Quebec Bill 25, An Act To Modernize Privacy Legislation

The following are the obligations effective as of September 22, 2022:

Recognition

Of the responsibility of public bodies to protect the personal information they hold
Of the autonomy of the person responsible for access to information and privacy
Of accountability of the highest authority within the public body

Public Organization

Implement a process for handling a privacy incident involving personal information
Implement the new procedure for the disclosure of personal information for the study, research, or statistical purposes
Establish an access to information and privacy committee

Access to Information Commission

Develop guidelines to facilitate the application of the Act

Two new obligations under Bill 25 already apply to businesses: the appointment of a privacy officer and the reporting of privacy incidents.

The primary responsibility of the chief privacy officer is to ensure that the company complies with and implements the Private Sector Privacy Act. This may include implementing measures to facilitate the right to data portability, managing privacy incidents and the notification process, as well as implementing policies and practices to govern personal information within the organization. If a company does not appoint a chief privacy officer, the most senior person in the company will hold the position. This person may delegate the function in writing.

With respect to reporting privacy incidents, companies will be required to notify the Commission d’accès à l’information and the individuals concerned of any privacy incident that presents a risk of serious harm involving personal information. A privacy breach presents a serious risk depending on, among other things, the sensitivity of the personal information, the consequences of its use and the likelihood of its use for harmful purposes.

Conclusion

The objectives of Bill 25, particularly for businesses, are to enhance the protection of personal information held by businesses, to increase public confidence in businesses and to support innovation by considering new technologies. The obligations of the Act will come into effect progressively until 2024 and in case of non-compliance with the Act, the Commission d’accès à l’information will be able to impose penalties that could amount to up to $25 million or 4% of the company’s worldwide turnover, in proportion to the seriousness of the breach and the company’s ability to pay.

The Quebec government wants to continue to find ways to improve the protection of Quebecers’ personal information and will continue to study the possibilities of adding measures to ensure this. Among these, it is possible that additional measures could be added to Bill 25 that would give more powers to the Ministry of Cyber Security and Digital (MCN). The MCN could potentially demand accountability from private and public organizations.

The first sitting of the 43rd Legislature in the National Assembly will be held on Tuesday, November 29, 2022. It may be possible to see in the first few weeks what the government will do to ensure better protection of Quebecers’ private data.