Law 25 – Protection of personal information2023-12-21T10:32:22+01:00
Protection of personal information
Quebec’s Law 25, in force since September 2022, strengthens companies’ responsibility to protect personal data.
What is Law 25, and when does it apply?
Law 25, also known as “An Act to modernize legislative provisions respecting the protection of personal information”, aims to protect the population of Quebec. Its purpose is to make companies holding personal information on Quebec citizens more accountable.
Law 25 is being progressively implemented over a three-year period, starting on September 22, 2022. Most of its obligations came into force on September 22, 2023.
Who is affected by Law 25, and how do the fines work?
Law 25 applies to all private companies and public organizations that collect, process or share personal information. From September 22, 2023, this law requires all organizations to obtain explicit consent from individuals for the collection, use and disclosure of their personal information.
The reform introduces considerable penalties for companies for non-compliance with the legislation, similar to what happened with the General Data Protection Regulation (GDPR) in Europe. In the event of non-compliance with Law 25, companies risk fines and sanctions. The Commission d’accès à l’information (CAI – Commission for access to information) will have the option of imposing administrative monetary penalties of up to $10,000,000 or 2% of worldwide sales, as well as criminal penalties of up to $25,000,000 or 4% of worldwide sales.
What does a company need to do, and how can it comply?
With the new privacy responsibilities and obligations imposed on businesses, here are five key points to remember to ensure your company is compliant with the law:
1. Designate a privacy officer and make his or her contact details available on the company’s website or by other appropriate means.
2. Implement measures to prevent or reduce the impact of a privacy incident involving personal information, notify the Commission and the individuals concerned in the event of serious harm, and keep a register of incidents.
3. Identify the personal data stored by your company and evaluate their degree of vulnerability.
4. Inform the Commission in advance of any use of biometric techniques (e.g. fingerprint, facial or voice recognition).
5. Destroy personal information once the purpose of its collection has been fulfilled or anonymize it in order to use it for serious and legitimate purposes, subject to the conditions and retention period stipulated by law.
How can I protect citizens’ personal information?
The preparation of a data processing and retention plan is strongly recommended under Law 25. This plan sets a date by which the data collected must be destroyed or irreversibly anonymized.
Anonymization, a process that makes personal information irreversibly anonymous for various uses such as support, analysis, testing or outsourcing, is particularly emphasized under this law.
DOT Anonymizer offers an effective solution for complying with Law 25, while preserving data exploitability. The solution is compatible with a variety of platforms and databases, meeting the law’s strict criteria.