Drive Law 25 sensitive data compliance

The Act to modernize legislative provisions as regards the protection of personal information, commonly known as Law 25, brings important modifications and modernization to laws that cover personal and sensitive information. The law was sanctioned by the Quebec National Assembly back in September 2021 and will have provisions coming into force in September 2022, September 2023 and September 2024. Law 25 aims to offer tighter control around individuals’ personal data and strengthens corporate obligations in terms of governance, transparency and compliance.

All organizations located in the province of Quebec, regardless of whether they are private or public, are required to follow the regulations outlined in Law 25. This applies to all types of organizations, from small startups to large enterprises, and includes any organization that handles, uses, or shares the personally identifiable information (PII) of its stakeholders. It is important for these organizations to ensure that they are in compliance with Law 25 in order to avoid potential consequences such as financial losses, damage to their reputation, and legal action.

Law 25 covers all personally identifiable information (PII) including sensitive data possessed by organizations in Quebec. Personal information is any information that can be used to identify an individual, such as a name, address, phone number, email address, or Social Security number. This can include demographic information, such as age, gender, race, or income level, as well as financial information, such as bank account numbers or credit card information.

Sensitive personal information is a subset of personal information that is particularly sensitive or private, and may be more vulnerable to misuse or abuse. Sensitive personal information requires additional protection and attention because it is more closely tied to an individual’s identity and may be more difficult to change or protect in the event of a data breach or other security incident.

Law 25 will give citizens more control over their personal information. The implementation of this law will require several actions over the next 36 months.

September 2022

• Designate a Privacy Officer
• Create or update policies and practices governing the governance of personal information
• Implement a privacy incident log and notification process
• Have an inventory of the organization’s personal information
• Implement a privacy training program

September 2023 

• Update policies and practices for the retention, destruction and de-identification of personal information
• Implement a privacy complaint process
• Publish policies and procedures governing the governance of personal information on the organization’s website
• Introduce a Privacy Impact Assessment (PIA) policy and process
• Implement a process for obtaining consent to collect, hold, use or disclose personal information
• Establish a process for destroying or de-identifying and implementing the right to be forgotten throughout the life cycle of that information

September 2024

• Implement measures to facilitate the right to data portability

If an organization fails to adhere to the regulations outlined in Law 25, they may face a variety of negative consequences including financial losses, damage to their reputation, and legal actions. The Quebec Commission on Access to Information (CAI) has the power to impose penalties on any organization that is not in compliance with Law 25. These penalties can take the form of administrative sanctions, which can reach up to $10 million or 2% of business revenues, or legal sanctions, which can reach up to $25 million or 4% of business revenues.