Antoine Guilmain
Partner
Co-leader, National Cybersecurity & Data Protection Group
Report
The key provisions of Law 25, Québec's new privacy legislation, are scheduled to come into force in September 2023. Despite the fast-approaching deadline, many organizations – both inside and outside of Québec – remain concerned and unclear about many significant aspects of this new law.
In order to understand in detail how industry is feeling in the face of Canada's toughest privacy regime to date, Gowling WLG and IAB Canada recently surveyed over 100 organizations across various business sectors. The results revealed significant reservations and concern with respect to Law 25. Of the organizations surveyed:
Other concerns highlighted in the survey relate specifically to requirements governing data transfers and consent, as well as the implications of Law 25's sweeping "privacy by default" mandate.
"Despite Law 25 having come a long way since its introduction under Bill 64, unresolved questions of interpretation and implementation spell a challenging rollout of the legislation in September," said Antoine Guilmain, Co-Leader of Gowling WLG's national Cyber Security and Data Protection Group.
"With the survey findings top of mind – and as we await further guidance from the Commission d'accès à l'information du Québec – our first priority is to help clients understand precisely how Law 25 applies to them and, from that understanding, develop practical, cost-effective strategies for compliance."
"The results of this survey indicate a clear sense of urgency to implement appropriate and proven frameworks that will enable the industry to strike a balance between innovation in the important and growing Canadian digital advertising sector, with the protection of citizen rights to privacy," said Sonia Carreno, President of IAB Canada. "We are working with our members to help those in the digital advertising ecosystem comply with the complex requirements of this new law and the TCF Canada framework serves as an effective tool to provide enhanced transparency, meaningful consent and demonstrable accountability."
Québec's Law 25 (An Act to modernize legislative provisions as regards the protection of personal information) is the most significant privacy legislative development in Canada in decades. The vast majority of the amendments enacted by Law 25 will come into force on September 22, 2023.
For organizations operating in Québec – or that are collecting, using, or disclosing personal information of individuals located in the province – these amendments will require significant changes to privacy compliance frameworks and the way in which business is currently being conducted.
With a view to better understanding the most pressing concerns businesses have with respect to Law 25, as well as to assess their level of preparedness, Gowling WLG and IAB Canada conducted a 40-question survey. A diverse range of organizations were invited to participate, including 10 industry associations, which together represented a variety of sectors, sizes, industries and degrees of privacy sophistication. Responses were received from more than 100 organizations, headquartered both inside and outside of Canada.1
In many cases, the survey was distributed to known individual contacts – primarily those responsible for privacy compliance within their respective organizations – although the survey responses themselves were anonymous. The survey was also distributed to members of both national and Québec-based trade associations in the advertising, retail, banking, automotive, insurance, and finance industries.
The survey was open for responses from June 6, 2023 until June 30, 2023. This period overlapped with the consultation period for the draft consent guidelines published by Québec's Commission d'Accès à l'Information (CAI) between May 16, 2023 and June 25, 2023.
A. Demographics: Profile of Organizations Interested in Law 25
B. Privacy Officers
C. Concerns and Uncertainties
D. Specific Insights
The majority of organizations that responded to the survey had significant operations in Québec, with 100 or more employees in the province. However, there were also participants that were not located in Québec, as well as a small subset not currently operating in Canada, speaking to the far-reaching application, implications and interest in this law.
All private sector respondents had an obligation to comply with legislation in jurisdictions other than Québec (such as the Personal Information Protection and Electronic Documents Act (PIPEDA)). 37 per cent of respondents were required to comply with private sector privacy laws in jurisdictions outside of Canada, primarily the EU's General Data Protection Regulation (GDPR) and various US state laws.
The organizations that responded to the survey were generally well established in terms of existing privacy compliance measures. All respondents with more than a single employee had in place at least one or more formalized policies and practices in respect of privacy law compliance.
The survey was completed by one individual per organization, on behalf of their organization. These individuals represented a range of senior job titles, including legal counsel, managers, officers and executives (e.g., CEO, Vice President).
Notably, 54 per cent of survey respondents served as their organization's dedicated "Privacy Officer," as per the requirements of Law 25, despite only 26 per cent of respondents actually working in a professional privacy role. This underscores the fact that those chiefly responsible for ensuring their organization complies with Law 25 frequently have significant additional responsibilities.
Juggling these responsibilities can present a serious challenge, particularly considering the obligations Law 25 imposes on Privacy Officers – including consulting on privacy impact assessments and responding to access, rectification and deletion requests. It is not surprising, then, that many organizations' Privacy Officers do not conduct those activities personally, but rather supervise them.
The survey findings attest to this:
These numbers highlight the need for a realistic approach to implementing and enforcing Law 25 – one that accounts for the limitations and daily realities of organizations and their Privacy Officers.
Survey respondents were provided with a link to the relevant provisions of Law 25, grouped into the following categories:
Respondents were asked to review the provisions and (1) rate on a scale of 1 to 10 their level of confidence in understanding the provided provisions, with 1 being not at all confident and 10 being highly confident, and (2) identify sources of interpretive uncertainty impacting their confidence rating. For sources of uncertainty, pre-selected options were provided, but respondents were also provided an opportunity to identify further sources of uncertainty in an open field "other" option.
Law 25's "Privacy by Default" provisions were the cause of greatest interpretive uncertainty, according to the survey. 43 per cent of respondents gave their understanding of those provisions a confidence rating of 5 or below, with a mode of 4. The "Data Transfer" provisions were close behind with 40 per cent of respondents reporting a confidence rating of 5 or below.
50 per cent of respondents identified the "Data Transfer" requirements as among the most significant sources of concern for their organization with respect to Law 25.
Law 25's "Transparency and Consent" requirements followed closely behind, having been selected by 48 per cent of respondents as a source of most significant concern.
Further questions were then posed exploring the root cause of such concerns, including how they could be remedied. 54 per cent of respondents indicated a need for further interpretive guidance.
69 per cent expressed a need for clarification on the practical requirements of the statute. This was further emphasized in the open field comments provided by respondents.
However, rather than any of the specific requirements of the law, it was the cost of implementing Law 25's requirements that was most frequently identified by respondents as a major source of concern, having been selected by 54 per cent of respondents.
This indicates that, while organizations are uncertain on how to interpret certain of Law 25's provisions, substantive and practical considerations are a potentially more significant source of concern.
Approximately 60 per cent of respondents ranked their agreement with the following statements at a 5 or below:
52 per cent of respondents indicated that they lacked sufficient resources within their organization to satisfy Law 25's requirements.
Many also said that they could use more time.
Throughout their responses, respondents also expressed concern over the feasibility and cost of satisfying the substantive requirements of the law. Practical concerns included:
Some comments also indicated that the burden imposed by Law 25, in conjunction with Bill 96 (imposing French language requirements), has resulted in organizations taking steps to leave the Québec market altogether, which could have a significant negative impact on those residing in Québec.
The concerns identified above appear to be exacerbated by significant concerns among organizations regarding penalties and sanctions under Law 25. 67 per cent of respondents reported concern about the risk of penalties and sanctions against themselves or their organizations for non-compliance with Law 25. Only 15 per cent of respondents reported that they believed that the penalties and sanctions capable of being imposed under Law 25 are fair.
Specifically, for each of the primary substantive areas of concern for organizations highlighted by the survey, the survey results revealed the following insights regarding the primary sources of interpretive uncertainty.
Generally, respondents were more confident than not regarding their understanding of the requirements of Law 25 for transfers of data outside of Québec (Section 17). With 1 being not at all confident and 10 being highly confident, 60 per cent of respondents ranked their confidence in their understanding of the data transfer requirements at 6 or above.
This suggests that the reported high level of concern among organizations regarding Law 25's data transfer requirements relates to issues other than basic understanding.
In particular, 35 per cent of respondents expressed it would not be feasible for their organization to conduct a data transfer impact assessment (i.e., privacy impact assessment focused on data transfer) for all transfers and all jurisdictions to which data is transferred. Currently, only 19 per cent conduct the soon-to-be required assessments, although 42 per cent said it would be feasible to do so.
However, despite respondents' reported level of confidence in interpreting the data transfer requirements, when respondents were asked to identify remaining sources of uncertainty impacting their confidence rating, the following were the most prevalently reported sources:
Respondents reported concerns with Law 25's consent requirements, but the majority of respondents were fairly confident in their understanding of the legislation's consent and transparency provisions. This suggests that the high level of concern over Law 25's consent requirements has mostly to do with uncertainty regarding the practical implementation of the requirements, as opposed to interpretive ambiguity. However, interpretive uncertainties still remain with respect to the consent and transparency provisions.
With 1 being not at all confident and 10 being highly confident, 75 per cent of respondents rated their confidence in their understanding of the consent and transparency requirements at 6 or above, with a mode of 8. Of the various Law 25 elements that the survey identified, this resulted in the highest interpretive confidence rating. Such confidence may be, in part, related to the release of the draft consent guidelines from the CAI. It may also be related to the fact that 38 per cent of respondents interpret the consent requirements of Law 25 to be equivalent to those under PIPEDA.
Whatever the reason, it places the focus on organizations' practical concerns. In open field comments, organizations expressed that Law 25's express consent requirements will likely cause major consent fatigue for individuals. Additionally, the consent and transparency requirements of Law 25 have a high degree of interface with, and are informed by, Law 25's other provisions, including those regarding privacy by default, and those applicable to confidentiality incidents, profiling and cookies. Despite a greater reported level of interpretive confidence in understanding the consent provisions, the higher level of interpretive uncertainty remaining as to these intersecting requirements is a key source of organizational concern. Further practical guidance on how different types of consent should be collected – particularly in the context of profiling, tracking, and cookies – was requested.
Nonetheless, uncertainties remain with respect to the interpretation of the consent and transparency provisions (Sections 8, 8.3, 12, 14). When respondents were asked to identify remaining sources of uncertainty impacting their confidence rating, the following were the most prevalently reported sources:
Description | Percent |
---|---|
Uncertainty regarding what would constitute "reasonable measures" to limit the risk of someone identifying an individual using de-identified information. | 62% |
Uncertainty regarding when personal information is "clearly used for the benefit" of a person, such that it may be used for a purpose without consent. | 47% |
Uncertainty regarding what may constitute a "direct and relevant connection" between purposes, such that a purpose would be considered consistent with the purposes for which it was collected, and therefore used without consent. | 43% |
Uncertainty regarding each of the following: | 42% |
Uncertainty regarding each of the following: | 40% |
Uncertainty regarding when a use may be "necessary" for a particular purpose (e.g., preventing and detecting fraud, providing or delivering a product or service, research purposes, etc.) | 36% |
Uncertainty regarding what may be considered "clear and simple language" with respect to requests for consent. | 34% |
Uncertainty regarding when personal information may be considered "sensitive." | 32% |
33 per cent (one third) of respondents provide services, and 36 per cent sell products. One self-identified Crown corporation and 5 non-profit organizations also responded. Not all organizations that responded were directly subject to private sector privacy legislation.
Most organizations surveyed currently operate in Québec. However, there were organizations that participated in the survey that were not located in Québec, and a small subset not currently operating in Canada, demonstrating national and international awareness and concern:
The majority of respondents were in the Advertising or Advertising Technology sectors (32 per cent), closely followed by the Finance and Insurance sectors (26 per cent).
The survey was completed by one individual on behalf of their organization. The individuals that completed the survey held a range of roles in their organization:
Responses were received from several public sector organizations who indicated that they were not required to comply with private-sector privacy laws. All private sector respondents indicated an obligation to comply with legislation in place in jurisdictions other than Québec.
Prior to Law 25, which of the following policies did your organization have in place, either independently or as part of one or more larger policies?
Surveyed organizations were generally fairly sophisticated in terms of existing privacy compliance measures. All respondents with more than a single employee had in place at least one or more existing formalized policies and practices in respect of privacy law compliance. 92 per cent of respondents had in place an external privacy policy. The same percentage had in place policies regarding at least two distinct data protection elements (i.e., collection, use and disclosure, cyber security incident response, and/or individual correction or complaint response).
There was a high level of awareness regarding Law 25 and its requirements among surveyed organizations. With 1 being strong disagreement, and 10 being strong agreement as to their level of awareness:
81 per cent of respondents rated their awareness of the new privacy rights that Law 25 will implement at between 6-10.
75 per cent of respondents rated their awareness of when each of the requirements of Law 25 come into force, and awareness of the penalties and sanctions that may be imposed under Law 25 at between 6-10.
Organizations are generally confident in their ability to comply with the requirements of Law 25; however, they do not agree that they have sufficient resources and personnel to do so in the time that has been provided.
With 10 being strong agreement and 1 being strong disagreement, 70 per cent of respondents ranked their agreement with the statement "I am confident in my organization's ability to comply with the requirements of Law 25" at a 6 or above, with a mode of 8.
60 per cent of respondents ranked their agreement with the following statements at a 5 or below:
While many organizations have a plan in place to achieve compliance prior to September 22, 2023, this is not the case across the board:
A majority of surveyed organizations (70 per cent) indicated that, to the extent that they are not yet compliant with all requirements of Law 25, this is because of a lack of clarity in the statute on the practical requirements to be implemented in order to comply with the provisions of Law 25. More than 50 per cent of respondents also attribute it to a lack of official guidance to assist with interpretation, and to insufficient resources.
The primary concerns of organizations regarding the requirements of Law 25 were:
Note that the timing for this survey aligned with the consultation period for the consent guidelines conducted by the CAI.
Costs of implementation and the requirements in the law regarding cross-border data transfers are the clear frontrunners for areas of most significant concern for organizations with respect to Law 25, having been selected by 54 per cent and 50 per cent of respondents respectively. Consent is close behind, having been selected by 48 per cent of respondents as an area of most significant concern.
When asked to select which additional measures or resources would be most helpful in increasing organizational confidence regarding compliance with Law 25, an extension of the period prior to coming into force of the new provisions was the clear frontrunner. It was selected by 52 per cent of respondents. An extension of the period prior to coming into force was preferred over an enforcement grace period following September 22, 2023 during which penalties and sanctions would not be imposed. This was selected by only 9 per cent of respondents as most helpful for their organization.
20 per cent of respondents indicated that additional guidance from the CAI on the practical steps to be taken by organizations in order to comply with Law 25's novel requirements would be most helpful for their organization.
Finally, 17 per cent of respondents indicated that additional guidance from the CAI on the appropriate interpretation of the language of Law 25 would be most helpful for their organization.
Respondents were also provided with an opportunity to identify further resources that would be helpful, beyond that which would be most helpful. Several respondents indicated that, in addition to their primary selection, delayed enforcement would be helpful. Other respondents specifically identified:
Despite reporting concern regarding the consent requirements, generally, respondents were fairly confident regarding their understanding of the consent and transparency provisions of Law 25.
With 1 being not at all confident and 10 being highly confident, 75 per cent of respondents ranked their confidence in their understanding of the consent and transparency requirements at 6 or above, with a mode of 8.
The following were the most prevalently reported sources of uncertainty:
Other reported sources of uncertainty included: how different types of consent should be collected online (e.g., on a website); what would qualify as being "presented separately from any other information provided to the person concerned"; consent requirements for profiling; application of requirements specifically to cookies; the distinction between "implied consent" and "express consent."
There was a significant amount of reported uncertainty among organizations regarding the distinction between the relative requirements for meaningful consent under Law 25 and under PIPEDA.
25 per cent of respondents indicated that they were unsure whether the requirements for meaningful consent were the same under Law 25 as under PIPEDA. The remaining respondents were split near evenly between interpreting the requirements as being the same (38 per cent) and being different (37 per cent).
Generally, respondents were more confident than not regarding their understanding of the automated decision making and profiling requirements of Law 25.
With 1 being not at all confident and 10 being highly confident, 62 per cent of respondents ranked their confidence in their understanding of the automated decision making and profiling requirements at 6 or above.
Of the respondents that indicated they used automated decision making processes, only 17 per cent stated that it would be feasible for their organization to notify individuals of all decisions made exclusively using automated processing. By contrast, 69 per cent indicated it would be feasible to notify individuals of those decisions based exclusively on automated processing that would have a material, direct or significant impact on an individual or their rights. 9 per cent indicated neither would be feasible, and 6 per cent indicated they were uncertain as a result of a lack of clarity regarding the requirements of the law.
The following were the most prevalently reported sources of uncertainty:
Generally, respondents were more confident than not regarding their understanding of the requirements of Law 25 for transfers of data outside of Québec.
With 1 being not at all confident and 10 being highly confident, 60 per cent of respondents ranked their confidence in their understanding of the data transfer requirements at 6 or above.
Generally, respondents were fairly confident regarding their understanding of the privacy impact assessment provisions of Law 25.
With 1 being not at all confident and 10 being highly confident, 68 per cent of respondents ranked their confidence in their understanding of the privacy impact assessment requirements at 6 or above.
The following were the most prevalently reported sources of uncertainty:
Respondents were divided regarding their confidence in their understanding of the privacy by default requirements of Law 25.
With 1 being not at all confident and 10 being highly confident, 57 per cent of respondents ranked their confidence in their understanding of the privacy by default requirements at 6 or above.
More than 50 per cent of respondents were not confident that implementing the privacy by default requirements would be feasible for their organization.
30 per cent of respondents were unsure whether it would be feasible for their organization to make the highest level of confidentiality the default for all privacy settings. 22 per cent reported that it would not be feasible.
Generally, respondents were fairly confident regarding their understanding of the confidentiality incident reporting requirements of Law 25. These requirements came into force in September 2022, likely resulting in increased familiarity with the requirements.
With 1 being not at all confident and 10 being highly confident, 72 per cent of respondents ranked their confidence in their understanding of the confidentiality incident reporting requirements at 6 or above.
Several respondents also indicated uncertainty regarding when use of personal information without authorization would constitute a confidentiality incident, and referred to example 16.2 of the CAI's draft consent guidelines as adding further ambiguity.
Respondents were fairly uncertain regarding the distinction between reporting standards under Law 25, where an incident presents a risk of serious injury, and under PIPEDA, where an incident presents a real risk of serious harm. 52 per cent of respondents rated their confidence in their understanding at a 5 or below, with a mode of 5.
70 per cent of respondents reported that it was a source of concern that the names of organizations that report confidentiality incidents to the CAI may be published.
15 per cent of respondents reported that they believed that the penalties and sanctions capable of being imposed under Law 25 are fair.
67 per cent of respondents reported concern about the risk of penalties and sanctions against themselves or their organizations for non-compliance with Law 25.
61 per cent of respondents reported a lack of confidence in their understanding of the circumstances in which monetary administrative penalties may be imposed under Law 25, as opposed to circumstances where penal proceedings may be brought. With 1 being not at all confident to 10 being highly confident, only 39 per cent reported a confidence level of 6 or higher.
Finally, respondents were provided with an opportunity to provide additional comments regarding Law 25 and their organization's concerns. In addition to repeating requests for guidance in each of the above identified areas, organizations expressed that:
Organizations also expressed a desire for Québec to align its framework with the future federal framework to be adopted (i.e., Bill C-27).
Gowling WLG provides clients with world-class legal acumen and multi-jurisdictional support in key global sectors, including technology, manufacturing, banking and finance, capital markets, infrastructure, and the life sciences. We are also home to one of the world's premier intellectual property practices, and a full suite of business law and dispute resolution services.
With more than 1,500 legal professionals around the world, we provide our clients with in-depth knowledge in key global sectors and a suite of legal services at home and abroad.
We see the world through our clients' eyes, and collaborate across countries, offices, service areas and sectors to help them succeed, no matter how challenging the circumstances. Our on-the-ground presence in Canada, the UK, Continental Europe, the Middle East and Asia means that we are able to provide our clients with the full-service legal support they need to succeed – at home and around the world.
Comprised of leading privacy and data protection professionals, our team deploys our vast experience to create effective and valuable solutions for our clients. We provide practical advice and resources to help clients assess legal and strategic business implications across a broad spectrum of privacy and data protection matters, including Law 25. Our team of dedicated Gowling WLG professionals includes those who have held positions as senior political staff, held senior government positions or have contributed to the development of policy, legislative and regulatory regimes. This experience helps us ensure that our clients understand every aspect of the Parliamentary process and can engage fully in the policy conversation.
The Interactive Advertising Bureau of Canada (IAB Canada) is the national voice and thought leader of the Canadian interactive marketing and advertising industry. We are the only trade association exclusively dedicated to the development and promotion of the digital marketing and advertising sector in Canada. As a not-for-profit association, IAB Canada represents over 250 of Canada's most well-known and respected advertisers, ad agencies, media companies, service providers, educational institutions, and government bodies. Our members represent a diverse range of stakeholders in the rapidly growing Canadian digital marketing and advertising sector and include small and medium sized enterprises.
As the only organization fully dedicated to the development and promotion of digital/interactive advertising in Canada, IAB Canada works with its members to:
Conduct original, Canadian digital/interactive research;
Establish and promote digital/interactive advertising standards & best practices;
IAB Canada is an independently organized and operated organization, and is neither owned, controlled nor operated by any other Interactive Advertising Bureau, Inc. and all trademarks and names are used under license. IAB Canada and global IABs work together closely on major projects and endeavours, but each country requires individual memberships. For more information visit www.iabcanada.com
1 All questions in the survey were optional to complete. Not all organizations surveyed responded to all questions. Unless otherwise stated, the percentages reported below were calculated based on the total number of responses received for each question, rather than the total number of survey respondents. The sample sizes for each question ranged from 87 to 46.