Quebec: An overview of Law 25 - Part two

On 22 September 2022, various provisions of the Act to modernize legislative provisions as regards the protection of personal information, 2021, Chapter 25 ('Law 25') (formerly known as Bill 64) entered into force. Law 25's legal effect is staggered, with separate provisions entering into force in September 2022, September 2023, and September 2024. OneTrust DataGuidance provides an overview of the provisions which affect private bodies entering into force in September 2023 and September 2024.

The majority of the Amendments Act's provisions will enter into force in September 2023, including the obligation to publish a privacy policy and to inform data subjects when they are being subject to automated decision-making and when identification, location, or profiling technology is used. Likewise, Law 25 requires processors of personal information to anonymise personal information, carry out privacy impact assessments, and provide parameters ensuring the highest level of confidentiality for technological services. Furthermore, Law 25 also establishes new conditions for the transferring of personal information in circumstances relating to death, and the collection of personal information concerning minors under 14 years of age.

Finally, in September 2024, Law 25 establishes the right to data portability for data subjects.

September 2023

Governance of personal information

In particular, Law 25 requires that companies establish and implement governance policies and practices regarding personal information that ensure the protection of such information. More specifically, the policies and practices must include (Section 3.2 of Law 25):

  • rules applicable to the retention and destruction of personal information;
  • the roles and responsibilities of staff members throughout the life cycle of personal information; and
  • a process for handling privacy complaints.

Furthermore, the policies and practices must be proportionate to the nature and scope of the company's activities and be approved by the person in charge of personal information protection (Section 3.2 of Law 25).

Detailed information about those policies and practices must be published in simple and clear language on the enterprise’s website or, if the enterprise does not have a website, made available by any other appropriate means (Section 3.2 of Law 25).


Law 25 also establishes obligations designed to promote transparency, which include the publishing of a privacy policy. In particular, any person who collects personal information through technological means must publish on the company's website a confidentiality policy, which uses clear and simple language, and disseminate such a policy by an appropriate means to reach the persons concerned. The same process must also be followed for any amendment to the policy (Section 8.2 of Law 25).

In addition, a company which uses personal information to render a decision based exclusively on automated processing must inform the person concerned no later than at the time it informs the person of the decision. Further, the company must inform the person concerned of (Section 12.1 of Law 25):

  • the personal information used to render the decision;
  • the reasons, factors, and parameters used in the decision; and
  • the right of the data subject to have the personal information used in the decision corrected.

In addition, the person concerned must be given the opportunity to submit observations to a member of the personnel of the enterprise who is in a position to review the decision.

Likewise, organisations which collect personal information from data subjects using technology that allows them to be identified, located, or profiled must inform data subjects of the use of such technology. Importantly, such technology must be turned off by default, and data subjects must be informed of the possibility of activating functions that allow a data subject to be identified, located, or profiled (Section 8.1 of Law 25).


Notably, Law 25 requires that where the purpose of personal information collected or used has been achieved, the responsible organisation must destroy the information, or anonymise it for potential use for serious and legitimate purposes. Information concerning data subjects is considered to be anonymised where the information no longer allows the person to be identified directly or indirectly (Section 23 of Law 25).

Information anonymised under Law 25 must be anonymised according to generally accepted best practices and according to the criteria and terms determined by regulation (Section 23 of Law 25).


Law 25 lays out that any organisation must conduct a Privacy Impact Assessment ('PIA') for any project to acquire, develop, or overhaul an information system or electronic delivery system involving the collection, use, communication, keeping, or destruction of personal information. The relevant person in charge of personal information should be consulted at the outset of such a project (Section 3.3 of Law 25).

Moreover, the PIA must be proportionate to the sensitivity of the information concerned, its purpose, the quantity and distribution of information, and the medium in which it is stored. The person must also ensure that the project allows computerised personal information collected from the person concerned to be communicated to them in a structured, commonly used technological format (Section 3.3 of Law 25).

Further, it should be noted that before transferring personal information outside Quebec, organisations must conduct a PIA, taking into account (Section 17 of Law 25):

  • the sensitivity of the information;
  • the purposes for which it is to be used;
  • the protection measures, including those that are contractual, that would apply to it; and
  • the legal framework in the applicable State to which the personal information is being transferred, including the personal information protection principles applicable in the State.

Personal information may be transferred if the assessment establishes it would receive adequate protection, with particular regard given to data protection principles. The communication of the information must be the subject of a written agreement that takes into account, in particular, the results of the assessment and, if applicable, the terms agreed on to mitigate the risks identified in the assessment (Section 17 of Law 25).

Please note that the requirements above apply where a company entrusts a person or body outside Québec with the task of collecting, using, communicating, or keeping such information on its behalf.

Privacy by default

Under Law 25, organisations must ensure that the privacy settings of the products and services they offer provide the highest level of confidentiality of personal information, without requiring intervention by the data subject. However, Law 25 clarifies that privacy by default does not apply to the privacy settings of cookies (Section 9.1 of the Law).


Unless the person concerned gives their consent, personal information may not be used by an organisation except for the purposes for which it was collected. Such consent must be given expressly when it concerns sensitive personal information (Section 12 of Law 25).

Law 25 has introduced new conditions surrounding consent, under which personal information may be used for another purpose without consent when (Section 12 of Law 25):

  • it is used for purposes consistent with the purposes for which it was collected;
  • it is clearly used for the benefit of the person concerned;
  • its use is necessary for the purpose of preventing and detecting fraud or of assessing and improving protection and security measures;
  • its use is necessary for the purpose of providing or delivering a product or providing a service requested by the person concerned; or
  • its use is necessary for study or research purposes or for the production of statistics and if the information is de-identified.

However, Law 25 notes that to be consistent with the purpose for which it is collected, the new purpose must have a direct and relevant connection with the original purpose. Please note, commercial or philanthropic prospection is not considered a consistent purpose (Section 12 of the Act).

Right to erasure/de-indexing

The right to erasure under the Privacy Act has also been amended by Law 25, with data subjects to whom personal information relates holding the right to request that organisations cease processing their personal data. Equally, data subjects may request that organisations de-index any hyperlink attached to their name which provides access to personal information, if the dissemination of personal information contravenes the law or a court order. De-indexing, or re-indexing, may be requested where the following conditions are met (Section 28.1 of Law 25):

  • the dissemination of the information causes the person concerned serious injury in relation to their right to the respect of their reputation or privacy;
  • the injury is clearly greater than the interest of the public in knowing the information or the interest of any person in expressing themselves freely; and
  • the cessation of dissemination, re-indexation or de-indexation requested does not exceed what is necessary for preventing the perpetuation of the injury.

In assessing the criteria above, the following must be taken into account:

  • the fact that the person concerned is a public figure;
  • the fact that the information concerns the person at the time they were a minor;
  • the fact that the information is up to date and accurate;
  • the sensitivity of the information;
  • the context in which the information is disseminated;
  • the time elapsed between the dissemination of the information and the request made under this section; and
  • where the information concerns a criminal or penal procedure, the obtaining of a pardon or the application of a restriction on the accessibility of records of the courts of justice.

Deceased persons

Following changes implemented under Law 25, organisations may communicate personal information they hold concerning deceased persons to the spouse or a close relative if the knowledge of the information may help in the grieving process and the deceased person did not record in writing their refusal to grant right of access (Section 40.1 of Law 25).


Similarly, the personal information of a minor under 14 years of age may not be collected from them without the consent of the person having parental authority or of a tutor, unless the collection of personal information is clearly for the minor's benefit (Section 4.1 of Law 25).

September 2024

Data portability

The final obligation imposed by Law 25, which will enter into force in September 2024, is the right to data portability. Specifically, where a person so requests, organisations must communicate to them, in a structured and commonly used technological format, computerised personal information collected from them. Furthermore, Law 25 adds that this communication may be made to a person or organisation authorised to collect information at the request of the person concerned (Section 30 of Law 25).

Harry Chambers Privacy Analyst