If you are a business owner in Quebec, you have probably heard about Bill 25. This law significantly changes the way businesses must handle and protect the personal data of Quebec residents. Failure to comply with Bill 25 can result in hefty fines and legal repercussions.
At its core, Bill 25 aims to enhance the privacy rights of individuals and give them more control over their personal information. It introduces new rules for collecting, using, and storing personal data, and imposes stricter security requirements for safeguarding it. In this article, we will provide a comprehensive guide on everything you need to know about being compliant.
What is Bill 25, and why is it important?
Bill 25, also known as An Act to modernize legislative provisions as regards the protection of personal information, is a new data protection law that replaces Quebec’s previous privacy law, the Act respecting the protection of personal information in the private sector. The new law is part of Quebec’s efforts to align its data protection framework with international best practices, such as the European Union’s General Data Protection Regulation (GDPR).
Bill 25 is important because it significantly strengthens the privacy rights of Quebec residents and imposes new obligations on businesses that collect, use, or disclose personal information. It also gives Quebec’s privacy commissioner more enforcement powers and the ability to impose substantial fines for non-compliance.
Who does it apply to?
Bill 25 applies to all businesses operating in Quebec, regardless of their size or industry, that collect, use, or disclose personal information of Quebec residents. This includes businesses that are located outside of Quebec but offer goods or services to Quebec residents, or monitor their behavior.
What are the key provisions of the new law?
Bill 25 introduces several key provisions that businesses need to be aware of to ensure compliance. Some of the most significant provisions are:
- Consent requirements: The bill imposes stricter requirements for obtaining valid consent to collect, use, or disclose personal information. Businesses must obtain explicit consent, and the consent must be specific, informed, and freely given. The burden of proof for obtaining valid consent lies with the business.
- Data breach notification: The bill requires businesses to report data breaches to the privacy commissioner and affected individuals as soon as feasible. The notification must include details about the breach, its potential consequences, and the measures taken to mitigate the risk.
- Right to be forgotten: The bill gives individuals the right to request the erasure of their personal information, subject to certain exceptions. Businesses must comply with these requests, and ensure that the erased data is not disclosed or used for any other purposes.
- Data transfer restrictions: The bill limits the transfer of personal information to third parties outside of Quebec, unless the third party offers an adequate level of protection, or the transfer is necessary for the performance of a contract.
- Privacy impact assessments: The bill requires businesses to conduct privacy impact assessments when introducing new technologies or business practices that could have an impact on individuals’ privacy rights. This is designed to help businesses identify and mitigate potential privacy risks.
What are the penalties for non-compliance?
Businesses that fail to comply with Bill 25 can face substantial fines of up to 4% of their worldwide turnover, or CAD 25 million, whichever is greater. Individuals who violate the law can also be subject to fines of up to CAD 50,000.
To learn more about Bill 25 compliance and the required steps, contact an expert.