Quebec Has New Privacy Requirements Already in Place, With More on the Way in 2023

Bill 25 Requires Immediate Action and a Compliance Plan for This Year

In September 2021, Quebec's Parliament enacted Law 25 (formerly Bill 64) (the "Law"), which updated Quebec's data protection laws and added requirements for enterprises that do business within the province. Specifically, as of September 2022 companies should have 1) appointed a data protection officer, 2) disclosed to the Quebec data protection commission certain processing and uses of biometric data, and 3) updated incident response requirements. Starting in 2023, failure to comply may result in GDPR-like fines with monetary penalties potentially ranging from 2% to 4% of worldwide turnover.

Applicability

The Law subjects any enterprise, as defined by the Quebec Civil Code, that collects, holds, uses, or communicates personal information to its requirements.[1]

The law does not make the familiar distinction between "controllers" and "processors." Instead, some provisions apply only to "persons carrying on an enterprise," while others apply more broadly to any "person" or "person or body." As a result, the applicability of any given provision depends on what term is used.[2]

Additionally, the Law uses a broad definition of personal information, defined as "any information which relates to a natural person and allows that person to be identified."[3] 

Upcoming Requirements

The Quebec government opted for a three-year rollout of the Law. The table below outlines some compliance areas and the relevant timeframes for compliance, some of which have already passed[4]:

Penalties

The Law imposes two types of fines: administrative and penal. Administrative fines come from the Quebec data commission and can be up to $10 million CAD or, if greater, 2% of worldwide turnover.[15] Penal fines, on the other hand, can be between $15,000 CAD and $25 million CAD or, if greater, 4% of worldwide turnover.[16] Whether penal or administrative fines apply depend on the violation, the actor (business), and the history of such violations by the actor.

Key Takeaways

Companies subject to this law should consider immediately addressing any past-due 2022 requirements. One of the first items would be appointing a data protection officer in compliance with the law. If the company handles and uses biometric information to verify or confirm the identity of a person or creates a bank or database of biometric characteristics, notification to the Quebec data protection authority may be necessary. Lastly, a company may wish to create and implement a data breach response plan in accordance with the law to help avoid any delay if a breach does occur. Moving into 2023, companies subject to Quebec law may need to start complying with the more rigorous requirements prior to September.

• Greenberg Traurig is not licensed to practice law in Canada and does not advise on Canada law. Specific Canada law questions and Canada legal compliance issues will be referred to lawyers licensed to practice law in Canada.

[1] Section 1, Law 25.

[2] For example, the sections that contemplate data protection officers and data breaches (3.1-3.5) apply to any person carrying on an enterprise.

[3] Section 2, Law 25.

[4] This is not an exhaustive list as there may be other actions organizations need to take depending on the specific situation.

[5] Section 3.1, Law 25.

[6] Section 3.5, Law 25.

[7] Section 45, Law 25.

[8] Sections 4 and 8, among others depending on collection, Law 25.

[9] Section 3.1, 3.2, and 8.2, Law 25.

[10] Section 3.2, Law 25.

[11] Sections 30, 32, 33, 34, 35, and 39 of Law 25. 

[12] Sections 3.2 and 17, Law 25.

[13] Section 17, Law 25.

[14] Section 27, Law 25.

[15] Section 90.12, Law 25.

[16] Section 91, Law 25.