Are you fully informed about the ramifications and regulatory obligations established by Law 25, which is currently in effect in Quebec, as well as the forthcoming Bill C-27 at the federal level in Canada?
Our latest annual report, the IT Trends, highlights a troubling lack of awareness regarding these new regulations among Canadian businesses. The findings indicate that nearly 30% of respondents are not familiar with Law 25, while 28% are unaware of the impending Bill C-27.
In this article, we encourage you to concentrate on ensuring your organization's compliance and safeguarding against potentially severe financial and reputational consequences.
Summary of Law 25 and Upcoming Bill C-27
How to Sum Up Law 25 and Upcoming Bill C-27 in a Few Lines?
Law 25, effective September 2022 in Quebec, focuses on safeguarding personal information and upholding individuals' privacy rights. Meanwhile, the forthcoming Bill C-27, introduced in the House of Commons on November 4, 2022, seeks to consolidate three existing laws:
- Consumer Privacy Protection Act
- Personal Information and Data Protection Tribunal Act
- Artificial Intelligence and Data Act
This bill aims to enhance consumer privacy protections and regulate the ethical use of artificial intelligence (AI). The IT Trends report indicates that nearly 50% of respondents express concerns regarding various aspects of these regulations, including data security, information management, and consent for data collection.
Frequently Asked Questions from our Customers
What Does Law 25 Require of us?
The question of compliance with Law 25 is both pertinent and commonly asked. Here is an overview of the key points to consider:
1. Adherence to Strict Standards for the Collection, Use, and Retention of Personal Information:
The implementation of Law 25 mandates enhanced transparency in the handling of personal data. Organizations are required to explicitly inform individuals about the purpose of data collection and the manner in which their information will be used.
Consent must be obtained formally, typically through a checkbox on a form that clearly outlines the terms of data collection and usage. For instance: 
Additionally, individuals have the right to withdraw their consent at any time, which requires you to cease any further use of their data. They may also request an inventory of their data and demand its deletion.
2. Obligation to Inform Affected Individuals in the Event of a Data Breach:
In the case of a security breach involving personal data, it is essential to promptly notify the affected individuals. This notification must detail the nature of the incident, the specific data that was compromised, and the measures taken, as well as those planned, to mitigate the associated risks.
It is crucial to maintain an incident log, recognizing that an incident is not limited to security breaches; it also encompasses unintentional actions, such as mistakenly sending an email containing personal information to the wrong recipient.
3. Reporting Privacy Incidents to the Commission d’Accès à l’Information (CAI):
Any security incident that may result in significant harm to affected individuals must be reported to the Commission d’accès à l’information (CAI) within 72 hours. This report must include details of the incident, identify the impacted individuals, and outline the corrective actions that have already been taken, as well as those planned to prevent future breaches.
What Exactly is Personal Information?
In a constantly evolving regulatory landscape, it is essential for companies to understand the significance of personal information and the necessity of its protection. Many organizations mistakenly believe they do not handle personal data and, as a result, feel exempt from the implications of Law 25. This perception is a critical error.
The most sensitive categories of personal information include:The most sensitive personal information includes:
- Biometric data: fingerprints, DNA, face characteristics used for facial recognition
- Medical information: physical and mental conditions, medical history
- Personal preferences: political opinions, religious beliefs, sexual orientation
Although not all companies may collect this type of data, it is crucial to understand that even information considered less sensitive can still qualify as personal information. This includes:
| First Name | Last Name | Email Address | Mailing Address |
| Age | Social Insurance | Driver's License | Bank Information |
| IP Address | Size | Weight | Password |
If your company holds this information, it is imperative that you recognize your responsibility to protect personal information and comply with the law.
When Do I Have to Comply with this Law?
This visual outlines the deadlines and associated responsibilities for compliance.
Are you up to date?
If you find that you are not up to date, we encourage you to contact a Blair expert for guidance!
Contact an Expert
Is my Company Subject to the Bill if it is Located Outside Quebec?
If your company is based outside Quebec but engages with clients in the province, you are indeed subject to Law 25. This legislation applies not only to businesses operating within Quebec but also to those that handle the personal information of Quebec residents. Therefore, it is crucial to comply with this law to ensure the protection of your clients' personal data and to mitigate the risk of potential sanctions.
How Can my Company Prepare for the Upcoming Bill C-27?
While you have time to prepare for the forthcoming Bill C-27, it is advisable to start implementing certain practices within your organization now to avoid a rushed approach later. The bill incorporates principles already established in the Generally Accepted Privacy Principles (GAPP), such as:
- Responsibility: Organizations must take responsibility for protecting the personal information they possess, designating and publicly naming a personal information security officer
- Identity: Companies are required to clearly articulate the reasons for collecting personal information
- Consent: Individuals must provide their explicit consent prior to the collection and use of their data
- Limitation of Collection: The collection of information should be restricted to the data necessary to fulfill the identified objectives
- Use and Disclosure: Data may only be used or disclosed within the specific context for which it was originally collected
And other requirements stemming from Privacy by Design (PbD):
- Security: You are required to implement robust security measures to protect personal data
- Visibility and transparency: You must establish transparent data management practices that allow users to understand how their information is used
- Respect for choices: You must provide individuals with the ability to exercise control over their personal data, including the right to give or withdraw their consent
These principles can be found in a privacy policy on your website, as here for Blair.
Discover Blair's Privacy Policies
Consequences of Non-Compliance with the Law
Law 25 imposes financial penalties for companies that fail to prioritize data protection. These penalties can amount to as much as $10 million in fines or 2% of the company’s global revenue, whichever is greater.
In terms of compliance delays, penalties can vary based on the nature and severity of the breach. They may range from minor fines or administrative measures to more significant penalties. Additionally, beyond these financial consequences, companies risk losing client trust and facing reputational damage.
Bill C-27 stipulates that organizations may incur a maximum fine of up to $10 million or 3% of the organization’s gross global revenue for the previous fiscal year, whichever is higher.
Furthermore, any organization that intentionally violates the law or obstructs the Commissioner’s work during an investigation may be held accountable and face severe repercussions:
- From a criminal offense, subject to a fine of $25 million or 5% of gross global revenue
- From an offense punishable on summary conviction, which may result in a fine of $20 million or 4% of gross global revenue
To safeguard your company's financial health and reputation, it is essential to comply with the requirements set forth by the Quebec government. Proactively anticipate the obligations of the forthcoming Bill C-27 by reviewing your current practices and implementing the necessary adjustments to ensure compliance. Taking these steps will help mitigate risks and position your organization favorably in the evolving regulatory landscape.
Blair Technology Solutions: Your Trusted Partner on the Path to Compliance
We recognize that the journey toward regulation and compliance can be complex and daunting. With numerous legal requirements to navigate, it’s easy to feel overwhelmed. That’s why Blair's experts are here to guide you through this process.
Here are some key steps we provide:
- Comprehensive Diagnosis: We conduct a thorough audit of your organization to assess all requirements mandated by the law
- Roadmap: We develop a detailed action plan to help you meet regulatory requirements based on our diagnosis
- Legal Compliance: Our team assists you in preparing for legal matters related to the law
- Data Governance: We implement stringent data governance practices, including:
- Discovery and Classification of Sensitive Data: Identify and categorize your data for optimal management
- Simplification of Data Privacy Compliance: Develop clear and effective strategies to ensure the protection of information
- Governance of Sensitive Data: Establish robust governance policies to ensure proper data management
- Risk Assessment Related to Data: Measure and mitigate risks associated with the management of personal data
- Automation of Data Subject Access Requests (DSAR), Privacy Impact Assessments (PIA), and Data Transfers (TIA): Streamline these processes to achieve appropriate compliance
- Active Data Governance: Implement continuous and proactive monitoring of data management to ensure ongoing compliance
Discover Blair’s Managed Security Services Provider (MSSP) solutions, strategically built on key pillars designed to maximize benefits while optimizing cost-effectiveness. Our offerings include compliance and data governance, ensuring that you meet regulatory requirements efficiently.
Learn how our MSSP can guide you through the complexities of compliance and help you establish robust data governance practices.
Let us support you in achieving your security and compliance objectives!
