All Collections
Best Practices
What is Quebec's Law 25?
What is Quebec's Law 25?

Those who do business with people who live or operate in Quebec must comply with new privacy legislation beginning in September 2022.

Samantha Postlethwaite avatar
Written by Samantha Postlethwaite
Updated over a week ago

⚖️ Amilia does not provide legal advice; this content was prepared for informational purposes only. We encourage you to speak with a law professional when interpreting Law 25.

Law 25 refers to Quebec's Act to modernize legislation provisions respecting the protection of personal information. The main purpose of this law is to regulate how personal information is handled, whether during collection, storage or consent to collect and share it. Law 25 applies to all Quebec organizations as well as those established outside of the province who have customers who use their services or products in Quebec.

When does Law 25 take effect?

Law 25 (previously Bill 64) came into effect on September 22nd 2022, with a gradual rollout of provisions over the course of three years. The majority enter into effect on September 22nd 2023. The following is a high level view of the requirements of Law 25.

Requirements in Year 1 (2022)

  • Appoint a Privacy officer: This person is responsible for the protection of personal information. They must properly document any incident in a log and take steps to quickly reduce the risk of another privacy incident (e.g., hard drive theft or malicious, unauthorized access). The privacy officer must be clearly identified on your organization's public website.

  • Breach notifications: Your organization is required to make data breach notifications to the Commission d'accès à l'information du Québec (CAI), as well as to any affected individuals in the event of a confidentiality incident. A breach notification must also be made when the unauthorized access of personal information is likely to cause a 'risk of serious injury' to the individual.

  • Biometric database registration: Organizations must notify the Commission d'accès à l'information du Québec (CAI) at least 60 days before biometric processes are implemented and a biometric database is created. Any process involving the use of biometrics to verify or confirm a person's identity must be disclosed to the CAI. In addition, the express consent of individuals is required to use biometric data for identity verification.

Requirements in Year 2 (2023)

  • Have a privacy policy: Your organization must have an easily accessible privacy policy, written in plain language and available on your website or via other public methods.

  • Privacy governance & program development: Develop and implement internal privacy policies to manage and appropriately protect personal information throughout your organization's activities. Your organization is obligated to provide the parameters to ensure the highest level of confidentiality of a technological product or service offered to the public (this provision does not apply to privacy settings for browser cookies).

  • Privacy impact assessments (PIA): A PIA is a risk management process that helps organizations ensure they meet legislative requirements and identify the impacts their programs and activities will have on individuals’ privacy.

  • Purpose, collection, and consent: Organizations must clearly define to individuals the purposes for collecting personal information, both at the time of collection and when individuals request information about your organization's purpose and collection practices. Organizations must obtain, beforehand, the person's consent to use their personal information for commercial prospecting purposes. There are exceptions to consent, such as where personal information is business contact information.

  • Destruction of personal information and the right to be forgotten: Personal information must be destroyed once the purposes for its collection are met. If a legitimate reason to keep the personal information exists, the information should be anonymized. Organizations must make accommodations to fulfill requests when an individual wishes to stop their personal information from being disseminated.

  • Automated processing of personal information: You must inform individuals if their personal information will be used to make a decision based solely on the automated processing of that information. They must be informed at the time of collection or before automated processing of their personal information occurs.

  • Source of personal information: Should an individual request it, organizations must disclose the source used to obtain their personal information and if it was collected from another person or organization.

Requirements in Year 3 (2024)

  • Data portability: You will be required to provide personal information about an individual in a structured, commonly used technological format to that individual upon request. You will also be required to disclose the information to another organization authorized to collect personal information at the individual’s request (for example, if an individual seeks to change service providers).

    The right to data portability is limited under Law 25 in two ways:

    • It does not cover information created or derived about the individual

    • It does not extend to instances that raise serious practical difficulties

Is Amilia compliant with Law 25?

As a digital and administrative partner of thousands of organizations, we've applied the necessary procedures for the compliance of Law 25.

Amilia is a Level 1 certified PCI-DSS service provider, the highest level of security compliance attainable in the payment industry. To meet the needs of the Canadian and American market, we've already undergone a process relatively similar to that of Law 25. We've obtained two important security certifications: Soc 2 and HIPAA, ensuring the secure management of your customer data. With more than 350 security checks certified by external firms, we're well acquainted with computer security!

It's important to note that while Amilia's User agreement, privacy policy and personal data management within SmartRec is in accordance with Law 25, your organization must ensure its privacy policies and external management of this data is also compliant.

What does my organization need to do?

Law 25's gradual implementation is intended to provide organizations with enough time to prepare for the new privacy requirements and make the necessary changes to their data protection practices.

  • This includes conducting a privacy audit, updating privacy policies and procedures, implementing security measures, training staff, appointing a privacy officer, and reviewing contracts with service providers.

  • We recommend speaking with a law professional to ensure what Law 25 entails for your organization specifically.

🔴 Organizations that fail to comply with Law 25 and its related regulations will face penalties based on the size of their business. Law 25 is enforced by the Commission d’accès à l’information (CAI) du Québec, the provincial organization responsible for access to information in Québec.

Glossary & Sources

1. What's the definition of personal information?

Personal information concerns a physical person and allows that person to be identified. It is confidential. Barring exceptions, it cannot be communicated without the consent of the person concerned.

Personal information relates to a person's identity such as their name (in some cases), age, ethnicity, address, phone number, email address, emails, IP address, education level, details about personal life, content from web searches, online user preferences, biometrics, medical file, health information, social insurance number (SIN), and other identification numbers that may be considered personal information in the context of the law.

Please note that the definition does not refer to information relating to a legal person (i.e. information concerning a business).

2. What's a confidentiality incident?

A confidentiality incident means:

  • Unauthorized access and/or use by law to personal information

  • Communication of personal information not authorized by law

  • Loss of personal information or any other breach of the protection of such information

3. What biometric data can be used identify or authenticate a person?

These are unique characteristics, resulting from biometric analysis, which make it possible to identify or authenticate a person.

There are 3 main categories of biometrics:

  1. Morphological biometrics - based on the identification of specific physical traits. It includes the recognition of fingerprints, the shape of the hand, the face, the retina and the iris of the eye;

  2. Behavioural biometrics - based on the analysis of certain behaviours of a person, such as the tracing of his signature, his voice, his way of typing on a keyboard, and so on;

  3. Biological biometrics - based on the analysis of a person's biological traces, such as DNA, blood, saliva, urine, and odours.

Sources

Did this answer your question?