The final phase of Quebec's Law 25 came into effect on September 22, 2023. Is your business complying?
What is Law 25?
Law 25 is the latest and most significant privacy legislation development in Canada. It follows the 2021 adoption of Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, which enacted significant changes to the requirements governing the collection, use, and communication of personal information.
Law 25 requires significant changes to privacy compliance frameworks, including mandatory PIA's for the transfer of personal information outside of Québec, mandatory provisions within all outsourcing contracts, the adoption of privacy by default mechanisms for new technologies, and many other significant changes.
Who does it impact?
With some exemptions, most organizations established in Québec and/or doing business in Québec that are collecting, using, or disclosing personal information of individuals located in the province will be impacted. Even the scenario of a Québec-based customer soliciting goods and services from a foreign website – in other words, most international online shopping scenarios – is potentially covered by the new legislation and may require compliance by the foreign company.
What are the penalties for noncompliance?
Law 25 increases the fines for non-compliance with privacy legislation, with private-sector entities subject to fines ranging from $15,000 to $25,000,000 CAD, or an amount corresponding to four per cent of worldwide turnover for the preceding fiscal year (whichever is greater).
An Act to modernize legislative provisions as regards the protection of personal information (also known as "Law 25" or "Bill 64") adopted on September 22, 2021, substantially modifies the protection of personal information regime for businesses and public organizations operating in Québec.