May 1, 2023

Bill 25

Personal Data: Significant Changes

If you are unaware that the second phase of an amendment to Bill 25 comes into effect in September, you are not alone. However, this change, and the one in the following phase, could greatly impact you!

In Quebec, Bill 25 essentially focuses on the protection of personal information. It’s not a recent development, with its first version dating back to 1993. The Bill has undergone some amendments, notably in 2001 and 2006, but these changes and their application went largely unnoticed by most entrepreneurs, mainly due to a lack of information. However, three new amendments are changing the landscape.

“The first phase, which came into effect in September 2022, requires every entrepreneur to appoint a personal information protection officer,” says lawyer Dani Ann Robichaud. “This officer must report any incidents related to citizens’ personal data to the government.”

Tight Control

In fact, the company must establish a policy outlining the practices it adopts to govern personal information and ensure its protection. “This process will remain in effect throughout the life cycle of the collected information, and the company must be able to address complaints or requests for information related to the personal information it holds,” adds Robichaud.

In the second phase, the entrepreneur will have to evaluate privacy factors for employees, customers, and suppliers based on its methods of collecting and using information (subscriptions, website, sharing, and destruction of information).

“Thirdly, in collaboration with the person responsible for personal information protection, the company must ensure regular updates to its database. The Bill 25 provides for a right to be forgotten, stating that after a certain time, data must be destroyed,” she concludes.

Questions

The implementation of these changes and the application of Bill 25 are not without raising questions:

  • Does the law aim to hold an employee personally accountable and subject to fines in case of non-application of personal information protection mechanisms?
  • Is the collection of information to establish a customer profile (e.g., age, gender) subject to this control?
  • Is the collection of video images by a security camera system exempt from Bill 25?
  • If a convenience store owner, a victim of theft, transmits images of the crime to the police without a warrant, does he commit an offense? Does he obstruct police work if he refuses to do so under Bill 25?
  • Does the government have the means to achieve its ambitions? Will it operate based on complaints or audits?

Uncertainty

Surprisingly, Bill 25 was not invoked by politicians during the Desjardins or Facebook-Cambridge Analytica scandals. Moreover, how is the sending of personal data to servers outside Quebec handled? Information online regarding the three phases of amendments from 2022 to 2024 is practically nonexistent. However, the government would benefit from publicizing the application of these amendments to allow entrepreneurs to comply. Note that a non-compliant company could face a fine of $10 million or up to 2% of its international revenue…

ADVISORY BOX

The establishment of a policy regarding the management and disposal of personal information should be undertaken as soon as possible, but with caution. From the collection of information to handling complaints, your company must be able to demonstrate that it acts diligently and efficiently in managing this type of information. An advisor from La Boîte Juridique can assist you in developing a plan that incorporates best practices, thus helping you avoid unpleasant surprises…

WARNING: The information contained in this article, while of a legal nature, does not constitute legal advice. It is recommended to consult with a professional for advice that will address your specific situation.