

We are available to draw up essential legal documents with you about Law 25,
and to help set up all the procedures your organization will need.