July 27, 2023

Understanding the New Phase of Quebec's Law 25

Privacy laws across countries, states, and provinces are constantly changing. It is crucial for business owners to be aware and well-informed regarding these dynamic shifts, as changes can impact not only the businesses themselves but also the customers they serve.

In September 2022, Quebec, Canada, implemented Law 25, a comprehensive privacy legislation that significantly updates the country’s privacy laws. Law 25, officially known as “The Act to modernize legislative provisions as regards the protection of personal information”, governs the protection of personal information in Quebec. It aligns Quebec's privacy requirements with European-style privacy regulations, such as the General Data Protection Regulation (GDPR). Initially introduced as Bill 64, Law 25 was adopted by the National Assembly of Québec in September 2021, and its last provisions came into effect in September 2022. New changes are coming into effect in September 2023 and again in September 2024.

Law 25 applies to both private and public entities and impacts not only Quebec-based organizations but also those who conduct business with Quebec residents or operate within the province. Any organization dealing with personal information from Quebec must comply with the law's provisions.

The law introduces several significant changes that have a substantial impact on organizations. Some key requirements include, but are not limited to:

• Privacy Officer: All organizations must have a designated Privacy Officer or an equivalent position responsible for privacy matters.
• Privacy Impact Assessment: Specific measures are outlined for conducting Privacy Impact Assessments to identify and mitigate privacy risks associated with projects and initiatives.
• Privacy Policies: Organizations must have publicly available privacy policies that outline their internal privacy practices.
• Privacy Breach Notifications: Mandatory reporting of privacy breaches to both the Commission d'accès à l'information (CAI) du Québec and affected individuals is required.
• Enhanced Consent and Transparency: Increased transparency is required for obtaining consent and collecting personal information, with clear disclosure of data rights and the purposes of data collection.
• Privacy by Design: Organizations must implement privacy by design principles in their technologies and systems.
• New Data Rights: Law 25 introduces data rights for individuals, including data portability, rights related to automated decision-making, data profiling rights, and the right to be forgotten.

Law 25 imposes more severe penalties for non-compliance compared to the previous regime. The penalties vary based on the size and type of organization, ranging from fines to criminal penalties. Private organizations may face fines of up to $10 million or 2% of their worldwide turnover, while public institutions face tiered fines between $3,000 and $150,000. Individuals responsible for violations may be subject to fines ranging from $5,000 to $100,000.

Regulatory Changes Taking Effect in September 2023

In September 2023, Phase 2 of regulatory changes will be implemented, which will introduce additional requirements. These include the need for organizations to have easily accessible privacy policies, practices for retaining and destroying personal information, privacy governance and program development, privacy impact assessments, and enhanced consent and collection practices. The law also emphasizes privacy by design principles and the right to be forgotten.

To adapt to the evolving privacy landscape, organizations should proactively evaluate their processes, policies, and technologies. Law 25 is stringent privacy legislation in Quebec that significantly enhances personal information protection. It also emphasizes the need to destroy personal information once its intended purposes have been fulfilled.

In cases where there is a legitimate reason to retain the information, anonymity should be considered. Confidential information contained in physical assets like paper documents and hard drives poses a threat both within and outside the office, with breaches potentially originating from external individuals or trusted employees. According to Verizon's 2022 Data Breach Investigations Report, 82% of data breaches involved a human element, and some breaches targeted physical materials. Therefore, it is crucial for organizations to implement measures such as professional paper shredding and hard drive destruction services to securely dispose of items that are no longer needed, ensuring the protection of sensitive information.

How Shred-it^® Can Help

While larger businesses may have more resources in the form of tools and staff, small businesses may struggle to understand and comply with the changing regulatory landscape. The 2022 Shred-it^® Data Protection Report (DPR) found that 58% of the small business leaders (SBLs) surveyed cannot keep track of shifting privacy regulations, and about 25% of SBLs do not understand the laws and how to comply with the rules that apply to them.

We offer resources to help our secure information destruction customers comply with applicable requirements, including:

• Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada
• California Consumer Privacy Act (CCPA)
• Healthcare Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley-Act (GLBA)
• General Data Protection Regulation (GDPR)

Organizations must make sure their employees are familiar with Quebec’s Law 25 and what their role is in ensuring compliance. Training should cover proper document disposal for electronic and paper documents and address what to do in the office versus when working from home.

How to Securely Destroy Personal Information

Businesses can use a trusted professional shredding service like Shred-it^® that offers a variety of shredding options:

• One-time shredding: Shred-it ^® will perform a one-time collection of documents.
• Regularly-scheduled shredding: Lockable containers are provided in addition to regularly scheduled pickups.
• Drop-off shredding: Drop off documents at a local Shred-it ^® office.
• Free shredding events: Bring a box of papers to a community shred event.
• Mobile shredding services: Shred-it ^® performs the shredding of documents on-site.
• Specialty shredding services: For businesses who require the secure destruction of non-paper items such as price books, media, medical records, exams, expired IDs, old uniforms, and more.
• Hard drive destruction: Data can be recovered from devices, even if it has been manually deleted. Shred-it ^® offers state-of-the-art technology to permanently delete hard drive data by physically destroying the device. Contact Shred-it ^® for availability.

Learn more about how Shred-it^® can help play a role in your physical data security efforts. Download our Law 25 Info Sheet for more information on the new regulatory changes coming into effect in September 2023 and 2024.