Law 25 Blog Series from McCarthy Tétrault’s Cyber/Data Group
This article is part of our Law 25 Blog Series, which will provide readers with a 360° view on Law 25 (formerly known as Bill 64) and its sweeping amendments to Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (the “Private Sector Act”). To view other blog posts in the series, scroll down to the bottom of this article. This page will be updated regularly with the latest posts.
The passage of Law 25 (formerly known as Bill 64) (the Act to Modernize Legislative Provisions respecting the Protection of Personal Information) will overhaul Québec’s privacy regime and have major consequences for companies doing business in the province or that handle the personal information of Québec residents. Aimed at promoting transparency and enhancing data privacy, the significant changes to the existing Private Sector Act include more stringent obligations for businesses, greater accountability and tougher penalties for non-compliance.
So what does this mean for your business? Ensuring compliance requires careful planning and a thorough understanding of this uniquely “made in Québec” approach to privacy protection. McCarthy Tétrault’s Law 25 Blog Series gives you valuable insights on how the latest developments will impact your business so you can stay compliant and capitalize on opportunities in the evolving privacy and data landscape in Québec. Featuring posts from our multidisciplinary Cyber/Data experts, the series will cover key topics including consent, enforcement issues under Bill 64, automated decision-making, information governance requirements and much more.
McCarthy Tétrault’s Cyber/Data Group has immense regional and national experience in privacy, data protection and cybersecurity and a track record in advising key sectors on critical issues in novel and complex areas of law. Our team can help you navigate the privacy and data landscape so you can leverage the value of data, develop responsible AI practices, protect your organization’s assets and cement customers’ and clients’ digital trust.
Subscribe to our TechLex blog to receive the latest posts in the series.
Quebec Law 25 Update - Latest Obligations Effective September 2023
Today, the majority of Quebec’s Law 25 privacy reform enters into force, elevating Quebec’s privacy regime to a standard that resembles the GDPR and other new-age regimes. If your organization does business in Quebec and processes the personal information of Quebecers, it is crucial that you take meaningful steps to comply with the new obligations, as the fines for non-compliance could be significant.
Sweeping privacy reform comes into force in Quebec
As of September 22, 2023, organizations operating in Quebec or handling the personal information (“PI”) of Quebec residents are now subject to a host of new obligations. Compliance with these sweeping amendments brought by Act to modernize legislative provisions respecting the protection of personal information (“Law 25”) to the Private Sector Act require a deliberate and well-documented overhaul of policies, procedures and practices relating to how affected organizations handle Quebec PI.
Quebec’s Law 25 and Cookies: Not So Cookie Cutter
If you’ve recently visited a new website on your phone or computer, chances are you received a notification informing you that the page uses cookies and you need to decide whether to accept, reject, or manage cookies before you can access the page. Cookies are small text files that websites send to your device to remember certain information about you, such as what you put in your shopping cart, what your shopping preferences are, when you last visited the site, how long you were on the site, or your login information.
The Quebec Privacy Regulator’s Guide on Law 25-compliant Privacy Impact Assessments
On September 22, 2023, Quebec’s privacy regulator, the Commission d’accès à l’information du Québec (“CAI”), released its long-awaited guide (available in French only) on conducting privacy impact assessments (“PIAs”) as required by Law 25. The guide provides a roadmap for conducting PIAs and establishes a methodology for quantifying and addressing privacy risks. Alongside the guide, the CAI published a PIA template, which serves as a model that can be used by organizations to complete Law 25 compliant PIAs. The CAI states that using the PIA template is not mandatory and recommends adapting it to the context and scope of the assessment at hand.
Quebec’s Draft Regulation on Anonymization of Personal Information
On December 20, 2023, the draft regulation for the anonymization of personal information (the “Draft Regulation”) was published in the Gazette officielle du Québec. The Draft Regulation provides organizations with details regarding the requirements that must be respected to lawfully anonymize personal information (“PI”). This article provides an overview of the anonymization framework set out in the Act and then unpacks the new Draft Regulation.
Bill 64 Blog Series and Related Insights:
- Committee review completed for Bill 64: A step closer to a major reform of Quebec's personal information protection regime
- Bill 64 Committee Report Adopted by Québec National Assembly
- Bill 64 Receives Royal Assent: Major Québec Privacy Reform Bill Becomes Law
- Quebec’s Bill 64 Introduces Unique Cyber Incident Reporting Obligations
- Quebec’s Bill 64 Introduces New Operational Requirements for Cross-Border Transfers of Personal Information
- Quebec’s Bill 64 Introduces New Transparency and Consent Standards
- A Workspace by the CAI to assist with Bill 64 Compliance
- Quebec’s Bill 64 Introduces New Governance Obligations for Businesses Processing Personal Information
- Quebec’s Bill 64 Introduces New Contractual Requirements for Transfers of Data
- Bill 64 exposes businesses to significant new monetary penalties and gives increased powers to the Commission de l’accès à l’information
- Getting ready for Quebec’s Bill 64 privacy law impacts on outsourcing
- Quebec’s Draft Bill 64 Regulation On Confidentiality Incident Reporting and Record-Keeping Obligations
- Quebec Privacy Commissioner Releases Draft Guidelines on Valid Consent and Launches Public Consultation
- Key Operational Considerations Ahead of Major Law 25 Entry Into Force Phase
- Now this May Hurt: The CAI's General Framework on Monetary Administrative Penalties
To learn more about how our Cyber/Data Group can help you navigate the privacy and data landscape, please contact national co-leaders Charles Morgan and Daniel Glover.