By Karine Oct 10, 2023
In collaboration with Jean-Sébastien

Quebec’s Law 25 IT Insights: A Complete Guide

Since September 21, 2021, Law 25, focusing on the protection of personal information in Quebec, has garnered considerable attention within the province’s legal, economic, and technological sectors. Its influence extends well beyond administrative boundaries, impacting self-employed individuals, businesses of all sizes, public organizations, as well as non-profit entities such as foundations and unions, alike.

While this regulation has surfaced relatively recently, it doesn’t exist in isolation within the broader global data protection framework. For instance, in Europe, the General Data Protection Regulation (GDPR) was introduced in 2018, establishing fresh benchmarks for the handling and respect of personal data.

It comes as no surprise that, here in Quebec, a comparable initiative has emerged in response to mounting apprehensions regarding user privacy. In this ever-evolving digital era, it is crucial to grasp these significant legislative advancements, as they not only impact how we manage data but also how we utilize it in our daily lives. Our team of cybersecurity experts employs top-tier security strategies throughout the development of our technology solutions, spanning cloud services, Industry 4.0, connected devices, business intelligence (BI), and artificial intelligence (AI).

⚠️ Please note that this article is intended to provide information on Law 25 and should not be construed as formal legal advice. You are encouraged to consult a lawyer or legal advisor for advice specific to your situation and to ensure full compliance with the law.

What’s Law 25?

Law 25 applies to all companies that collect data from people living in Quebec. It also applies to anyone in Quebec using products or services from organizations located outside the province. This law introduces new rules for how both public and private organizations handle personal information.

Law 25 is gradually coming into force. Initial directives were announced in September 2022, followed by important provisions in September 2023, and more are still in the pipeline for September 2024. This gradual approach allows companies to prepare in advance. It encourages the implementation of compliance policies and practices, while recognizing the complexity of the adjustments required.

To ensure Law 25 is effectively enforced, Quebec has appointed the Commission d’accès à l’information (CAI) as the regulatory authority. The CAI’s main job is to watch over companies to ensure they respect people’s privacy rights in the province. As developers of digital solutions, we understand the importance of complying with Law 25 and respecting the privacy and data protection of our users, at every stage in the development of customized software solutions for your business.

Law 25 and personal information

In the context of data protection, the key question is: What counts as personal information?

Generally speaking, personal information is defined as "any data that can identify a specific individual." However, the definition goes beyond just that. For instance, the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies in other Canadian provinces, includes a broad spectrum of data under the definition of personal information, going well beyond mere names and addresses!

The types of personal information considered sensitive under PIPEDA and other regulations include, for example:

  • Demographic information: ethnic origin, religion, marital status, sexual orientation, and level of education. These data are often used to describe and categorize individuals.
  • Communication data: e-mail addresses, e-mail messages and IP (Internet Protocol) addresses fall into this category. This information is essential in our digital age, where electronic communication is omnipresent.
  • Biometric data: this can include information such as age, height, weight, medical records, blood type, DNA, fingerprints and even voice signature. This data is often used to identify and authenticate individuals.
  • Financial data: information on income, purchases, consumption habits, banking data, credit or debit card information, loan or credit reports, as well as tax returns are included in this category. This information is crucial for financial and commercial transactions.
  • Personal identifiers: this includes, for example, name, social insurance number (SIN) or other identification numbers used to uniquely identify each individual.

This list highlights the wide range of personal information that data protection laws can include. It’s important to note that the definition of personal information can vary across different jurisdictions, but in general, it includes any data that can identify an individual. This is why the protection of such data has become a major concern in today’s digital society.

Law 25 officially takes effect in Quebec

Impact of Law 25 on citizens and businesses in Quebec

Rules and requirements to be respected

With Law 25, Quebec establishes the following rules:

Governance

Every company will need to put in place a governance framework for effective management of confidential data used within the organization.

Transparency

Companies should have a clear policy on their website, establish internal procedures, and provide training to employees on the subject.

Compliance

Compliance makes it possible to standardize best practices for processing personal data and to justify each use of that data against a documented purpose.

Deadlines

As previously mentioned, Law 25's obligations phase in from 2022 to 2024, with a series of deadlines:

September 2022

  • Designate an individual in charge of the protection of personal information and display their contact information on the company website
  • Establish a comprehensive incident management and documentation plan
  • Report incidents to the relevant authorities (CAI) and third parties directly concerned

September 2023

  • Implement data anonymization measures
  • Develop a governance framework for the protection of personal information
  • Enforce the right to erasure (data destruction)
  • Conduct privacy impact assessments
  • Secure prior consent for the use of personal information in commercial prospecting activities

September 2024

  • Data portability (system adaptation): ensure the capability to generate a report containing all personal data retained by the company.
  • Provide training to all company staff members

It is essential for all relevant parties to adhere to these deadlines, as non-compliance can lead to significant penalties, as we will explain further.

Comprehensive analysis of the privacy impact assessment

As of September 22, 2023, organizations will be required to conduct a Privacy Impact Assessment (PIA), a structured process for assessing the privacy impact of projects involving personal information:

  • For all projects involving the acquisition, development or redesign of information systems or the electronic delivery of services involving personal information;
  • Before communicating personal information outside Quebec.

This will affect companies’ internal policies regarding the security of personal information. Customers will need to be included in the data evaluation process if they have not been involved previously.

PIAs should be proportionate to the sensitivity of the information, its intended purpose, quantity, distribution, and medium.

Enforcement and Penalties under Law 25

Failure to comply with Law 25 can result in significant financial penalties, with fines of up to $25 million or 4% of the company’s total sales, depending on the severity of the violation.

For example, a company with $500 million in sales could face a $20 million fine in case of non-compliance with the law.

Damages can reach "a minimum of $1,000 for deliberate or grossly negligent infringements causing harm." Therefore, it is essential for every company, regardless of its size, to diligently adhere to Law 25. Doing so is not only a legal requirement but also reflects a commitment to professional ethics and care for the welfare of its customers.

Failure to comply with the provisions of this law not only has financial consequences for companies, but also has an impact on trust and the relationship between organizations and the individuals whose data is processed. As such, Law 25 is not just a regulatory instrument, but also a reflection of societal values around data protection and privacy, promoting a digital environment where transparency and accountability are key.

In the end, compliance with Law 25 goes beyond legal obligations. It’s a way of building your customers’ trust, protecting your reputation and, above all, ensuring that your users’ personal data is treated with the respect and security it deserves.

Law 25 therefore reminds us of our collective responsibility to protect personal information and underlines the importance of integrity and responsibility in all our digital interactions.

The impact of Law 25 on businesses

Case in point – Uzispace real estate company

Let’s consider the case of the Uzispace real estate company for the purposes of this article.

Uzispace is a privately-owned company in the real estate sector that acquired a cloud-based property management platform during its digital transformation. As a result, it regularly collects personal information on its customers, such as names, phone numbers, addresses and even financial data for transactional purposes as well as various documents like identification papers.

The implementation of Law 25 has had a significant impact on the way the company manages this data and interacts with its members:

  1. Governance: Uzispace had to appoint a person responsible for the protection of personal information within the organization. This individual is responsible for ensuring that the handling of all members' personal data complies with Law 25 requirements and is assisted by a qualified lawyer.
  2. Identification: Uzispace performed a PIA to assess the different types of information collected across forms, documents, intranet storage and their real estate platform. During this evaluation, Uzispace also automated data cleansing processes and removed any unnecessary information.
  3. Transparency: The company has updated its privacy policy and made it accessible to all customers via its website. Customers can now easily consult information on how their data is used and protected.
  4. Compliance: Uzispace has conducted training sessions for its employees, especially administrative managers, to raise awareness about the new data protection responsibilities. Additionally, they have established procedures for reporting data security incidents and promptly notifying affected members in case of a breach.
  5. Data: Uzispace has implemented automated reporting features within its platform, allowing for the seamless provision of individuals’ data upon request, both for current and past customers. The company has also prioritized granting members the ‘right to be forgotten’ should they wish to exercise this option.

The Uzispace case shows how a private company must take steps to align with Law 25 and protect its members’ personal data. It highlights the importance of transparency and governance in the management of this sensitive information.

Conclusion

Law 25, currently in effect in Quebec, extends beyond regulation, as it incorporates a significant ethical aspect. It embodies the legislative commitment to respect and protect the privacy and dignity of individuals by placing their rights at the heart of personal data management. It serves as a legal framework emphasizing the need for responsible behavior and integrity when handling personal information within organizations.

Its requirements regarding governance, transparency, compliance, and privacy impact assessment pave the way towards a future where respect for personal data is the norm. However, the strict deadlines and associated financial penalties emphasize the pressing need for companies, organizations, and individuals to comply with these standards.

By complying with Law 25, we, as a company, help to build a digital future where trust and respect for individual rights are at the forefront of our interactions. This commitment ensures a secure and privacy-conscious environment for everyone!

At Uzinakod, we incorporate cybersecurity principles aligned with Law 25 to respect the privacy and data protection of our website users and in the creation of custom software solutions for our diverse clientele. Our dedication to legal compliance and data security is central to our approach, meeting your IT requirements while respecting the integrity of your company's information. Contact us today to talk to our experts!
