What are the key elements of the 25th Law?
The 25th Law , also known as the Act modernizing legislative provisions concerning the protection of personal information in the private sector in Quebec, was adopted in September 2021 and has been in effect since September 2022. It regulates the protection of personal information, drawing inspiration from European standards such as the GDPR, and introduces significant changes compared to current Canadian legislation. A survey by the FCCQ in June 2022 revealed a lack of awareness about its impact among nearly 40% of businesses.
Legislative Requirements
What information should you have?
The 25 th Law in Quebec imposes significant changes on organizations, including:
- The appointment of a privacy officer or an equivalent position.
- The establishment of public policies on the protection of personal information and requirements for internal practices related to data protection.
- Increased transparency regarding consent and the collection of personal information.
- The integration of privacy principles into technology and systems.
Penalties
Companies violating the provisions of the 25 th Law and its implementing regulations face more severe penalties compared to the current regime. Penalties vary and depend on the size of the company, but generally follow the guidelines outlined below:
- A fine of $10 million or an amount equivalent to 2% of the global turnover of the previous fiscal year will be imposed on private companies neglecting regulation enforcement.
- Private companies subject to criminal penalties may face fines ranging from 4% of their sales, within a range of $15,000 to $25 million.
- There are two categories of penalties for public institutions for non-compliance with regulations:
- A range from $3,000 to $30,000.
- A range from $15,000 to $150,000.
- Fines for violations committed by an individual range from $5,000 to $100,000.
Under the 25th Law , an organization subject to a pecuniary administrative penalty has the option to negotiate an agreement with the CAI, outlining the measures it plans to implement to remedy the violation or mitigate its consequences.
Under the 25th Law , citizens retain the right to initiate a civil lawsuit, including a class action, in case of intentional violation or gross negligence of their right to privacy, with damages starting at $1,000 per person. Organizations also face fines under the Quebec Civil Code, introducing specific sanctions absent from the federal legislation (LPRPDE).
Who is responsible for enforcing the 25th Law ?
The Commission des accidents du travail du Québec (CAI) is responsible for enforcing the 25th Law in the province.
When does the 25th Law take effect?
The 25th Law , adopted in September 2022, will be gradually implemented over three years, with requirements already in effect for the first year. The CAI plans to recruit technology experts and establish standards, guidelines, and publish a list of similar jurisdictions in the official Gazette of Quebec to inform businesses of their obligations to disclose personal information outside the province during this period.
Is your business ready for these changes?
The Cybersecurity and Data Protection team at MNP provides support for the internal analysis of your processes and technological solutions to determine your compliance with the 25 th Law . They also offer proactive assistance to enhance your information protection practices and data management in anticipation of future regulations, aiming to help you stay compliant and meet the evolving requirements of regulatory authorities and stakeholders.