This article is part of our Law 25 Blog Series, which provides readers with a 360° view on Law 25 (formerly known as Bill 64) and its sweeping amendments to Quebec’s Act respecting the protection of personal information in the private sector (the “Private Sector Act” or the “Act”). To view other blog posts in the series, please visit this page. We have also put together a comprehensive toolkit for organizations looking for resources to understand and ensure that they are compliant with Law 25. This toolkit can be found here.

As of September 22, 2023, organizations operating in Quebec or handling the personal information (“PI”) of Quebec residents are now subject to a host of new obligations. Compliance with these sweeping amendments brought by Act to modernize legislative provisions respecting the protection of personal information (“Law 25”) to the Private Sector Act require a deliberate and well-documented overhaul of policies, procedures and practices relating to how affected organizations handle Quebec PI.

The costs of not prioritizing compliance are high, with penal fines as high as the greater of $25 million or 4% of worldwide turnover for the preceding fiscal year (which amounts can be doubled for repeat offences) and monetary administrative penalties of up to the greater of $10 million or 2% of worldwide turnover for the preceding fiscal year. This article provides a brief summary of some of the key obligations that have just entered into force on September 22, 2023.

1. Documented and operationalized privacy framework

Organizations must now maintain governance policies and practices aimed at protecting PI that need to be proportionate to the nature and scope of their activities (article 3.3 of the Act). Such policies and practices must minimally (i) set out roles and responsibilities of personnel, (ii) provide a framework for retention and destruction (or anonymization) of such information and (iii) provide a process for dealing with complaints. These policies must be drafted in a clear manner and published by appropriate means by the organization, including on the organization’s website (articles 3.3 and 8.2 of the Act).

2. Additional transparency requirements

Private sector organizations are now subject to new disclosure requirements before or at the time of collection of PI. Such requirements include informing individuals of:

(i) their right to withdraw consent to the communication or use of the PI collected; 

(ii) if applicable, the name of the third person for whom the PI is collected, the name of the third persons or categories of third persons to whom it is necessary to communicate the PI, and the possibility that the PI could be communicated outside of Quebec (article 8 of the Act); and

(iii) If the organizations collects PI using technology which profiles, locates or identifies an individual, the organization must also inform the individual of the use of this technology and how to activate it (which could be interpreted as imposing privacy by default obligations on the organization with respect to such functionality; article 8.1 of the Act).

Additionally, organizations must not lose sight of the disclosure obligations that existed under the previous version of the Act, which continue to apply, including the requirement to transparently disclose the purposes (previously referred to as “object(s) of the file”) for which PI is collected and of the rights of access and rectification provided by law (article 8 of the Act).

3. PIA for communications of personal information outside of Quebec

Pursuant to article 17 of the Act, organizations have to conduct a privacy impact assessment (“PIA”) before PI collected in Quebec can be communicated outside of the province (including to another Canadian province). The same applies where the organization entrusts a person or body outside Quebec with the task of collecting, using, communicating or keeping such information on its behalf. The Act enumerates four specific requirements that must be taken into consideration for such PIAs:

(i) the sensitivity of the information;

(ii) the purposes for which it is to be used;

(iii) the protection measures, including those that are contractual, that would apply to it; and

(iv) the legal framework applicable in the State in which the information would be communicated, including the PI protection principles applicable in that State.

PI may only be communicated outside of Quebec if the PIA establishes that the PI would receive adequate protection, particularly in light of generally recognized principles regarding the protection of PI. The parties must also enter into a written agreement which takes into account the conclusions of the PIA.

Although the obligation entered into force on September 22, 2023, the way in which the provision is drafted has the effect of extending this obligation to transfers initiated before that date but which persist thereafter. This interpretation has also been confirmed by Quebec’s privacy commissioner - the Commission d’accès à l’information du Québec - in its recent PIA guidance document; see end of section 1.1.

Organizations must proactively map out their data flows and activities in order to accurately identify these continuous flows of PI, conduct cross-border PIAs and control unmitigated risks revealed by the PIAs.

4. PIA for new or updated IT systems that process personal information

Pursuant to articles 3.3 and 3.4 of the Act, organizations must also conduct a PIA in relation to the acquisition, overhaul or development of an information system or electronic delivery system involving PI. Such PIAs will need to ensure that the project in question is compliant with all other Law 25 requirements, including new requirements around transparency, consent, confidentiality by default, retention and destruction, and new privacy rights that individuals are now entitled to, including the right to request that organizations de-index or re-index their PI or cease dissemination thereof,  to submit observations about automated decisions, and to benefit from data portability (note that while PIAs need to consider portability as of September 22, 2023, the actual obligations relating to portability only enter into force on September 22, 2024).

PIAs conducted in the context of material IT implementation projects generally require significant alignment from multiple stakeholders (e.g. procurement, legal and IT). It is crucial for organizations to implement processes and training as regards such IT system implementation PIA obligations as soon as possible, if not already done.

5. Adequate privacy clauses in outsourcing agreements

Pursuant to article 18.3 of the Act, organizations may communicate PI to a service provider without obtaining prior consent, provided that the parties have concluded a contract in writing that includes a variety of privacy protections set out in the Private Sector Act (including clauses that ensure that the information is used only for performing the contracted services). Such statutory obligations may raise thorny negotiation issues, especially in relation to contracts with service providers that offer AI-powered services and solutions who may wish to use client data to “train” their models.

6. Privacy by default

Pursuant to article 9.1 of the Act, organizations that collect PI when offering technological products and services to the public are now required to have their privacy settings set to the highest level of privacy by default without any intervention of the person concerned. For example, organizations that offer mobile “apps” that contain a variety of privacy-related “toggle” options must by default set the privacy toggle to “off”. Importantly, this obligation does not apply to browser cookies.

Moreover and as mentioned above at Section 2 (Additional transparency requirements), organizations that collect PI using technology which profiles, locates or identifies an individual must inform the individual of how to activate such functionality (article 8.1 of the Act). This requirement could be interpreted as imposing privacy by default obligations on the organization with respect to such functionality. It is also possible that this requirement does apply to browser cookies (unlike the obligations set out in article 9.1).

7. Right to de-indexation or to cease dissemination

Individuals now have a right to control the dissemination of their PI by organizations subject to the Act (article 28.1 of the Act). Individuals can either request the organization cease dissemination of their PI or de-index any hyperlink providing access to the information if the dissemination contravenes the law or a court order, or causes serious harm to the reputation or privacy of an individual. Accordingly, organizations should implement processes to help them determine whether the continued dissemination of the information might result in an injury, whether that injury outweighs the public’s right to information and the freedom of expression of the publisher, and whether the remedy being requested is not excessive in terms of preventing the perpetuation of the injury. To make this assessment, the organization must consider a number of prescribed factors which include: the public status of the individual; whether the information concerns a minor; the accuracy and sensitivity of the PI, the context of its dissemination; the time elapsed since it was published; and lastly if the information is linked to criminal matters, the existence of a pardon or restriction on the access of criminal records.

8. Additional consent requirements

Consent is considered the keystone of the Private Sector Act. Subject to certain exceptions, some of which are new, organizations must obtain an individual's consent before they can collect, use and disclose their PI (article 14 of the Act). Under the current regime, only in a few limited circumstances can organizations process an individual's PI without consent.

The CAI recently released draft guidelines on valid consent. These guidelines advance the eight specific conditions which must be met in order for consent to be valid. Consent must be: clear, free, informed, specific, granular, understandable, separate, and temporary.

To read about each of these mandatory facets of valid consent in greater detail, you may also refer to our full blog post on this subject.

9. Automated decisions using personal information

New transparency and explainability requirements are also now in effect, pursuant to article 12.1 of the Act. If an organization is using PI to render decisions based exclusively on the automated processing of such PI, the organization must inform the individuals concerned that the decision was carried out exclusively through automated processing. Such notice must be provided at the same time that the individual is informed of the decision.

Individuals are now newly empowered with the right to request and receive information relating to the PI which was used to make the automated decision, along with the main parameters involved in the decision-making process. This requirement is particularly important for organizations looking to increase or incorporate the use of AI in their services and operations.

Organizations must ensure that they are operationally capable of explaining to affected individuals the reasons, principal factors, and parameters that led to each such decision. This new obligation requires coordination with an organization’s technical experts, legal department and client communications team in order to assess whether and how this explainability obligation can be met (in a readily understandable manner for your customers) without revealing trade secrets or confidential information.

10. Retention, destruction and anonymization

Once the purposes for which PI was collected or used are achieved, organizations must destroy PI, or anonymize it to use it for serious and legitimate purposes. Organizations must map out and create a current inventory their PI processing scenarios and establish retention periods with deletion protocols. This can prove to be a significant undertaking and requires ample time to complete and implement. Organizations may also plan to anonymize the data instead of deleting it; however, guidance concerning the exact requirements for anonymization is limited at the present. We know that anonymization differs from de-identification in that the process irreversibly no longer allows the person to be identified directly or indirectly. However, anonymization is subject to future regulation, the content of which is presently unknown.

Conclusion

A new era of privacy protection has entered into force in Quebec (and for all of those organizations who do business in Quebec). This new regime, brought about by Law 25, requires that meaningful steps be taken to achieve compliance. Moreover, the significant new obligations are backed by potential fines that cannot be ignored and which elevate Quebec privacy compliance to a key risk area for impacted organizations. If you have not taken concrete steps to comply with Law 25 already, the time to act is now.

To learn more about how our Cyber/Data Group can help you navigate the cyber and data landscape, please contact national co-leaders Charles Morgan and Daniel Glover.

For more details, you can also refer to McCarthy Tétrault’s Law 25 Compliance Toolkit.