Bill 25: New obligations for businesses in Quebec and Canada

Whether it is in Quebec, or anywhere else in the world, the digital and technological environment in which we operate brings its share of issues. These could include protecting personal information against cyber espionage, cyber attacks, and identity theft. Therefore, it became essential for the provincial and federal government to take concrete measures to ensure everyone’s privacy is protected.

    In light of this, two questions arise :

  • Does your company comply with the various laws regarding the collection, use, and disclosure of personal information, such as Law 25?
  • Additionally, does your company use a solution specifically designed to secure emails considering that 95% of employees claim to have already sent confidential documents this way?

At Secure Exchanges, ensuring the security of confidential document exchanges by email is at the very heart of our mission. In this article, the best practices to implement in the context of the new provisions of Law 25 in Quebec and other Canadian laws will be discussed.

Here is the list of topics that will be covered

Protection of personal information: a priority for companies

Financial impact

More than a quarter of Canadian businesses have already been victims of a computer attack, and that statistics is only increasing over time. Therefore, apart from complying with the law, there are many reasons why protecting personal information should be a priority for any organization.

Usually motivated by financial gain, these attacks are mostly focused on the acquisition of personal information which is commonly known as identity theft. In addition to creating operational slowdowns, this type of attack will have a definite impact on your organisation.

The cost of a security breach alone represents an average of $100,000 in costs for a Canadian company. On a global scale, experts estimate that the costs associated with cybercrime will reach some $10.5 billion annually by 2025*.

Reputational impact

In addition to keeping you away from this major expense, ensuring the protection of confidential documents actively contributes to a strong bond of trust you have built with your customers, partners, and employees. Maintaining customer relationships is crucial as it costs up to 10 times more to acquire a new customer than to keep an existing one.

What is Bill 25 and what are the current rules?

Managed by the Commission d'accès à l'information du Québec, Bill 25 is the result of Bill 64which was introduced in 2020. It is an act to modernise legislative provisions regarding the protection of personal information. Moreover, it is a strengthening of the current laws and addresses all private companies and public organisations in the province.

In September 2022, completely new provisions came into force. The objective was to increase the protection of personal information and to enhance the accountability and transparency of organizations and businesses. With respect to the management of personal information, businesses and organizations must:

  • Designate a person responsible for the protection of personal information and publish their title and contact information on the company's website.
  • Keep a record of all privacy incidents and take action to reduce the risk of harm to individuals. The Commission and the individuals concerned should also be notified of any incidents that present a harmful risk.
  • Disclose any verification or confirmation of identity using biometric features or measurements to the Commission in advance.
  • Comply with the new framework applicable to the disclosure of personal information without the consent of the person concerned in the context of a commercial transaction or for the purposes of a study, research or the production of statistics.
  • Public bodies have to form a committee focused on the access to and protection of personal information.

Consult the checklist developed by the Commission d'accès à l'information du Québec.

Law 25: a 3-year modernisation
All the changes made by Bill 25 are being made gradually over a period of 3 years, i.e. until 2024.

Next date to remember: 22 September 2023
Get a clear view of the schedule thanks to the timeline designed by the Government of Quebec

Non-compliance with Bill 25: a significant increase in fines

Prior to the new legislative obligations coming into force in September 2022, the penalties for non-compliance with the privacy law were up to $100,000, which is small relative to the revenue of a large business.

However, fines have been increased to $25 million or 4% of a company's worldwide revenue. These are dissuasive financial penalties that encourage greater effort and integrity in consenting to the collection, disclosure and use of personal data.

In Canada: Bill C-27 on privacy protection

At the Canadian level, another major legislative upheaval is underway. The introduction of Bill C-27 (the Digital Charter Implementation Act) will have significant implications for businesses. This bill, which is the second attempt at this after the abandonment of Bill C-11 in 2020, has as a main objective the creation of three new laws:

  • Consumer Privacy Protection Act
  • Personal Information and Data Protection Tribunal Act
  • Artificial Intelligence and Data Act

In this regard, I suggest you consult the Perspectives Series of the Canadian law firm McCarthy Tétrault, which closely follows Bill C-27.

Canadian and provincial privacy bills: stay up to date!

Three provinces have their own private sector privacy legislation: Quebec, Alberta, and British Columbia.

Four other provinces have provincial privacy health legislation: Ontario, New Brunswick, Nova Scotia, Newfoundland and Labrador.

All of these provincial laws are considered substantially similar to the Personal Information Protection and Electronic Documents Act (PIPEDA) governing the private sector.

Beware! A company may be subject to more than one privacy law, especially when the disclosure is made outside its territory.

Quebec Act respecting the protection of personal information in the private sector, administered by the Commission d'accès à l'information du Québec
Alberta Personal Information Protection Act, administered by the Office of the Information and Privacy Commissioner of Alberta
British Columbia Personal Information Protection Act, administered by the Office of the Information and Privacy Commissioner of British Columbia
Ontario Personal Health Information Protection Act
New Brunswick Personal Health Information Access and Protection Act
Nova Scotia Personal Health Information Act
Newfoundland and Labrador Personal Health Information Act

Learn more about provincial laws and their application

How to effectively secure your exchanges of confidential documents?

As an accountant, insurance broker, human resources manager, legal, or tax expert, the exchange of confidential electronic documents containing personal data is undoubtedly an integral part of your and/or your team’s daily life.

A critical transfer process in terms of cyber security. As email remains the main communication channel for companies and individuals, it is more than essential to ensure that the exchanges made via email are secure.

Are you looking for a simple, accessible and proven solution to position yourself as a trusted partner in the security of personal data exchanged?

Secure Exchanges offers a system for exchanging (sending and receiving) confidential information that works with your most common messaging tools. No need to migrate to a new solution: we strengthen yours with our military-grade encryption methodology.

Effectively secure your corporate and personal communications against cyber espionage and cyber attacks now, in minutes.

Try our solution for free for 30 days or schedule a demo directly with me!

Jonathan Tellier
VP - Strategy & Marketing

* This article is intended to provide general information on the various privacy laws in Canada. It does not constitute legal advice.

Share this Post: