Canada’s electronic intelligence agency recorded 137 separate privacy incidents at businesses across the country last year.[1] While these incidents range from small events, such as mislabelled data, to more significant infractions, like a major data breach, these occurrences have drawn the attention of lawmakers.
In 2021, Quebec passed legislation that modernized its privacy laws to better protect Canadians’ personal information. Inspired by the European General Data Protection Regulation (GDPR), the most stringent privacy statute in the world, Law 25 requires Quebec businesses to take greater safety precautions and increases the authority of the province’s privacy commission.
Modern Privacy Legislation for a Modern World
Today, with so many tasks and transactions taking place online, safeguarding private information is even more important. In mirroring the GDPR, Law 25 creates higher standards for any Quebec organization that collects sensitive information, which includes medical, biometric or other highly personal data, and may include financial information, though it is not specifically listed in the legislation.
Provisions of the law began to take effect in September 2022, but the majority will take effect in September 2023. As of today, to comply with Law 25, organizations that collect and retain sensitive information should:
- Employ a privacy officer to lead privacy management efforts at the organization.
- Maintain a plan to manage privacy incidents and procedures for employees to follow.
- Record any privacy incidents in a dedicated log.
- Report any privacy incidents to the Commission d’accès à l’information du Québec.
Beginning September 2023, organizations must also:
- Create a governance framework for protection of personal information.
- Set up a process for handling complaints.
- Assess privacy risks and destroy any unnecessary personal information.
- Obtain consent from individuals to use their personal information, if necessary.
- Create a data retention schedule.
Companies that do not comply with the mandate will be subject to stricter guidelines and steep fines. These penalties can require payouts of $5,000 to $50,000 for a privacy breach affecting an individual. In larger privacy breaches, companies could be on the hook for up to $25 million or 4% of the company’s prior-year revenues.
Best Practices to Protect Your Business
With so much at stake, organizations need to establish a framework for risk management related to privacy practices in the organization. Of course, meeting the requirements is critical, but companies that go one step further will gain the confidence of their leaders and protect the organization at large.
Here are several steps businesses operating in Quebec should consider:
- Determine what’s necessary. Skip collecting unnecessary data that adds an additional burden. For example, if employees enter the building using their fingerprints, the organization is responsible for protecting that data. Consider other ways to ensure security on site and avoid that challenge.
- Educate yourself on the nuances of the law. Some of the unique aspects include the requirement that information that is no longer subject to a retention period or in use must be either destroyed or anonymized in a way that makes it impossible to directly or indirectly identify the person the information concerns.
- Develop a plan for assessing the seriousness of an incident and how to report it. This should include an assessment of the injury that could result from a confidentiality breach, potential consequences and a plan for reporting privacy violations to the commission.
- Assess your technology. Make sure your technology is set up in a way that protects the personal data of individuals. For example, using cookies on your website that allow individuals to be profiled or their location to be identified could qualify as a privacy incident if that data is breached.
- Protect your leaders. Sometimes a privacy breach leads to greater risk for business owners and other leaders. Review your D&O insurance policy and ensure the corporation indemnifies all directors and officers. If the worst happens, no one wants to lose their personal assets in a payout.
- Secure cyber insurance. If you don’t already have a cyber policy, now is the time to consider it. Cyber insurance provides financial coverage in the event of a privacy breach or cyber attack. Policies can be pricey, but taking steps to minimize risk can help you secure a policy with better terms and conditions.
- Consult with a lawyer. The easiest way to comply is to ensure you fully understand the requirements of the law. Discuss the implications of the new law with an expert in privacy law. The expert can review your company practices and help you determine ways to comply. Staying on top of changing regulations is the best way to minimize the risk and avoid a gap in coverage.
Contact HUB International’s cyber experts to learn more about complying with Law 25.
[1] Government of Canada, “Communications Security Establishment Annual Report 2022-2023,” accessed July 25, 2023.
