Quebec’s Law 25 (formerly Bill 64): An Overview of Key Changes for 2023 to Quebec’s Privacy Regime.
On September 22nd, 2023, several key provisions of Law 25, Quebec’s privacy law (formerly referred to as Bill 64), came into effect. This article provides an overview of five major changes in effect as of September 22nd, 2023, but is not an exhaustive or complete list. We previously provided a high-level overview of Law 25 and the key changes that came into effect in September 2022, which can be found here. As previously noted, organizations with a presence in Quebec (including those collecting or using personal information of Quebec residents) should seek legal advice on compliance with Quebec’s updated privacy regime.
Key Changes for 2023
The changes in effect as of September 22nd, 2023 include the following, which are further outlined below:
- Legal Penalties
- Automated Decision-Making
- Organizational Governance
- Transparency and Consent Requirements
- Outsourcing and Transfers Outside of Quebec
1. Legal Penalties
Law 25 now provides for three mechanisms to enforce compliance:
- Administrative monetary penalties will be administered by Québec’s privacy regulator, the Commission d’accès à l’information (“CAI”). Penalties can carry a maximum fine of $10 million or 2% of worldwide turnover for the previous year, whichever is greater.
- New penal offences for non-compliance, which can be applied by the CAI and can carry a maximum penalty of $25 million or 4% of worldwide turnover, whichever is greater.
- Punitive damages may be claimed by individuals in certain circumstances (i.e., where an infringement of their privacy rights has occurred).
2. Automated Decision-Making
Law 25’s 2023 implementations introduced new obligations for organizations using personal information to make decisions about individuals using exclusively automated processing. This may include use of artificial intelligence like OpenAI and other technologies which make decisions about, for example, an individual’s eligibility for a program, candidate selection, or provision of services based on assessments of the individual’s situation.
Organizations subject to Law 25 that employ such technologies need to inform individuals when their personal information is used to render an exclusively automated decision. Upon an individual’s request, organizations must provide the personal information used for the decision and the reasons and parameters leading to the decision, and permit the individual to correct the personal information used to make the decision.
3. Organizational Governance
Organizations are now required to establish and implement certain governance policies and practices related to personal information. These include retention and destruction of personal information, establishing and tracking the responsibilities of personnel handling the personal information, and the establishment of a formal process for addressing inquiries from owners of the personal information.
Further, organizations are now required to complete privacy impact assessments (“PIAs”) in certain situations. The CAI has published a guide on PIAs (available in French only), which can be found here.
In addition, organizations collecting personal information are now required to ensure that, when offering a product or service to the public through which personal information is collected, privacy settings are set by default to the highest level of confidentiality.
4. Transparency and Consent Requirements
Law 25 now requires organizations to provide information regarding their privacy practices in clear and simple language, and to be transparent through disclosure of certain details to individuals, such as the purpose and the means by which personal information is collected, and an individual’s right to withdraw consent to the organization’s use of personal information.
These obligations may arise at the time of collection, upon an individual’s request, or upon an organization’s use of certain technologies (i.e., technology with functions allowing an individual to be identified, located, or profiled).
The 2023 changes also clarify requirements for the proper form of consent that must be used by organizations, as well as the necessary criteria for ensuring an individual’s consent is validly obtained. The changes also impose requirements for obtaining valid consent from minors.
5. Outsourcing and Transfers Outside of Quebec
Organizations will now be required to disclose to individuals that their personal information may be disclosed outside of Quebec, and will be required to conduct a PIA for such transfers. If a PIA shows that personal information will be sufficiently protected, the organization must then enter into written agreements with the receiving party to ensure contractual protection of the personal information while it is under control of the receiving party.
Further, Law 25 now requires organizations to disclose the names or categories of third parties to whom personal information may be disclosed. Organizations disclosing personal information to certain third parties (i.e., their service providers) may do so without consent if such disclosure is necessary for performing the organization’s mandate or contractual obligations.
Finally, subject to limited exceptions, service providers receiving personal information from organizations subject to Law 25 will be required to notify the organization about breaches and even attempted breaches of personal information, and must permit the organization to conduct audits of the service provider’s confidentiality obligations.
The Law 25 provisions that came into force on September 22nd, 2023 represent significant changes to Quebec’s privacy regime. Given the steep non-compliance penalties now in effect, organizations would be prudent to determine whether they are subject to Law 25 and to assess their compliance obligations.
Note: LaBarge Weinstein LLP lawyers are not qualified to provide legal advice in the Province of Quebec. The above summary is for informational purposes only. If you feel the foregoing requirements might apply to you or your organization, please consult qualified Quebec legal counsel.