The protection of personal information : Is your business compliant with Law 25?


by

The protection of personal information has become a major issue in recent years. The numerous data breaches in companies have, in a way, forced the government to act. Law 25 is the latest legislative measure aimed at better addressing these new technological challenges.

Law 25, known as An Act to modernize legislative provisions as regards the protection of personal information1, began to come into force on September 22, 2022. Most public bodies were already compliant with this legislation upon its enactment. However, while larger private companies have managed to comply thanks to their significant internal resources, it appears to be somewhat different for small and medium-sized enterprises (SMEs), which have more limited financial and human resources.

Reminder

Upon the law’s enactment in 2022, companies were required to comply with new obligations. They had to appoint a person responsible for protecting personal information. They also had to meet certain requirements regarding the management of confidentiality incidents and adhere to new regulations on the communication of personal information for study, research, or statistical purposes. Furthermore, companies were compelled to conduct a privacy impact assessment (PIA) and were required to disclose, in advance, any identity verification using biometric characteristics or measures to the Quebec Commission d’accès à l’information.

The following year, a series of new obligations emerged, including the establishment of policies and practices regarding the governance of personal information. From that point, companies were also required to conduct a PIA whenever specified in the law. New rules on the collection, communication, and use of data were established, and companies were required to destroy or anonymize information once it had served its purpose. Companies were also mandated to be more transparent with citizens and comply with several new rules surrounding the communication of personal information, the collection of information from minors, and the communication of personal information facilitating the grieving process.

Did You Know?

On May 30, a new regulation complementary to Law 25 came into force: the Regulation respecting the anonymization of personal information2. This regulation specifies how public bodies, businesses, and professional orders should handle personal information they wish to retain once its purpose has been fulfilled.

This regulation defines anonymization criteria, including oversight by a competent person, the removal of direct identifiers, and the analysis of re-identification risks. It also specifies techniques to ensure anonymized information remains non-identifiable, taking into account technological advancements and factors that could facilitate re-identification.

In September 2024, the latest provisions of Law 25 regarding the portability of personal information came into force. These provisions require businesses to provide anyone who requests it with a digital copy of all their personal information in a written and understandable format.

And that is not all: Starting January 1st 2025, the regulation will require maintaining a register containing all relevant details of the anonymization process, including techniques used, purposes of data use, and dates of risk analyses.

Conclusion

As a business leader, be vigilant and ensure you are aware of all your obligations under this new law. The protection of personal information has become a major issue, and the government is determined to take action: since September 2023, the Quebec Commission d’accès à l’information has the authority to engage in criminal proceedings against any business failing to comply with specific provisions of the law, with minimum fines of $15,000 for businesses, doubling in the case of repeat offenses.

Feel free to contact Bernier Fournier Avocats: we can assist you in implementing strategies to comply with the law and ensure protection against potential negative consequences related to non-compliance.

Written with the collaboration of Annie Gauthier-Allard, law student.

1An Act to modernize legislative provisions as regards the protection of personal information, S.Q. 2021, c. 25.
2Regulation respecting the anonymization of personal information, CQLR, c. A-2.1, r. 0.1.