In September 2021, Quebec’s Parliament enacted Law 25, formerly known as Bill 64, (the Law), which updated Quebec’s data protection laws and added requirements for enterprises that do business within the province. The majority of the Law’s requirements become effective Sept. 22, 2023. Below is a brief list of compliance requirements and their effective dates.
Compliance Requirements Taking Effect Today
|
Item |
Timeline |
|
Collect and Process Personal Information Legally, including proper consent mechanisms if applicable[1] |
Sept. 22, 2023 |
|
Public Privacy Policy[2] |
Sept. 22, 2023 |
|
Company Data Protection Governance Policies[3] |
Sept. 22, 2023 |
|
Data Subject Request Responses[4] |
Sept. 22, 2023 |
|
Conduct Necessary Data Protection Impact Assessments[5] |
Sept. 22, 2023 |
|
Conform to Law and Regulations on Data Transfers Outside of Quebec[6] |
Sept. 22, 2023 |
|
Destruction or Anonymization of Data[7] |
Sept. 22, 2023 |
|
Monetary Penalties and Damages[8] |
Sept. 22, 2023 |
.
Previous and Upcoming Compliance Requirements
|
Item |
Timeline |
|
Appoint a Data protection Officer[9] |
Sept. 22, 2022 |
|
Incident (“Confidentiality”) Response Plan[10] |
Sept. 22, 2022 |
|
Disclosure to Commission of use of Biometric Information[11] |
Sept. 22, 2022 |
|
Collect and Process Personal Information Legally, including proper consent mechanisms if applicable[12] |
Sept. 22, 2023 |
|
Public Privacy Policy[13] |
Sept. 22, 2023 |
|
Company Data Protection Governance Policies[14] |
Sept. 22, 2023 |
|
Data Subject Request Responses[15] |
Sept. 22, 2023 |
|
Conduct Necessary Data Protection Impact Assessments[16] |
Sept. 22, 2023 |
|
Conform to Law and Regulations on Data Transfers Outside of Quebec[17] |
Sept. 22, 2023 |
|
Destruction or Anonymization of Data[18] |
Sept. 22, 2023 |
|
Monetary Penalties and Damages[19] |
Sept. 22, 2023 |
|
Right to Portability[20] |
Sept. 22, 2024 |
.
Penalties for Noncompliance
Administrative monetary penalties can result in fines up to CAD $10 million or 2% of the enterprise’s worldwide turnover, whichever is greater. Alternatively, general fines can be CAD $25 million or 4% of worldwide turnover, whichever is greater.
Entities subject to the Law should conduct a comprehensive review of their data privacy procedures and practices to ensure compliance and avoid large penalties that the Law provides.
* Greenberg Traurig is not licensed to practice law in Canada and does not advise on Canada law. Specific Canada law questions and Canada legal compliance issues will be referred to lawyers licensed to practice law in Canada.
* Special thanks to Mike Summers˘ for his valuable contributions to this GT Alert.
˘ Not admitted to the practice of law.
[1] Sections 4 and 8, among others depending on collection, Law 25.
[2] Section 3.1, 3.2, and 8.2, Law 25.
[3] Section 3.2, Law 25.
[4] Sections 30, 32, 33, 34, 35, and 39 of Law 25.
[5] Sections 3.2 and 17, Law 25.
[6] Section 17, Law 25.
[7] Section 23, Law 25
[8] Sections 90-93, Law 25.
[9] Section 3.1, Law 25.
[10] Section 3.5, Law 25.
[11] Section 45, Law 25.
[12] Sections 4 and 8, among others depending on collection, Law 25.
[13] Section 3.1, 3.2, and 8.2, Law 25.
[14] Section 3.2, Law 25.
[15] Sections 30, 32, 33, 34, 35, and 39 of Law 25.
[16] Sections 3.2 and 17, Law 25.
[17] Section 17, Law 25.
[18] Section 23, Law 25.
[19] Sections 90-93, Law 25.
[20] Section 27, Law 25.