Are you fully informed about the ramifications and regulatory obligations of Law 25, now in effect in Quebec, and of the forthcoming Bill C-27 at the federal level in Canada?
Our latest annual IT Trends report highlights a troubling lack of awareness of these regulations among Canadian businesses: nearly 30% of respondents are not familiar with Law 25, and 28% are unaware of the impending Bill C-27.
In this article, we encourage you to concentrate on ensuring your organization's compliance and safeguarding against potentially severe financial and reputational consequences.
Law 25, adopted in Quebec in September 2021 with its obligations coming into force in phases from September 2022 to September 2024, focuses on safeguarding personal information and upholding individuals' privacy rights. Meanwhile, Bill C-27, introduced in the House of Commons on June 16, 2022, would enact three new federal acts:
This bill aims to strengthen consumer privacy protections and to regulate the development and use of artificial intelligence (AI) systems. The IT Trends report indicates that nearly 50% of respondents express concerns about aspects of these regulations, including data security, information management, and consent for data collection.
The question of compliance with Law 25 is both pertinent and commonly asked. Here is an overview of the key points to consider:
Law 25 mandates greater transparency in the handling of personal data. Organizations must explicitly inform individuals, at the time of collection, of the purposes for which their information is collected and how it will be used.
Consent must be manifest, free and informed, given for specific purposes, and requested in clear, simple language; it is typically captured through a checkbox on a form that outlines the terms of collection and use (a pre-ticked box does not count). For instance:
Individuals also have the right to withdraw their consent at any time, after which you must stop using their data for the purposes covered by that consent. They may also request access to the personal information you hold about them and ask for its deletion.
When a security breach involves personal data, you must promptly notify the affected individuals. The notification must describe the nature of the incident, the specific data that was compromised, and the measures taken, as well as those planned, to reduce the associated risks.
You must also keep a register of confidentiality incidents. An incident is not limited to a deliberate attack; it includes unintentional actions, such as mistakenly sending an email containing personal information to the wrong recipient.
Any confidentiality incident that presents a risk of serious injury to the affected individuals must be reported to the Commission d'accès à l'information (CAI). The Act requires this report to be made with diligence, as soon as the risk is identified, rather than within a fixed number of hours. The report must describe the incident, identify the individuals concerned, and outline the corrective actions already taken as well as those planned to prevent a recurrence.
In a constantly evolving regulatory landscape, it is essential for companies to understand the significance of personal information and the necessity of its protection. Many organizations mistakenly believe they do not handle personal data and, as a result, feel exempt from the implications of Law 25. This perception is a critical error.
The most sensitive categories of personal information include:
Although not every company collects data of that kind, it is crucial to understand that information considered less sensitive still qualifies as personal information as soon as it can identify a person. This includes, for example:
First name, last name, email address, mailing address, age, social insurance number, driver's licence number, bank information, IP address, height, weight, and passwords.
If your company holds this information, it is imperative that you recognize your responsibility to protect personal information and comply with the law.
Are you up to date?
If you are not, we encourage you to contact a Blair expert for guidance.
If your company is based outside Quebec but does business with clients in the province, you are still subject to Law 25. The legislation applies not only to businesses operating within Quebec but also to any enterprise that collects or holds the personal information of Quebec residents. Complying with it is therefore essential both to protect your clients' personal data and to avoid potential sanctions.
While you still have time to prepare for Bill C-27, it is advisable to start implementing certain practices in your organization now rather than rushing later. The bill incorporates principles already established in the Generally Accepted Privacy Principles (GAPP), such as:
And other requirements stemming from Privacy by Design (PbD):
These principles can be found in a privacy policy on your website, as in Blair's own privacy policy.
Law 25 imposes financial penalties on companies that fail to protect personal information. Administrative monetary penalties can reach $10 million or 2% of the company's worldwide turnover for the preceding fiscal year, whichever is greater, and penal fines for the most serious offences can reach $25 million or 4% of worldwide turnover.
In the event of non-compliance, the penalty depends on the nature and severity of the breach, ranging from minor fines or administrative measures to the maximum amounts above. Beyond these financial consequences, companies also risk losing client trust and suffering reputational damage.
Bill C-27 provides for administrative penalties of up to $10 million or 3% of the organization's gross global revenue for the previous fiscal year, whichever is higher.
Furthermore, any organization that knowingly violates the law or obstructs the Commissioner's work during an investigation may face more severe repercussions:
To safeguard your company's financial health and reputation, comply with the requirements set by the Quebec government now, and anticipate the obligations of Bill C-27 by reviewing your current practices and making the necessary adjustments. Doing so reduces your risk and positions your organization well in an evolving regulatory landscape.
We recognize that the journey toward regulation and compliance can be complex and daunting. With numerous legal requirements to navigate, it’s easy to feel overwhelmed. That’s why Blair's experts are here to guide you through this process.
Here are some key steps we provide:
Discover Blair’s Managed Security Services Provider (MSSP) solutions, strategically built on key pillars designed to maximize benefits while optimizing cost-effectiveness. Our offerings include compliance and data governance, ensuring that you meet regulatory requirements efficiently.
Learn how our MSSP can guide you through the complexities of compliance and help you establish robust data governance practices.
Let us support you in achieving your security and compliance objectives!