Law 25 – What do you need to know about the Bill as enacted and when it enters into force?

Vanessa Deschênes, Élisabeth Lesage-Bigras and Patrick Laverty-Lavoie [I]
Lawyers, Patent and Trademark Agents

On September 22, 2021, the National Assembly enacted Bill 64, An Act to modernize legislative provisions as regards the Protection of Personal information (“Bill 64”); the bill had been introduced on June 12, 2020, to modernize legislation including the Act respecting the protection of personal information in the private sector (“APPIPS”). The purpose of this modernization was to establish a stricter regime, particularly in response to privacy breaches that had received widespread media attention in recent years, and to align Québec law with the higher standards established by the General Data Protection Regulation (“GDPR”) in Europe. In more concrete terms, the practical impact of this reform (“Law 25”) will be spread over three years, as it gradually enters into force, the first deadline being September 22, 2022.

For more information about Bill 64, please consult our bulletin: “Bill 64—How Will Modernizing the Legislative Provisions on the Protection of Personal Information Affect your Company?”.

I. Provisions entered into force as of September 22, 2022

1. Appointment of a Privacy Officer

One of the first obligations to come into force in 2022 concerns the appointment of a person responsible for the protection of personal information. New section 3.1 of the APPIPS specifies that any enterprise that stores personal information is responsible for protecting it[1]. The privacy officer is, ex officio, the person “exercising the highest authority”[2] within the enterprise, unless that person delegates all or part of their duties in writing to another person. While Bill 64 only allowed for internal delegation, the final version enacted allows an enterprise to delegate to “any person,” thus making it possible for this responsibility to be outsourced.

What does this mean for the enterprise? If you have done business in the past in other Canadian provinces, there is a strong chance that your enterprise already has a person designated to deal with privacy issues, since that requirement already exists in federal legislation and in the provincial legislation of Alberta and British Columbia. Otherwise, you will have to appoint a person to be responsible for ensuring compliance with the enterprise’s obligations and for instituting various practices and policies governing the management and protection of personal information, but you will also have to publish the person’s title and contact information on your enterprise’s website or, if you do not have a website, make them “available by any other appropriate means”[3]. It is important to note that the person must be directly involved in the various activities of the enterprise that have an impact on personal information. For example, the new section 3.7 states that the person responsible for the protection of personal information must be consulted when the enterprise does the assessment of the risk of serious injury from a confidentiality incident. If you already have a designated person, it will therefore be important to ensure that you review that individual’s roles and responsibilities, as well as those of other key actors in your organization.

2. Confidentiality Incident Management Program

As is already the case in Alberta and under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), Law 25 establishes a new notification regime for confidentiality incidents involving personal information if certain criteria are met. “Confidentiality incident” means access to or use or release of personal information not authorized by law, loss of personal information, or any other breach in the protection of such information.

The criteria to be considered in determining whether there is an obligation to notify obviously include the presence of personal information and the risk of “serious injury” from such an incident. If the incident relates to personal information and presents a risk of serious injury, the enterprise must notify the Commission d’accès à l’information (“CAI”) and the affected individual.

It is important to note that the federal and Alberta statutes use the expression “real risk of significant harm” rather than “risk of serious injury.” Note that the new proposed privacy incident regulations, published in the Official Gazette on June 22, 2022[4], do not define the term or provide specific guidance on assessing “risk of serious harm.” It will therefore be interesting to follow how this new provision is applied, particularly through decisions or orders of the Commission d’accès à l’information, in order to identify distinctions between the two formulations when risk is assessed.

What does this mean for the enterprise? In more concrete terms, an organization subject to PIPEDA should already have mechanisms in place to meet this new requirement. The proposed additions concerning the obligation to notify, to maintain a registry, and the involvement of the person responsible for the protection of personal information are very similar to the provisions that were introduced into the federal Act in 2018.

Otherwise, if your enterprise has not yet complied with PIPEDA, you must create a registry of incidents and internal procedures, not only for dealing with the incident, but also in order to develop criteria for determining the cases in which notification is required.

In all cases, the person in charge of the protection of personal information must work closely with the person responsible for information security in your enterprise to ensure that internal processes are consistent. There is a very good chance that your information security teams already have security incident registries or action plans to be followed when an incident occurs.

II. Provisions Entering Into Force September 22, 2023

3. Implementation of Administrative and Criminal Penalties

The new administrative and criminal penalties will officially enter into force in 2023. This is probably one of the most drastic changes made by the reform, and enterprises that do not comply with the protection of privacy provisions may be subject to heavy administrative and criminal penalties. Administrative fines may now be as high as $10 million or 2% of the enterprise’s worldwide income, whichever is greater[5]. In criminal matters, the fines provided are even higher, and an enterprise could be forced to pay between $15,000 and $25 million or 4% of its worldwide income, whichever is greater[6].

Section 93.1 of the APPIPS also provides that an enterprise that violates the Civil Code of Québec in relation to privacy, whether intentionally or by what is referred to as gross negligence, could be ordered to pay punitive damages of at least $1,000[7].

It should be noted that in the case of monetary administrative penalties, the amendments brought by Law 25 will allow a person (including a legal person) to admit a violation of the law and to undertake to the CAI to take the necessary measures to “remedy the failure or mitigate its consequences.” In that situation, if the CAI accepts the enterprise’s undertaking, no monetary administrative penalty may be imposed on the enterprise for the acts or omissions described in the undertaking. This is reminiscent of compliance agreements under PIPEDA, which were introduced in 2014 by Bill S-4, in the most recent reform of that Act.

What does this mean for the enterprise? The heavy penalties created by the new regime call for compliance with privacy legislation to become a priority for all companies operating in Québec. In more concrete terms, it might be wise to review your enterprise’s risk assessments, since they could potentially have an impact on your insurance, or at least on the amount of insurance coverage you want to obtain. Companies will therefore have until September 22, 2023 to comply with the new law and adjust before they risk being subject to these penalties.

4. Obligation to Adopt Policies Governing Personal Information Protection

As we have stated in our previous articles[8], one of the important aspects of this reform relates to the need for an enterprise to adopt robust privacy practices and policies, and thus establish a governance framework that meets the best standards. We would note that section 3.2 of the APPIPS requires that policies dealing with the storing and destruction of personal information, the process for dealing with complaints, and the roles and responsibilities of employees regarding the governance of personal information held by the enterprise, in particular, be adopted[9]. Contrary to what was initially provided in Bill 64, the bill as enacted does not require that the policies and practices be published on the websites of companies, and rather refers to the need for the enterprise to publish “detailed information about these policies and practices.”

What does this mean for the enterprise? In addition to being approved by the person in charge of the protection of personal information, each enterprise’s personal information protection policies must be “proportionate to the nature and scope of the enterprise’s activities”[10]. Companies must also publish certain information on their website regarding these policies and practices, in what are called “clear and simple” terms by section 3.2, paragraph 1 of the APPIPS[11]. If an enterprise has no website, it must make this information available by any other appropriate means[12].

5. Obligation of Transparency and Information

As we observed earlier, companies will be required to publish detailed information on their websites regarding certain policies and practices, as well as a privacy notice[13]. However, that information is not all that must be provided to individuals.

The noteworthy amendments and sub-amendments to Law 25 include that it is now necessary for an enterprise to disclose, where applicable, “the name of the third party for whom the information is being collected, the names of the third persons or categories of third parties to whom it is necessary to disclose the personal information for the purposes in question […] and the possibility that the information could be communicated outside Québec.”[14]

What does this mean for the enterprise? In more concrete terms, companies will undoubtedly want to make some adjustments to their present privacy notice to reflect these new obligations. However, it must be noted that in some cases, it might be very difficult to put all of this into practice, if only because the teams that have this information do not interact. For example, if your IT teams decide to use a new service provider, which hosts data in a new jurisdiction, how will the team responsible for your website and for updating your privacy notice be informed? The reality is that you will undoubtedly have to do an assessment of privacy-related factors and will ordinarily have already identified the need to update. However, this example is a good illustration of how the legislation and compliance within your enterprise may be worlds apart.

6. Obligation to Do an Assessment of Privacy-Related Factors

As we said in our previous publication, the new regime will require that companies conduct assessments of privacy-related factors. Under section 3.3 of the APPIPS (as amended in committee), an assessment must be done with any new planned “electronic service delivery system involving the collection, use, release, keeping or destruction of personal information.”[15]

The assessment, which is to be completed before the project begins and under the supervision of the person responsible for the protection of personal information, may be “proportionate to the sensitivity of the information in question, the purposes for which it is to be used, the quantity of information, and the medium.”[16]

What does this mean for the enterprise? This assessment must be completed for any new project that falls into the categories set out in this section. In more concrete terms, this means that processes and procedures will have to be put in place in your organization to ensure, and show, that an analysis has been done and that the person in the organization appointed to be responsible for personal information protection is consulted from the start of the project so that they are able to step in at any time to suggest appropriate measures. It is also important to note that section 3.4 of the APPIPS allows the person responsible for the protection of personal information to implement certain protection measures that apply to projects at any stage of their development[17].

7. New Requirements Regarding Consent

Law 25 also makes a number of changes regarding consent and reiterates the legislature’s intention to make consent a fundamental principle. First, it will now be important to ensure that personal information of a child under the age of 14 is not collected or otherwise used, except with the consent of the holders of parental authority or of their guardians[18].

The new regime seems to allow for the use of implied consent in certain circumstances. Section 8.3 of the APPIPS provides that once users provide their information in accordance with section 8 of the APPIPS (see Section 4 of this publication), they “[consent] to its use for the purposes referred [to]”[19] in the policies adopted by the enterprise. However, it should be noted that an enterprise cannot simply rely on implied consent when the information in question is considered “sensitive” information[20].

Despite the industry’s many concerns about requesting a consent that is separate from any other information where the request is made in writing,[21] it is important to point out that this requirement has been present since the first draft of Bill 64, and has remained unchanged, and will therefore have to be given effect by companies.

Section 12 of the APPIPS provides that personal information may not be used within an enterprise for purposes other than those for which it was collected, unless the user consents[22]. However, the enterprise may use that information “for other purposes,” in some cases without the user’s consent[23].

What does this mean for the enterprise? In more concrete terms, in addition to the theoretical considerations, these changes require companies to adjust. They must not only ensure that their systems allow the right consents to be collected from the right people (that is, guardians, children over 14 years of age, or holders of parental authority), but they must potentially also ensure that implied consent or sharing of personal information without users’ consent takes place legally. A review of the relevant internal practices is therefore strongly recommended.

8. Strengthening of Requirements Regarding Cross-Border Transfers of Personal Information

Law 25 brings about major changes in relation to cross-border transfers of personal information. In fact, the new section 17 of the APPIPS requires that enterprises conduct an assessment of privacy-related factors before disseminating any personal information outside the province[24]. Once the assessment has been completed, the information may be communicated only if the results show that the information “would receive adequate protection, in particular having regard to generally recognized principles of personal information protection.”[25]

It is also important to note that Bill 64 as it was introduced in June 2020 provided that such transfers could take place only if the territory in question offered an equivalent level of protection. Due to the numerous concerns expressed by enterprises, the final version adopted refers instead to what it calls “adequate” protection, which is similar, in fact, to the terms used in the GDPR regarding the generally recognized principles of privacy protection.

What does this mean for the enterprise? Any communication of personal information outside the province must be analyzed by doing an assessment of the privacy-related factors and be documented in an agreement in writing setting out, among other things, the terms and conditions that apply in order to “mitigate the risks identified in the assessment.”[26] It is important to note that if the enterprise retains a subcontractor located outside Québec to collect, communicate or keep personal information on its behalf, the subcontractor is subject to the same obligations, referred to above[27].

9. Right to De‑Indexation

In addition to the rights of access and rectification that are already included in APPIPS, Law 25 introduces a new right to de‑indexation, re‑indexation and cessation of dissemination. Section 28.1 of the APPIPS will come into force September 22, 2023.

The right to de‑indexation is the first of its kind in Québec and shares similarities with the “right to be forgotten,” provided in the GDPR[28]. The right to de‑indexation allows an affected individual to require, when the dissemination of personal information contravenes a law or a court order, that an enterprise cease disseminating that personal information or de‑index any hyperlink attached to the person’s name that provides access to the information by a technological means[29]. In addition, a person may make a request to an enterprise for de‑indexation where “(1) the dissemination of the information causes the affected individual serious injury in relation to their right to the respect of their reputation or privacy; (2) the injury is clearly greater than the interest of the public in knowing the information or the interest of any person in expressing themselves freely; and (3) the cessation of dissemination, re-indexation or de-indexation requested does not exceed what is necessary for preventing the perpetuation of the injury.”[30] In practice, rather than providing for erasure of the content that is searched for online, this new right provides for erasure of the search result that links to that content. Similarly, Law 25 also gives the affected individual the right to require re‑indexation in the same circumstances as where the person may require that dissemination cease or that hyperlinks be de‑indexed.

What does this mean for the enterprise? In concrete terms, commencing when section 28.1 enters into force, enterprises will have to receive, process and respond to requests arising from this right to de‑indexation, re‑indexation and cessation of dissemination. Accordingly, sections 30, 32, and 34 of the APPIPS, which apply to the exercise of the right discussed above, with the necessary modifications, set out the conditions to be met by the affected individuals in submitting requests and for responses to those requests[31]. Under section 32 of the APPIPS, the person responsible for the protection of personal information in the enterprise must reply in writing to the request, promptly and no later than 30 days after the request is received. When the enterprise agrees to the request, the person responsible for the protection of personal information must also attest, in their written response, that dissemination of the personal information has ceased or that the hyperlink has been de‑indexed or re‑indexed[32]. In light of the foregoing, it would be wise for companies to establish internal procedures to ensure that requests made to them under the right to de‑indexation are dealt with properly.

III. Provisions entering into force September 22, 2024

10. Adoption of a Right to Data Portability

By adding section 27 to the APPIPS, Law 25 introduces a right to data portability, which will come into force September 22, 2023. The new right to data portability, which may be interpreted as an extension of the right of access that exists under the provisions of APPIPS currently in force, allows affected individuals to request that computerized personal information be communicated to them, “in the form of a written and intelligible transcript.”[33] That information is communicated “in a structured, commonly used technological format,” where this does not raise “serious difficulties” and the personal information was collected from the affected individual, as opposed to information created or inferred from personal information concerning the person[34]. Section 27 provides: “Every person carrying on an enterprise which stores the personal information of another person must, at the request of the affected individual, confirm the existence of the personal information, communicate it to the individual and allow them to obtain a copy of it.”[35] Section 27 further provides: “The information must also be communicated, at the applicant’s request, to any person or body authorized by law to collect such information.”[36] This means that persons who submit a request to an enterprise for access may require, based on the right to portability, that the personal information be communicated, at their request, to any authorized person or body. Such communication will therefore allow for enhanced portability of individuals’ personal information.

What does this mean for the enterprise? In practice, enterprises will have to receive, process and respond to requests for communication made under the right to portability. Since the Québec legislature has provided a format to be used for communicating computerized personal information, we believe that companies should consider offering their employees structured training, in particular so they are better equipped to respond properly, in the appropriate format, to requests made under the right to portability. Ideally, the training should be conducted alongside the development and implementation of appropriate procedures and practices relating to access rights, in accordance with the APPIPS and the new provisions that will apply when Law 25 comes into force.

The changes brought about by this reform are certainly major ones and will call for some updating of most companies’ internal practices. However, the fact that the reform will not come into force all at once will allow companies to benefit from a transition period. This means that they will have an opportunity to make the internal changes that are needed for compliance gradually. If you wish to be accompanied in the enhancement of your privacy practices, our Data Protection, Privacy and Cybersecurity Group is at your service!

[4] Projet de règlement sur les incidents de confidentialité, June 29, 2022, Gazette officielle du Québec, Part 2, pp. 3935 et seq.