Quebec: An overview of Law 25 - Part one
On 22 September 2022, various provisions of the Act to modernize legislative provisions as regards the protection of personal information, 2021, Chapter 25 ('Law 25') (formerly known as Bill 64) entered into force. Law 25's legal effect is staggered, with provisions entering into force in September 2022, September 2023, and September 2024. In part one of this series, OneTrust DataGuidance provides an insight into the provisions of Law 25 which affect private bodies and entered into force on 22 September 2022. Part two will examine the provisions which will enter into effect in September 2023 and September 2024.
In general, Law 25 establishes a series of obligations from 22 September 2022, including:
- the appointment of a privacy officer;
- breach notification to the Quebec Commission on Access to Information ('CAI') where the breach presents a serious risk of harm;
- the ability to disclose personal information without the consent of data subjects in specific circumstances; and
- notification to the CAI on creation of a biometric database.
Privacy officer appointment
In particular, Law 25 amends Section 3.1 of the Act respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1 ('the Privacy Act'), introducing a mandatory requirement to appoint a privacy officer. Specifically, Section 3.1 of the Privacy Act states that anyone who operates a business is responsible for protecting the personal information in their possession, and requires that the person with the highest authority ensure compliance with that responsibility; this function may be delegated in writing, wholly or partially, to a staff member. In addition, the title and contact details of the privacy officer must be published on the company website or, if no website is available, made accessible by other appropriate means.
Data breach notification
Law 25 requires a person carrying out a business, who believes that a confidentiality incident has occurred involving personal information in their possession, to take reasonable measures to reduce the risk of harm being caused and prevent new similar incidents from occurring. More specifically, Law 25 outlines that if an incident presents a serious risk of harm being caused, the CAI must be notified, along with any person whose personal information was affected by the incident (Section 3.5 of the Privacy Act).
Further, such organisations may notify any person or organisation likely to reduce the risk of serious harm being caused, communicating to them only the personal information necessary, without the consent of the person concerned. Under such circumstances, the privacy officer must record the communication (Section 3.5 of the Privacy Act).
In addition, the notification of a data subject of a confidentiality incident is not required, where the disclosure of personal information to a data subject may hinder an investigation carried out by the organisation which is responsible for preventing unlawful disclosure of personal information (Section 3.5 of the Privacy Act).
A 'confidentiality incident' under the Privacy Act is defined to include (Section 3.6 of the Privacy Act):
- access not authorised by law to personal information;
- use not authorised by law of personal information;
- communication not authorised by law of personal information; or
- loss of personal information or any other breach of the protection of such information.
Likewise, in assessing the risk of harm to a person whose personal information is concerned in a confidentiality incident, the factors to consider include (Section 3.7 of the Privacy Act):
- the sensitivity of the information concerned;
- the anticipated consequences of its use; and
- the likelihood that such information will be used for injurious purposes.
In such an assessment, the person in charge of the protection of personal information at the affected organisation must be consulted.
Finally, a register of confidentiality incidents must be kept, and a copy provided to the CAI at its request (Section 3.8 of the Privacy Act).
Processing without consent
Law 25 enables persons processing personal information to communicate personal information without the consent of the persons concerned to a person or body wishing to use the information for a study, research purposes, or for the production of statistics (Section 21 of the Privacy Act).
Such information may be communicated if a privacy impact assessment ('PIA') concludes (Section 21 of the Privacy Act):
- the objective of the study, research, or production of statistics can be achieved only if the information is communicated in a form allowing the persons concerned to be identified;
- it is unreasonable to require the person or body to obtain the consent of the persons concerned;
- the objective of the study, research, or production of statistics outweighs, with regard to public interest, the impact of communicating and using the information on the privacy of the persons concerned;
- the personal information is used in a manner to ensure confidentiality; and
- only necessary information is communicated.
Persons who communicate personal information without the consent of the data subject must first enter into an agreement with the person or body to whom the information is sent, stipulating that the information must (Section 21.02 of the Privacy Act):
- be made accessible only to persons who need to know it to exercise their functions and who have signed a confidentiality agreement;
- not be used for purposes other than those specified in the detailed presentation of the research activities;
- not be matched with any other information that has not been provided for in the detailed presentation of the research activities; and
- not be communicated, published, or otherwise distributed in a form allowing the data subjects concerned to be identified.
In addition, the agreement must also (Section 21.02 of the Privacy Act):
- specify the information that must be provided to the data subjects concerned if personal information concerning them is used to contact them to participate in the study or research;
- provide for measures for ensuring the protection of the personal information;
- determine a preservation period for the personal information;
- set out the obligation to notify the person who communicates the personal information of its destruction; and
- provide that the person who communicates the personal information and the CAI must be informed without delay:
  - of non-compliance with the agreement;
  - of any failure to protect personal information under the agreement; and
  - of any event that could breach confidentiality of the information.
However, prior to the conclusion of such an agreement, the person or organisation wishing to use personal information for study, research, or statistical purposes must (Section 21.01 of the Privacy Act):
- enclose a detailed presentation of the research activities with the request;
- state the grounds supporting fulfilment of the PIA criteria above;
- mention all the persons and bodies to whom or which the person or body is making a similar request for the purposes of the same study, research, or statistics;
- if applicable, describe the different technologies that will be used to process the information; and
- if applicable, send the documented decision of a research ethics committee relating to the study, research, or production of statistics.
In addition, where the transfer of personal information is necessary for concluding a commercial transaction, organisations may transfer such information without the consent of the person concerned. However, an agreement must first be made in which the other party to the transaction undertakes (Section 18.4 of the Privacy Act):
- to use the information only for concluding the commercial transaction;
- not to communicate the information without the consent of the data subject, unless authorised to do so by Law 25;
- to take the measures required to protect the confidentiality of the information; and
- to destroy the information if the commercial transaction is not concluded or if using the information is no longer necessary for concluding the commercial transaction.
Equally, where the other party wishes to continue using the personal information or to transfer it, that party may use or transfer it only in accordance with Law 25. It should be noted that the other party must also notify the data subject that it now holds their personal information owing to the transaction. A 'commercial transaction' is taken to mean the alienation or leasing of all or part of an enterprise or of its assets, a modification of its legal structure by merger or otherwise, or the obtaining of a loan or any other form of financing by the enterprise or of a security taken to guarantee any of its obligations (Section 18.4 of the Privacy Act).
Biometric database notification
Law 25 also amends the Act to Establish a Legal Framework for Information Technology, CQLR c C-1.1 ('LCCJTI'), requiring the CAI to be notified within 60 days of the creation of a database containing biometric characteristics and measurements.
As mentioned above, other provisions contained within Law 25 will enter into effect in September 2023 and September 2024.
Harry Chambers, Privacy Analyst