Law 25 represents a milestone for provincial privacy legislation. It marks a complete overhaul of Quebec’s privacy regime, strengthening privacy rights for individuals and updating organisational requirements. 

In this guide, we provide essential information to help support your journey towards achieving and maintaining compliance. We explain which organizations Law 25 affects and detail what each stage of its provisions include. 

What is Quebec’s Law 25?

Law 25 introduces several key concepts to modernize data protection practices in Quebec and strengthen privacy rights for individuals.

The legislation has been brought into effect in stages, over a three-year period, which has allowed organizations to adapt gradually to the new privacy requirements. By September 2024 organizations should ensure all provisions are fully implemented. 

Fines for non-compliance can range between CA$15,000 and CA$25,000,000 or 4% of worldwide turnover for the previous year, whichever is greater. 

Who does Law 25 apply to?

Law 25 applies to all businesses, including non-profits, operating in Quebec that collect, process, use or disclose the data of Quebec residents, regardless of size, revenue or location of the business. 

Quebec’s Law 25: A guide to support privacy compliance

Law 25 imposes a range of obligations on businesses, with the aim of striking a balance between privacy protection, individual rights, and business accountability. 

To ensure compliance with the new regulations, you should complete a gap analysis of your current privacy programs. This will identify any required updates that need to be made to policies, procedures and data handling practices. 

If you are operating within the province of Quebec and process personal data, these are the important aspects you should already have in place or need to address by September 22, 2024: 

Appoint a Data Privacy Officer 

The Data Privacy Officer role shares a similarity with the EU’s requirement for a Data Protection Officer (DPO). However, unlike the GDPR, the Privacy Officer role defaults to the highest-ranking individual in an organization, if one is not otherwise appointed. 

Many organizations may not be aware of the defaulting nature of the Privacy Officer role. Where a Privacy Officer is not explicitly appointed, the responsibility falls to the CEO or MD.  

What you need to do: It is crucial for organizations of any size or industry sector to recognize the importance of this role. A Privacy Officer should have the expertise and specialist knowledge to ensure compliance with privacy laws and understand the complexities of global data protection legislation. 

• Appoint an in-house Privacy Officer or outsource to an external professional 

For a comparison between in-house and outsourced options, see this link to download our infographic:

The infographic covers these important considerations for choosing between an in-house or outsourced Privacy Officer:

• Speed to hire,
• Scalability
• Experience and expertise
• Risk management
• Annual investment

Breach reporting  

Organizations must ensure that breach management processes are in place. Data breaches must be reported to the Commission d’accès à l’information (CAI) and all affected individuals as soon as possible. 

What you need to do: Create and test a data breach response protocol. When identifying a potential data breach, you must assess whether an incident poses a “risk of serious injury” based on information sensitivity, anticipated consequences and likelihood of harmful use. 

Your data breach response protocol should include: 

• Employee roles and responsibilities 
• Workflows 
• Template breach reporting document 

Biometrics disclosure 

Biometric data collection includes physical features such as fingerprints, facial features and iris patterns. 

What you need to do:  

• Express consent requirements – Obtain express consent from individuals and ensure it is specific to the purpose of collecting and using biometrics 
• Disclosure requirements – Inform the Commission d’acc`es ““““`a l’information du Québec (CAI) of your intention to use biometric processes at least 60 days before implementing the biometric system 
• Privacy by Design – Implement privacy-enhancing measures when handling biometric data and consider Privacy Impact Assessments (PIAs) to mitigate any potential harms 

Privacy Policy 

All organizations operating in Quebec must have a comprehensive Privacy Policy that outlines data handling practices. 

What you need to do: Create a Privacy Policy to include these important details: 

• Purpose – Clearly state the purpose of your privacy policy and outline how your organization collects, uses, discloses and protects personal information 
• Scope – Specify that the policy applies to all individuals whose data you process 
• Type of information – For example names, addresses, credit card numbers 
• Security measures – For example, encryption, access controls, regular audits, and employee training 
• Third parties and sharing – Explain the purpose of any such sharing and ensure transparency 
• Individual rights – Inform individuals of their rights and provide instructions on how they can exercise these rights 
• Contact information – For inquiries, requests and complaints related to privacy, include details of the designated Data Privacy Officer 
• Updates and accessibility – Commit to keeping the Privacy Policy up to date and ensure it is easily accessible and in a prominent place on your website 

Privacy Impact Assessment (PIA) 

A PIA is a systematic process to evaluate the impact of data processing activities on individuals’ privacy rights 

What you need to do: 

Under Law 25, organizations must conduct a Privacy Impact Assessment (PIA) for: 

• High risk data processing activities (e.g., large-scale data collection, profiling, biometrics) 
• Data transfers to other provinces, third countries, or international organizations 
• Implementation of new technologies (e.g., AI, IoT, facial recognition) 

Cross-border transfers 

These are transfers that involve moving personal data from Quebec to another jurisdiction outside Canada (or to another province). 

What you need to do: 

• Inform individuals about cross-border transfers in your Privacy Policy 
• Undertake a PIA (see details in the section above) 
• Enact contractual safeguards to ensure adequate protection in the jurisdiction of transfer 

Enhanced Consent 

Law 25 sets stricter rules for acquiring permission before using people’s personal information. Organizations must obtain explicit opt-in consent before collecting, storing, processing, and sharing personal information. Additionally, for children under 14, you will need the parent’s permission first. 

What you need to do:  

• Provide comprehensive information about why and how their data will be used 
• Ensure the consent request is prominant and stands out from general terms and conditions 
• Use clear and concise language with an opt-in requirement 
• Inform individuals of their right to withdraw consent at any time 
• List any non-Quebec third parties that you are sharing the personal information with 
• Maintain documentation of how and when consent was given 

Data minimization 

Law 25 emphasises the importance of collecting only the essential data for the intended purpose. Organizations must avoid excessive data collection and retain only relevant information. 

What you need to do: 

• Clearly define the purpose for which the data will be used in your privacy policy 
• Then only collect the minimum amount of data required to achieve that purpose  
• Define clear retention periods for different types of data 

Subject rights 

These rights came into effect September 2023, with the right to data portability effective in September 2024 (see below section). 

Subject rights include: 

• Right to be informed 
• Right to access 
• Right to rectification 
• Right to erasure 
• Right to withdraw consent 
• Right to restrict processing 
• Right to data portability 

What you need to do: 

• Ensure individuals are informed about your data practices 
• Privacy Officers should respond promptly to any access requests, within 30 days, and provide the relevant details (with redactions, as necessary) 

Data portability rights – comes into effect September 2024 

With this specific area of Law 25, individuals have the right to have their personal data seamlessly transitioned between service providers. 

What this means is that you are obliged to provide the requested information in a specified format. 

What you need to do: 

• You must provide the individual’s personal data in a structured, commonly used, and machine-readable format 
• Share the requested information with any authorized person or organization 

Summary 

The final stage of Quebec’s Law 25 comes into effect on September 22, 2024. 

Organizations operating within the province of Quebec must implement the necessary operational and procedural changes by that date to ensure compliance with the new regulations. 

We covered the key aspects of Law 25 in the above sections, but these are the main elements to consider: 

• All organizations must have a Privacy Officer in place 
• If you don’t specify a Privacy Officer, the CEO/MD will be automatically assigned 
• Complete a Privacy Impact Assessment (PIA) for all data transfers and new technologies 
• Implement a robust breach notification protocol with workflows and reporting documents 

The DPO Centre Canada 

From our offices in Toronto, Ontario, The DPO Centre Canada provides outsourced Canadian Privacy Officers to organizations operating across Quebec and other provinces.  

If you would like to discuss how our range of specialist services can support your organization’s privacy governance, please contact The DPO Centre Canada. 

The post Quebec’s Law 25: A guide to support privacy compliance appeared first on DPO Centre.

With the increasing complexity of global privacy legislation, it is vital for organisations to have the appropriate safeguards in place for these transfers. This ensures compliance with data protection laws, mitigates the risk of a data breach, and helps to maintain the trust of customers, stakeholders, and employees. 

There are several safeguarding options, depending on the nature of the data, where the individuals are located, and where the data is being sent. 

In this blog, we take a look at the EU Standard Contractual Clauses (EU SCCs), the UK Addendum, and the UK International Data Transfer Agreement (IDTA), explaining the suitability of each mechanism for EU and UK personal data transfers and the factors to consider. 

EU Standard Contractual Clauses (EU SCCs) 

EU SCCs are one of the most commonly used data transfer mechanisms. They are popular because they have pre-approval by the European Commission and a level of assurance for compliance with the General Data Protection Regulation (GDPR). 

The European Commission published new EU SCCs on 4 June 2021, allowing organisations to use these for data transfers from the European Economic Area (EEA) to third countries from 27 June 2021. 

UK Addendum

As the UK is no longer part of the EEA, UK organisations cannot rely on the new EU SCCs. Only the old EU SCCs were valid in the UK until the Information Commissioner’s Office (ICO) introduced their own solution in the form of an Addendum, which came into force on 21 March 2022. 

The UK Addendum allows organisations to use the new EU SCCs for UK personal data transfers, ensuring compliance with both EU and UK data protection laws. A helpful solution for organisations with locations across the EU and the UK. 

The old EU SCCs expired on 27 December 2022. Any existing UK contracts have until 21 March 2024 to transition to the new EU SCCs with UK Addendum or the IDTA. 

UK International Data Transfer Agreement (IDTA) 

The International Data Transfer Agreement (IDTA) was developed by the UK’s Information Commissioner’s Office (ICO) and has been in force since 21 March 2022. It is a legal framework for transferring personal data from the UK to countries outside the European Economic Area (EEA) not covered by adequacy decisions (these are known as UK Restricted Transfers). 

The IDTA is an alternative to the EU SCCs with the UK Addendum but is only suitable for transferring personal data from the UK. 

The IDTA sets out contractual obligations for both the data exporter (in the UK) and the data importer (in the third country) to protect the privacy and rights of individuals whose data is being transferred. It includes clauses on data handling, processing, security measures, and the rights of individuals. 

Should you use EU SCCs, UK IDTA or UK Addendum? 

There are fundamental questions you should ask when choosing the most appropriate data transfer mechanism for your organisation. These include understanding the type of data being transferred, the frequency and volumes, and the countries involved. 

Here’s a helpful list of questions to consider and an overview of which mechanism to use for EU or UK data:  

• Where do the individuals reside? EU, UK or both? 
• Are there any inter-company binding rules in place? If so, further mechanisms may not be required 
• Are you transferring data to an adequate country? If yes, the transfer can proceed, following the specific adequacy decision frameworks 
• Are you making a regular transfer to a non-adequate country? If yes, see EU SCCs or UK Addendum or IDTA  

The DPO Centre can help with your international data transfer queries 

• One of the largest teams of outsourced Data Protection Officers (DPOs) available 
• GDPR EU and UK Representatives 
• Specialist Advice Line offering a rapid response to important data protection queries 
• Highly cost-effective solutions 

We have worked with over 800 clients globally across the spectrum of industry sectors, supporting their data protection compliance and bringing peace of mind. 

The post International Data Transfers: Explaining EU SCCs, UK Addendum and UK IDTA appeared first on DPO Centre.