Top 5 Misconceptions about Québec’s New Personal Information Protection Legislation
Danielle Olofsson, PhD, LLB, BCL, CIPP/C
Certified Expert in Canadian and European data protection
With the first wave of amendments to Québec’s personal information protection legislation (“Law 25”) taking effect on September 22, 2022, we thought we would share the top 5 misconceptions we have encountered when discussing the effects that Law 25 will have on businesses operating in Québec.
Note: While Law 25 was passed one year ago, its provisions come into effect in stages in 2022, 2023 and 2024. For more information, see our previous post.
1. “We are a B2B operation, so the legislation does not apply to us”
The legislation applies to any entity that holds “Personal Information”, defined as any information that relates to a natural person and allows that person to be identified, directly or indirectly. It includes obvious identifiers such as a person’s name, address, date of birth, government-issued identification number or gender. It also includes the IP or MAC address of a device that can be linked to an individual, as well as that individual’s browsing behaviour. Whether a customer is a company or a consumer is therefore beside the point: employee records, the contact details of a client’s staff and website analytics are all Personal Information. Given how broad the definition is, it is difficult to imagine a business that does not collect, use or disclose (“Process”) Personal Information in some way and to which, consequently, Law 25’s requirements do not apply.
2. “I think somebody in HR looks after compliance with personal information protection legislation”
While the “somebody” in HR may be very competent, and indeed the best person to ensure compliance with Law 25, businesses Processing Personal Information are now required to formally designate a specific person responsible for the protection of Personal Information. That person’s title and contact information must be published on the business’s website or made available to the public by any other appropriate means. As of September 22, 2022, if an entity has not designated anyone, the role of person in charge of the protection of Personal Information falls by default to the person with the highest decision-making authority in the organization, who can delegate it in writing to someone else within the organization. Informal arrangements no longer suffice: the designation must be explicit and the contact point must be public.
3. “I think our IT department has an incident response plan”
Most IT departments do have an incident response plan. An IT incident response plan, however, is built around the operational needs of the IT department (containment, recovery, restoration of service). It does not necessarily reflect the legal duties that a business faces following an incident involving Personal Information, such as:
Having a separate incident response plan specific to Personal Information is vital for two reasons. First, an incident involving Personal Information does not necessarily involve IT at all. For example, a lost or stolen paper file containing employee names and salaries is an incident under Law 25, and it will most likely not be covered by an IT incident response plan. Second, the thresholds IT teams use to rate the severity of a cyber incident are typically higher than the threshold of “risk of serious injury” to an individual that Law 25 uses following a compromise of their Personal Information. An event that an IT plan would triage as low severity, such as a misdirected email containing a handful of records, may still present a risk of serious injury to the individuals concerned and trigger the business’s legal duties.
4. “We don’t share personal information with anyone. We store it on the cloud”
Unless the business hosts its own cloud infrastructure, storing Personal Information with an external cloud service provider is considered a disclosure of Personal Information to that provider. The business must therefore inform the individual of this disclosure. As of September 2023, the individual’s consent to this disclosure will not be required, but the business must have a data processing agreement in place under which the provider commits to adequate security measures to protect the Personal Information it receives. If the provider is located outside of Québec, the business must also conduct a privacy impact assessment to confirm that the Personal Information will receive a level of protection equivalent to that afforded under Québec law. In practice, this means reviewing where the provider actually stores and processes the data, not only where it is headquartered.
5. “We can’t disclose that information because we don’t have the individual’s consent”
As of September 22, 2022, a business that is party to a business transaction may disclose an individual’s Personal Information to its counterpart without the individual’s consent. This effectively extends to businesses operating in Québec the “business transaction” exception found in the federal Personal Information Protection and Electronic Documents Act. Law 25, however, requires the disclosing party to enter into an agreement with the receiving party in which the latter undertakes to:
Once the transaction is concluded, the recipient of the Personal Information may only Process the information in accordance with Law 25 and must, within a reasonable time, inform the individual that it now holds their Personal Information.
These 5 points touch on the most substantial changes that Law 25 introduces into the Québec Personal Information protection landscape. A year from now, additional and more onerous requirements will take effect, leaving Québec businesses the next 12 months to prepare.
DISCLAIMER: This publication is intended to convey general information about legal issues and developments as of the indicated date. It does not constitute legal advice and must not be treated or relied on as such. Please read our full disclaimer at www.stikeman.com/legal-notice.