Quebec passes a new privacy law – Quebec Law 25

Privacy Policy

Quebec Bill 64

Photo of author

Donata Stroink-Skillrud

Co-founder and President of Termageddon

Quebec passes a new privacy law - Quebec bill 64

After much debate regarding whether Canada’s federal privacy bill, the Personal Information Protection and Electronic Documents Act (PIPEDA), offers sufficient privacy protections for consumers, Quebec passed a new privacy law, Quebec Law 25 (previously Quebec Bill 64). While Quebec already had a privacy law, the Act Respecting the Protection of Personal Information in the Private Sector, Canada’s legislature considered that law to be substantially similar to PIPEDA. In fact, the Privacy Policy disclosures that were required to be made, the privacy rights offered to individuals, and the enforcement mechanisms of both laws were essentially the same. However, with the passage of Quebec Law 25, quite a few changes have been made that diverge this law from PIPEDA. In this article, we will discuss who this new law applies to and how it will affect your business. 

Who does Quebec Law 25 apply to?

Quebec’s Law 25 applies to persons who collect, hold, use or share personal information in the course of carrying on an enterprise within the meaning of Article 1525 of the Civil Code. Article 1525 of the Civil Code defines “enterprise” as “the carrying on by one or more persons of an organized economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property, or providing a service.” This new law will apply to anyone participating in an economic activity, even if that activity is not commercial, meaning that nonprofit organizations will need to comply with this law, as well as for-profit organizations. 

The fact that nonprofit organizations will need to comply with Quebec’s new privacy law is an important difference to PIPEDA, which generally applies to organizations that engage in commercial activity. While this means that nonprofit organizations are generally exempt from PIPEDA, they could be subject to PIPEDA if they engage in commercial activities such as the selling, bartering, or leasing of donor lists. 

Privacy Policy disclosures required by Quebec Law 25

Quebec’s Law 25 also diverges from PIPEDA by requiring the following disclosures to be made in Privacy Policies: 

  1. The purposes for which personal information is being collected; 
  2. The means through which the personal information is being collected; 
  3. The right of access, portability, and rectification of personal information; 
  4. The person’s right to withdraw consent to the communication or use of the personal information collected; 
  5. How privacy rights requests can be sent to the organization;
  6. If personal information is collected using technology that allows the person to be identified, located and profiled, the Privacy Policy must inform the person of the use of such technology and of the means available, if any, to deactivate the functions that allow the person to be identified, located, or profiled; 
  7. If personal information will be used for automated decision making, that fact must be disclosed;
  8. The possibility that the personal information may be communicated outside of Quebec; 
  9. The title and contact information of the person in charge of the personal information. 

In contrast, PIPEDA does not require Privacy Policies to disclose whether the personal information will be used for automated decision making, nor how users can deactivate functions that allow a person to be identified, located, or profiled.

Quebec’s privacy law enforcement

Perhaps the biggest and most important difference between PIPEDA and Quebec’s Law 25 is enforcement. Under Quebec’s new privacy law, if an individual has a complaint, the individual can make a complaint to Quebec’s Commission d’acces a l’information. If the individual is not happy with the resolution of the complaint, they can appeal to the Court of Quebec. The administrative penalties for failure to comply are also steep – a maximum of CAD $50,000 in case of an individual violating the law or a maximum of CAD $10,000,000 or, if greater, 2% of the worldwide turnover for the preceding fiscal year in case of an organization violating the law. Lastly, Quebec’s Law 25 even allows the prosecutor to institute penal proceedings for violations of the law. 

Quebec’s Law 25 effectively resolves the gripes about PIPEDA’s lax enforcement and penalties by allowing individuals to sue businesses directly, imposing heavy penalties, and even allowing the institution of penal proceedings for violations. Thus, if you are collecting the personal information of residents of Quebec, it is extremely important to comply with this law.

If you do not have a Privacy Policy or do not have a plan to keep it updated with Quebec’s privacy law, make sure to check out Termageddon’s Privacy Policy generator.

Photo of author
About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.

Search the Site
Popular Articles
Browse by Category

Comparing Policy Generators

Cookie Consent Banner

Cookie Policy




How To's

Privacy Policy

Terms of Service

Subscribe for Updates
  • This field is for validation purposes and should be left unchanged.