The reform of Quebec’s Privacy Laws: What companies need to know

On September 22nd, the first set of provisions of the Act to modernize legislative provisions as regards the protection of personal information[1], also known as Bill 25 (“Bill 25”), came into force. Among other things, Bill 25 modernizes the Act respecting the protection of personal information in the private sector. An excellent summary of the new obligations coming into force in this first phase was prepared by my colleague Mélanie Masson and published on February 25th[2].

It is now time to look at some of the obligations that will come into force on September 22, 2023.

  1. Privacy Policy

Bill 25 will require companies to establish rules for the governance of personal information.  The policy must ensure the protection of personal information, including providing a framework for the retention and destruction of personal information, establishing the roles and responsibilities of its employees throughout the lifecycle of such information and providing for a complaints process.  Bill 25 also includes a proportionality test, so that the confidentiality rules set in place are proportionate to the nature of the information collected and the importance of the company’s activities.

Companies must publish and disseminate on their website, in simple and clear terms, detailed information on the policies and practices governing the management of personal information, including details about the above-mentioned information.

  2. Privacy Impact Assessment (PIA)

Bill 25 introduces a requirement to conduct a Privacy Impact Assessment (“PIA”) when the circumstances of the data collection so require.  It should be noted that PIAs are a concept enshrined in federal privacy legislation and have been implemented for several years through the Office of the Privacy Commissioner of Canada.

In short, PIAs are intended to mitigate the risk of inappropriate or unauthorized collection, use, release, keeping or destruction of personal information.  This risk management process is designed to ensure that private sector organizations comply with the requirements of Bill 25 and to identify the potential privacy impact of their activities.

Among other things, Bill 25 states that any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, release, keeping or destruction of personal information requires a PIA.  The release, if any, may be made if the PIA demonstrates that the information would still be adequately protected.  This assessment must be overseen by the Privacy Officer (a requirement effective as of September 22, 2022) and be documented in a written agreement to detail the results of the PIA and the measures to mitigate the risks identified by the PIA.

  3. The right to cease dissemination, the right to re-index or de-index (the right to be forgotten)

Any person may, if personal information concerning him is inaccurate, incomplete or equivocal, require that the said information be rectified.  An individual may also require that unlawful collection, communication or keeping of personal information be carried out in accordance with the law.

An individual may also require that the dissemination of the information cease, or that any hyperlink attached to his name be re-indexed or de-indexed, when the dissemination contravenes the law or a court order.  Any person may also require the company to cease disseminating that information when the following three criteria are met:  (i) the dissemination causes serious harm to the individual’s reputation or privacy; (ii) the harm clearly outweighs the public interest in knowing the information or the interest of any person’s free expression; and (iii) the release, re-indexing or de-indexing requested does not exceed what is necessary to prevent the harm from continuing.

In addition to these three new provisions, private companies will have to comply with new requirements for consent prior to collection, destruction, release and use of private information.  The Commission d’accès à l’information has published a “Checklist” to assist companies in complying with the new provisions of Bill 25, effective as of September 22, 2023, and September 22, 2024.

By Catherine Demers

[1] 2021, Chapter 25.