Can Québec's Law 25 champion a more user-friendly approach to "valid consent"?

7 minute read
11 July 2023

Québec's Law 25, an Act to modernize legislative provisions as regards the protection of personal information, is the most significant privacy legislation development in Canada in decades.

This new law brings about significant changes to Québec's privacy legislation, with an emphasis on the requirements governing the collection, use and communication of personal information. Notably, these changes include the creation of new and comprehensive guidelines governing valid consent. The vast majority of the amendments enacted by Law 25 will come into effect on Sept. 22, 2023.

As part of its process of developing such valid consent guidelines, the Commission d'accès à l'information (CAI) embarked on a targeted consultation process seeking input from a cross-section of key stakeholder groups. Gowling WLG was honoured to be among a small handful of Canadian law firms invited to participate in these important consultations. This exemplifies our commitment to thought leadership in privacy law.

As part of our involvement, members of our Cyber Security and Data Protection Group submitted a brief detailing our thoughts, perspectives and recommendations on the draft guidelines. With a view to helping you understand the current direction of the CAI's guidelines, we are pleased to share our brief with you.

Our recommendations at a glance

Our recommendations to the CAI largely centre on questions of practicality, clarity and implementability. Below we highlight our feedback on some of the key provisions contained within the draft guidelines.

Precedence principle

In its draft guidelines, the CAI suggests an order of consent prioritization, with express consent being prioritized. In response to this proposal, we examined the proposed order, highlighting its lack of alignment with legal foundations and potential limitations on organizations.

Our recommendation: A more flexible approach, empowering organizations to choose the most appropriate basis for collecting, using or disclosing personal information depending on the circumstances.

Demonstrability principle

The CAI introduces a "demonstrability principle" in the draft guidelines, requiring organizations to demonstrate compliance with statutory obligations. However, in our brief, we raise concerns about the practical implementation of this principle, citing difficulties in documenting obtained consent, the validity of consent, and the status of the person giving consent.

Our recommendation: Avoid introducing this principle that in practice would lead to excessive practical and operational difficulties, while affecting the reach of other legal bases including implied consent.

Transparency principle

The CAI emphasizes transparency as an essential aspect of consent in the draft guidelines, but lacks clarity on its scope and creates inconsistencies in transparency requirements between presumed consent and other forms of consent. In our brief, we raise concerns about the practical implementation, potential confusion, and excessive transparency demands.

Our recommendation: Clearer definitions, reasonable information requirements and avoid double standards to reduce consent fatigue.

Read our complete brief

We invite all those invested in privacy protection to engage in this important consultation process by reviewing our brief, and to contact a member of our team to begin a conversation.

Read our brief

NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.