Bill 25 Requires Immediate Action and a Compliance Plan for This Year

In September 2021, Quebec’s Parliament enacted Law 25 (formerly Bill 64) (the “Law”), which updated Quebec’s data protection laws and added requirements for enterprises that do business within the province. Specifically, as of September 2022 companies should have 1) appointed a data protection officer, 2) disclosed to the Quebec data protection commission certain processing and uses of biometric data, and 3) updated incident response requirements. Starting in 2023, failure to comply may result in GDPR-like fines with monetary penalties potentially ranging from 2% to 4% of worldwide turnover.

Applicability

The Law subjects any enterprise, as defined by the Quebec Civil Code, that collects, holds, uses, or communicates personal information to its requirements.[1]

The law does not make the familiar distinction between “controllers” and “processors.” Instead, some provisions apply only to “persons carrying on an enterprise,” while others apply more broadly to any “person” or “person or body.” As a result, the applicability of any given provision depends on what term is used.[2]

Additionally, the Law uses a broad definition of personal information, defined as “any information which relates to a natural person and allows that person to be identified.”[3] 

Upcoming Requirements

The Quebec government opted for a three-year rollout of the Law. The table below outlines some compliance areas and the relevant timeframes for compliance, some of which have already passed[4]:

ItemTimeline
Appoint a Data Protection Officer[5] September 2022
Incident (“Confidentiality”) Response Plan[6]September 2022
Disclosure to Commission of use of Biometric Information[7]September 2022
Collect and Process Personal Information Legally[8]September 2023
Public Privacy Policy[9]September 2023
Company Data Protection Governance Policies[10]September 2023
Data Subject Request Responses [11]September 2023
Conduct Necessary Data Protection Impact Assessments[12]September 2023
Conform to Law and Regulations on Data Transfers Outside of Québec[13]September 2023
Right to Portability[14]September 2024

Penalties

The Law imposes two types of fines: administrative and penal. Administrative fines come from the Quebec data commission and can be up to $10 million CAD or, if greater, 2% of worldwide turnover.[15] Penal fines, on the other hand, can be between $15,000 CAD and $25 million CAD or, if greater, 4% of worldwide turnover.[16] Whether penal or administrative fines apply depend on the violation, the actor (business), and the history of such violations by the actor.

Key Takeaways

Companies subject to this law should consider immediately addressing any past-due 2022 requirements. One of the first items would be appointing a data protection officer in compliance with the law. If the company handles and uses biometric information to verify or confirm the identity of a person or creates a bank or database of biometric characteristics, notification to the Quebec data protection authority may be necessary. Lastly, a company may wish to create and implement a data breach response plan in accordance with the law to help avoid any delay if a breach does occur. Moving into 2023, companies subject to Quebec law may need to start complying with the more rigorous requirements prior to September.

Greenberg Traurig is not licensed to practice law in Canada and does not advise on Canada law. Specific Canada law questions and Canada legal compliance issues will be referred to lawyers licensed to practice law in Canada.


[1] Section 1, Law 25.

[2] For example, the sections that contemplate data protection officers and data breaches (3.1-3.5) apply to any person carrying on an enterprise.

[3] Section 2, Law 25.

[4] This is not an exhaustive list as there may be other actions organizations need to take depending on the specific situation.

[5] Section 3.1, Law 25.

[6] Section 3.5, Law 25.

[7] Section 45, Law 25.

[8] Sections 4 and 8, among others depending on collection, Law 25.

[9] Section 3.1, 3.2, and 8.2, Law 25.

[10] Section 3.2, Law 25.

[11] Sections 30, 32, 33, 34, 35, and 39 of Law 25. 

[12] Sections 3.2 and 17, Law 25.

[13] Section 17, Law 25.

[14] Section 27, Law 25.

[15] Section 90.12, Law 25.

[16] Section 91, Law 25.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Tyler Thompson Tyler Thompson

Tyler J. Thompson advises clients on data privacy and protection, technology contracts and contract processes, websites and mobile apps, digital accessibility, social media, and direct to consumer marketing. Tyler offers clients practical and efficient legal counsel, striving to manage costs and risk with

Tyler J. Thompson advises clients on data privacy and protection, technology contracts and contract processes, websites and mobile apps, digital accessibility, social media, and direct to consumer marketing. Tyler offers clients practical and efficient legal counsel, striving to manage costs and risk with business-friendly strategies.

With deep experience in digital compliance, Tyler focuses on handling all aspects of a client’s website or mobile app to pursue compliance while maintaining the best user experience. His practice also focuses on creating enforceable digital agreements with platform users, whether that platform is a website, SaaS, mobile app, or video game.

Tyler has designed and implemented privacy programs for clients from Fortune 500s to start ups, ensuring those clients are compliant with U.S. and international privacy laws. Tyler also advises on data retention and minimization, privacy by design, data inventories, and privacy impact assessments. Tyler is certified as a Fellow of Information Privacy (FIP) by the International Association of Privacy Professionals. In addition, he is a Certified Information Privacy Professional for the United States (CIPP/US), Europe (CIPP/E), Asia, (CIPP/A) and Canada (CIPP/C) as well as a Certified Information Privacy Manager (CIPM) and Certified Information Privacy Technologist (CIPP/T). Tyler is also an ISACA Certified Data Privacy Solutions Engineer (CDPSE).

In the technology space, Tyler has provided guidance on open source software, digital marketing, software licensing, and SaaS agreements. He also works with clients to modernize commercial contracting processes and privacy practices, enabling in-house attorneys to function more efficiently and conserve resources.

Mike Summers ˘

Mike Summers is a law clerk in Greenberg Traurig’s Data Privacy & Cybersecurity Practice, based in the Denver office.

˘ Not admitted to the practice of law.