With the first wave of amendments to Québec’s personal information protection legislation (“Law 25”) taking effect on September 22, 2022, we thought we would share the top 5 misconceptions we have encountered when discussing the effects that Law 25 will have on businesses operating in Québec.
Note: While Law 25 was passed one year ago, its provisions come into effect on a delayed basis in 2022, 2023 and 2024. For more information, see our previous post.
1. “We are a B2B operation, so the legislation does not apply to us”
The legislation applies to any entity that holds “Personal Information”, which is defined as any information which relates to a natural person and allows that person to be identified directly or indirectly. It includes information such as a person’s name, address, date of birth, government issued identification number, or gender. It also includes an IP or MAC address of a device that can be linked to an individual as well as the individual’s browsing behavior. It is therefore difficult to imagine, given the broad definition of Personal Information, that a business does not collect, use, or disclose (“Process”) Personal Information in some way and that, consequently, Law 25’s requirements don’t apply to it.
2. “I think somebody in HR looks after compliance with personal information protection legislation”
While the “somebody” in HR may be very competent, and indeed the best person to ensure compliance with Law 25, businesses Processing Personal Information will now be required to designate a specific person to ensure that Personal Information is protected. That person’s title and coordinates must be published on the business’ website or made available to the public by any other appropriate means. As of September 22, 2022, if an entity has not designated a person, the role of Personal Information protection officer will automatically fall to the person with the highest decision-making authority, who can delegate it in writing to someone else in the organization.
3. “I think our IT department has an incident response plan”
Most IT departments do have an incident response plan. An IT incident response plan, however, is suited to the requirements incumbent on the IT department. It does not necessarily reflect the legal duties that a business faces following an incident involving Personal Information such as:
- Determining if the incident could cause a risk of serious injury;
- If the incident poses a risk of serious injury, notifying the individuals whose information has been compromised as well as the Commission d’accès à l’information; and
- Recording the incident in a register and maintaining a record of the incident for 5 years.
Having a separate incident response plan specific to Personal Information is vital for two reasons: first, an incident involving Personal Information does not necessarily have to involve IT. For example, a lost or stolen paper file containing employee names and salaries constitutes an incident and most likely will not be covered by an IT incident response plan. Second, the thresholds used to determine the levels of risk for a cyber incident are typically higher than those used to determine a risk of serious injury to an individual following a compromise of their Personal Information.
4. “We don’t share personal information with anyone. We store it on the cloud”
Unless the business is hosting its own cloud-based servers, storing Personal Information with an external cloud service provider is considered a disclosure of Personal Information. The business must therefore inform the individual of this disclosure. Additionally, as of September 2023, the individual’s consent to this disclosure will not be required but the business must have a data processing agreement in place in which the provider offers adequate security measures to protect the Personal Information it receives. If the provider is located outside of Québec, a privacy impact assessment will have to be conducted to ensure that the Personal Information will receive an equivalent level of protection.
5. “We can’t disclose that information because we don’t have the individual’s consent”
As of September 22, 2022, a business involved in a business transaction may disclose an individual’s Personal Information to its counterpart without the individual’s consent. This effectively extends the “business transaction” exception found in the federal Personal Information Protection and Electronic Documents Act to businesses operating in Québec. Law 25, however, requires the disclosing party to enter into an agreement with the receiving party in which they undertake to:
- Use the Personal Information only for concluding the commercial transaction;
- Refrain from communicating the Personal Information without the consent of the person concerned unless authorized to do so by law;
- Take measures to protect the confidentiality of the Personal Information; and
- Destroy the Personal Information if the transaction is not concluded or if the Personal Information is no longer necessary for concluding the transaction.
Once the transaction is concluded, the recipient of the Personal Information must only Process the information in keeping with Law 25 and must eventually inform the individual that it holds their Personal Information.
These 5 points touch on the most substantial changes that Law 25 introduces into the Québec Personal Information protection landscape. A year from now, additional, more onerous, requirements will take effect, leaving Québec businesses the next 12 months to prepare.