Data privacy law is in effect in Quebec and businesses are confused about what it means
With the second phase of Quebec’s Law 25 in effect as of September 22, a new survey says there is still widespread confusion about what the data privacy law requires of businesses that process the personal information of Quebec residents.
According to an article in Canadian Lawyer Magazine, Gowling WLG conducted a survey of more than 100 organizations across sectors, operating both inside and outside Quebec, and found that the majority of respondents were desperate for clarity and worried about penalties as the province’s new regulations and requirements kicked in.
The additional requirements build on phase one of the law, implemented last year. Since September 22 of 2022, any business that processes the digital identity data of even a single person in Quebec is required to have a designated privacy officer, establish an incident management plan, build a privacy incident log, disclose any incidents to the Commission d’accès à l’information (CAI), and disclose any use of biometric processes to develop databases to the CAI at least 60 days in advance.
For respondents to the Gowling WLG survey, it is all too much to handle. There are significant concerns about communication, with 69 percent saying that greater clarity on the law’s specifics is necessary. The costs of both implementation and non-compliance are also causing worry. More than half of respondents say they lack the resources to achieve compliance with Law 25’s key provisions. Not surprisingly, 67 percent are concerned about penalties and sanctions, which can reach $10 million Canadian (currently around US$7.4 million) or two percent of a business’s annual revenue. Just 15 percent of respondents think those numbers are fair.
For small-to-medium-sized businesses, it is the law’s lack of a minimum threshold that irks the most: businesses that process the personal data of a single Quebecer are subject to the same requirements as those that process the biometric data of millions.
However, the law includes a number of provisions that might have caused survey respondents to label it stringent and too far-reaching. It is the only explicitly opt-in privacy law in North America, and notably provides a private right of action, allowing citizens to sue businesses that breach their legal privacy rights.
Antoine Guilman, the co-leader of Gowling WLG’s national cyber security and data protection group, put into formal language what respondents called a “serious problem.”
“Despite Law 25 having come a long way since its introduction under Bill 64,” he said, “unresolved questions of interpretation and implementation spell a challenging rollout of the legislation.”