December 20th, 2023 | Mark Sward

Quebec Law 25: Considerations for Organizations

In September 2021, the Quebec legislature adopted Law 25 to modernize Quebec’s privacy laws. The law was implemented in phases, with most new obligations taking effect on September 22, 2023.

For private-sector organizations subject to Quebec law, now is an excellent time to review compliance activities and update them to ensure they meet the requirements implemented by Law 25. Not only does this law make substantive changes to the private-sector privacy regime in Quebec, but it also gives the provincial privacy regulator (the Commission d’accès à l’information or “CAI”) significant new enforcement powers, including the ability to impose large financial penalties on non-compliant organizations.

Accountability

One of the longstanding principles of Quebec privacy laws is accountability. Organizations are accountable for their privacy practices and must take proactive organizational steps to ensure they handle personal information properly. Law 25 strengthens these requirements by obligating organizations to appoint a privacy officer. This officer (the top executive by default, unless someone else is appointed) must have oversight of the organization’s data-handling activities.

The law also requires organizations to develop, implement, and publish on their websites comprehensive policies and practices outlining how they protect personal information and ensure compliance with the law. Finally, the law imposes a new obligation to conduct formal privacy impact assessments when acquiring, developing, or overhauling systems that handle personal information. While some of these activities were already required, Law 25 imposes more detailed requirements, so many organizations will need to consider updates to their privacy programs.

In addition to the internal accountability steps organizations are required to take, they must exercise more oversight of their supply chains and cross-border data transfers. Law 25 imposes new obligations on organizations to put in place contractual terms with service providers who process personal data to ensure the data is protected. Where transfers to third parties cross a provincial or national border, additional assessments must be done to ensure the data will remain protected to the standard required in Quebec.

Transparency and Consent

Law 25 builds on existing requirements to notify individuals of why their personal information is being collected and how it will be used and disclosed. Organizations must now include more detail in these notices, all while keeping them accessible and understandable.

The law adds new clarity and detail about when consent can be implied and when it is not necessary at all. Generally, consent will be a key aspect of any approach to privacy in Quebec, and organizations will need to carefully consider whether the consent they are collecting from individuals is sufficient to meet the high bar set by Law 25. The CAI has released guidelines on consent to help organizations make these decisions.

In addition to basic notice and consent obligations, organizations now have heightened obligations to make individuals aware of automated decision-making, geolocation, and profiling of their activities, and they must seek explicit consent for certain activities, including handling of sensitive data like biometrics.

Individual Rights

Quebec’s existing privacy regime includes various basic individual rights, including the ability to access personal information held by an organization, correct it, and have it deleted in certain circumstances. Law 25 introduces an expanded right to deletion, as well as new rights to move data between organizations and to request information about how personal data has been handled. Organizations must have procedures in place to fulfill these requests when they inevitably arrive.

Data Breach Management

Organizations must also do more than just put in place security controls to prevent data breaches (not a new requirement, of course). Under the new requirements of Law 25, their obligations to respond to data breaches are more onerous, including taking steps to minimize harm, keeping a register of breaches that can be provided to the CAI on request, and providing notifications both to the CAI and to individuals if there is a serious risk of harm arising from a data breach.

Data Minimization

Law 25 further entrenches the concept known as “data minimization” or “proportionality,” which is well-established in privacy laws around the world. Personal information can only be collected if it is necessary to achieve the pre-established purposes for its collection. It must then be used only for those purposes (or, if it is to be used for new purposes other than a few exceptional ones outlined in the law, the individual must consent to those new purposes). Finally, it must be deleted or anonymized once it is no longer needed for those purposes.

Interestingly, Law 25 also introduces a minimum retention obligation: any information which is used to make a decision must be kept for one year following the decision to allow the individual to exercise their rights.

Considerations for Background Screening

Any organization which is subject to Quebec privacy laws and conducts or uses background checks should assess certain activities in collaboration with its background screening provider to ensure compliance with the new rules set out in Law 25.

Some questions to consider include:

  • Does your organization have a privacy officer and documented privacy policies? Is a summary of those policies posted on the web?
  • Has your organization conducted a privacy impact assessment on its screening program to ensure that screening takes into consideration (and properly protects) candidates’ privacy?
  • Does your organization give proper notice to individuals that they will undergo a background check? Are they made aware of the types of data being collected, the purposes for which they are collected, and their other rights under privacy laws?
  • Does your organization have a process in place to respond to individuals who wish to exercise their access, correction, deletion, portability, or other rights? If you use a background screening partner, does your partner have procedures in place for that as well?
  • Do you have data processing terms in your contract with third parties who handle personal information on your behalf as part of the screening process, including your background screening partner?
  • If data will be transferred outside of Quebec, do you understand those transfers, and have you taken the necessary steps to ensure the data remains protected to the same standard required in Quebec?
  • Has your background screening partner, if you have one, registered with the CAI as a “personal information agent” as required by the new rules introduced by Law 25?
  • Have you established a data retention policy for background check records based on your company’s legitimate business needs, including retaining records for at least one year to allow the exercise of individual rights? Does your background screening provider delete information after seven years to comply with new obligations imposed on “personal information agents”?

As always, all organizations are strongly encouraged to consult with their legal counsel or privacy officer on how best to comply with Quebec’s modernized privacy regime. Many law firms in Quebec have also made detailed information about compliance available to the public.

As a thought leader in the background screening industry, Sterling Backcheck is committed to helping employers stay up-to-date on compliance updates and regulatory changes around the world. Contact our experts to learn more about what we can do to help you build a background screening program.

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.