Introduced in September 2021, Bill 25 was established to protect the confidential information of individuals and allow for better management of personal information for businesses. Any information concerning an individual and the storage of their personal information underwent legislative changes upon the enactment of Bill 25 in 2021. To gain a better understanding of personal data protection, the management of sensitive personal information, the impacts on private sector organizations, the provisions of the law modernizing collected personal information, the new challenges for your business, the general application of Bill 25, and much more, read on. Join us in this legal exploration!
A Brief History of Personal Information Protection Laws
In Canada, the first law related to information management and personal protection dates back to 1983. Originally created as a privacy policy for federal organizations, it wasn’t until 2001 that it was expanded to include new provisions. The General Privacy Protection Regulation falls under federal jurisdiction, but some provinces have implemented their own privacy measures, such as Quebec with Bill 64, aimed at modernizing personal information governance, and its subsequent reworked version. The current Quebec law, better known as Article 25, pertains to individual persons and provides increased protection for information related to identification elements and the proper handling of information to reduce privacy incidents.
Understanding Bill 25
The law governs the confidentiality of personal information and access to information in Quebec (in comparison to Canadian law). This measure governing information governance has been renewed to account for current technological realities. Businesses, public organizations, researchers, and citizens are subject to it. Information that an individual may be required to provide and that is considered personal includes race, nationality, ethnic origin, religion, age, marital status, information regarding your health/education or employability, financial transactions, DNA, identification numbers issued by the Quebec or Canadian government (driver’s license or social insurance number), as well as an employee’s individual views and opinions. Using personal information to be identified by these entities can be practical, but caution should be exercised in how it is disclosed. Some clauses also specify how information should be communicated. “The new Bill 25” also governs the personal information held and the use of personal information.
The Chronological Stages of Bill 25
Modernized multiple times, the law was divided into stages for the implementation of legislative elements related to the protection of individuals’ information. Three key dates are set for the modernization law to be fully completed. Each of these highlights the responsibilities of each party regarding individual protection, access to organization documents, new law provisions, the use of personal information, and more.
September 22, 2022
Although passed a year earlier, Bill 25 in Quebec came into effect on September 22, 2022. This first deadline mainly addressed obligations related to individual protection responsibilities, the formation of an information access committee and its management, the obligation to notify in the event of a breach of an individual’s protection, the communication of personal information without consent, and biometric data.
September 22, 2023
Under the law, most of the planned regulations come into effect in September 2023. This includes policies and practices governing governance, transparency, the publication of privacy policies, information for exclusively automated processing, information on the use of identification, location, or profiling technology, anonymization of personal information, integration of provincial political parties into the law, privacy impact assessments, consent, the right to erasure, the communication of personal information outside the province, the communication of personal information to expedite the grieving process, the collection of information for minors, the implementation of technological parameters ensuring the highest level of privacy, and the possibility of sanctions.
September 22, 2024
The last stage involves portability, which means the obligation to provide access to collected information to individuals who have provided their personal information.
Impacts on Legal Entities
The legislative provisions on personal information directly affect legal entities that must ensure they adopt secure behaviors to protect their information with various organizations (legal, governmental, entrepreneurial, etc.) when they need to provide it. In addition to these obligations stipulated by the law, civil individuals also have additional security measures ensured by the provisions of Bill 25 that are currently in effect. They have recourse when there is a breach of protection of a personal element concerning them and an obligation to report any breach to the privacy breach registry. As a legal entity, we are all responsible for protecting our valuable information.
Impacts on Entrepreneurs
What about entrepreneurs? Does Bill 25 pose additional challenges for them? In today’s world, it certainly does. This includes knowing how to securely dispose of information, safeguarding against cybersecurity attacks, being vigilant for any leaks, reporting any other breaches of protection, knowing how to communicate personal information without consent only when absolutely necessary, complying with the access to information commission, ensuring transparency, and informing your users about the type of technology used (identification, geolocation, statistics, etc.). Some provisions of Bill 25 may be more burdensome than others, but it is your credibility that is at stake, especially since legal action is possible. You must protect it to protect yourself, as simple as that!
Brief Conclusion
As the proverb goes, no one is expected to be ignorant of the law, especially when it concerns one’s own protection. It is equally crucial to be aware of your rights and safeguard yourself to the best of your ability. The framework established by the law clearly distinguishes and positively singles out entrepreneurs who know how to respect and protect their users from privacy incidents, including leaks from their websites, in contrast to other merchants who inadequately safeguard such information. The communication of personal information, on both sides, must be done in a manner that complies with Bill 25 to ensure the proper management of factors related to personal life. Respect and protection undoubtedly go hand in hand, serving both your personal and business interests.