This September, organizations in Quebec will face stiff penalties if found non-compliant with Law 25 (previously Bill 64). Passed in 2021, the Law has phased in annual amendments and requirements every September 22. Previous phases defined organizational and preparatory requirements; this September kicks off enforcement, where organizations found to be non-compliant could face fines of up to $25 million, or four percent of annual turnover, for privacy violations.
What is Law 25?
Law (or Bill) 25 is a provincial data privacy law that in practice looks and sounds like Canada’s federal data privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). However, Law 25 modernizes the protection of personal information and better defines what qualifies as sensitive information (any information which relates to a person and allows that person to be identified).
A key difference is each law’s scope—PIPEDA focuses on private-sector organizations, while Law 25 applies to both private and public organizations operating in Quebec and collecting and handling sensitive information of Quebec residents.
The Law is designed to provide individuals with more control over their information and the ability to request and access their information from organizations that have it. If an individual requests specific information, your organization must provide it to them within 30 days or risk penalties.
It’s a practical approach to data privacy and an individual’s right to access information that sounds straightforward. Yet in practice, ensuring your organization can source, protect, deliver, and/or erase sensitive information within the Law’s parameters could get messy.
Many organizations struggle to understand what types of sensitive information they collect, store, and share, let alone the security risks based on those information types. The Law’s wide reach means that public and small businesses with limited budgets, teams, and data and asset management resources may struggle to institute the practices and processes necessary to demonstrate compliance.