Quebec introduced An act to modernize legislative provisions as regards the protection of personal information (known as "Law 25" or "Bill 64") on September 22, 2022. This legislation updates the framework governing personal data protection and extends its reach to various sectors, including the private sector governed by the Act respecting the protection of personal information in the private sector. The changes have far-reaching implications, affecting not only public entities but also businesses within the private sector.
Who Is Affected by Law 25?
The reach of Law 25 is extensive, encompassing both public entities and businesses. For today's discussion, we'll delve into its implications primarily for businesses operating within the private sector.
Current Regulatory Framework
Since its enactment in September 2022, Law 25 has introduced several notable requirements for organizations:
Designate a person to be responsible for the protection of personal information
Report confidentiality incidents
Respect the new guidelines regarding the communication of personal information without consent for commercial transactions (exception)
Respect the new guidelines regarding the communication of personal information for educational, research, and statistical purposes (exception)
Comply with the amendments to the biometrics provisions of the Act to establish a legal framework for information technology
Designating a Privacy Officer
Law 25 mandates that the highest-ranking individual within an enterprise becomes, by default, the privacy officer responsible for data protection. However, this role can be delegated, either partially or wholly, in writing, to another individual, whether internal or a third party.
How Your Business Can Prepare
Conduct an assessment of in-house expertise in data protection and privacy regulations.
Consider seeking external consultation or hiring a dedicated data protection officer.
Clearly define and document the roles and responsibilities of the privacy officer.
Develop a training program for the privacy officer, tailored to the specific needs of your organization.
Publish the privacy officer's details, either on the organization's website or through alternative accessible means.
Reporting Confidentiality Breaches
Law 25 necessitates that organizations take reasonable measures to mitigate the risks associated with confidentiality breaches and ensure they do not recur. Confidentiality incidents encompass: access not authorized by law to personal information; use not authorized by law of personal information; communication not authorized by law of personal information; or loss of personal information or any other breach in the protection of such information. In the event of a breach posing a risk of significant injury, affected individuals and the Commission d'accès à l'information (the “CAI”) must be promptly informed.
How Your Business Can Prepare
Establish an incident register to systematically record and track confidentiality breaches.
Dedicate individuals within your organization to be responsible for the prevention, management, and response to security incidents.
Review and update existing privacy policies, ensuring they align with the new breach reporting requirements.
Guidelines for Communicating Personal Information Without Consent
For Commercial Transactions
Law 25 permits the communication of personal information during commercial transactions, contingent upon a formal agreement that outlines key terms, including:
To use the information only for concluding the commercial transaction;
Not to communicate the information without the consent of the person concerned, unless authorized by the Act [respecting the protection of personal information in the private sector];
To take the measures required to protect the confidentiality of the information; and
To destroy the information if the commercial transaction is not concluded or if using the information is no longer necessary for concluding the transaction.
A commercial transaction involves a transfer of ownership of all or part of an enterprise (s 18.4 of Law 25).
Once the commercial transaction is concluded, the other party must, within a reasonable time, notify the person concerned that it now holds personal information concerning them because of the transaction. In this case, the other party may only use or communicate the information in accordance with the Act.
How Your Business Can Prepare
Modify existing agreement templates to incorporate the necessary clauses for communicating personal information during commercial transactions.
Consult with legal counsel to ensure that the agreements comply with the regulatory requirements.
For Educational, Research, and Statistical Purposes
Private sector organizations may share personal information for education, research, and statistical purposes, subject to conducting a privacy impact assessment (PIA) and entering into comprehensive agreements defining terms and conditions.
The privacy impact assessment must conclude that: (1) the objective of the study or research or of the production of statistics can be achieved only if the information is communicated in a form allowing the persons concerned to be identified; (2) it is unreasonable to require the person or body to obtain the consent of the persons concerned; (3) the objective of the study or research or of the production of statistics outweighs the impact of communicating and using the information on the privacy of the persons concerned; (4) the personal information is used in such a manner as to ensure confidentiality; and (5) only the necessary information is communicated.
Furthermore, the person or body who wishes to use the personal information for these purposes must: (1) request it in writing; (2) enclose the research protocol with the request; (3) state the grounds supporting the fulfillment of the criteria set out in subparagraphs 1 to 5 of the second paragraph of section 21; (4) mention all the persons and bodies to whom or which the person or body is making a similar request for the purposes of the same study or research or production of statistics; (5) if applicable, describe the different technologies that will be used to process the information; and (6) if applicable, send the documented decision of a research ethics committee relating to the study or research or the production of statistics.
Before handing over the information, the enterprise and person or body who wishes to use the personal information must enter into an agreement that stipulates, among other things, that the information:
may be made accessible only to persons who need to know it to exercise their functions and who have signed a confidentiality agreement;
may not be used for purposes other than those specified in the research protocol;
may not be cross-matched with any other information file that has not been provided for in the research protocol; and
may not be communicated, published, or otherwise distributed in a form allowing the persons concerned to be identified.
The agreement must also
specify the information that must be provided to the persons concerned if personal information concerning them is used to contact them to participate in the study or research;
provide for measures for ensuring the protection of the personal information;
determine a preservation period for the personal information;
set out the obligation to notify the person who communicates the personal information of its destruction; and
provide that the person who communicates the personal information and the Commission must be informed without delay (a) of non-compliance with any condition set out in the agreement; (b) of any failure to comply with the protection measures provided for in the agreement; and (c) of any event that could breach the confidentiality of the information.
This agreement must be sent to the Commission and comes into force 30 days after it is received by the Commission.
How Your Business Can Prepare
Develop standardized templates for privacy impact assessments.
Implement procedures to govern research initiatives, emphasizing data privacy and compliance.
Establish a process for notifying the CAI of any required disclosures.
Biometrics
Employing biometric data for identity verification mandates prior disclosure to the Commission and explicit consent from individuals. The creation of a database of biometric characteristics and measurements must be disclosed to the Commission not later than 60 days before it is brought into service. Following this disclosure, the Commission may make orders determining how the database is to be set up, used, consulted, released, and retained, and how measurements or characteristics recorded for personal identification purposes are to be archived or destroyed.
How Your Business Can Prepare
Develop a comprehensive policy governing the use of biometric systems, addressing disclosure, consent, and usage.
Review all upcoming projects to determine whether biometric data will be used.
Conduct a thorough privacy impact assessment for projects involving biometric data.
Review third-party service provider contracts and policies to determine their approach to biometric data usage.
Penalties for Non-Compliance
Bill 64 ushers in significantly enhanced penalties for non-compliance with privacy legislation. These fines now span from $15,000 to a substantial $25,000,000 CAD, or an amount equivalent to four percent of global turnover from the preceding fiscal year—whichever figure proves greater.
Stay tuned for Part 2, where we'll explore forthcoming provisions slated to take effect on September 22, 2023.
Contact us today to ensure you're well-prepared to meet the requirements of Law 25 and safeguard your data privacy practices. We are ready to assist you in achieving compliance while optimizing your data protection strategy.
This blog post is not legal advice and is for general informational purposes only. Always speak with a lawyer before acting on any of the information contained herein.