Worldwide: Quebec Privacy Bill 64 (Law 25) – Requirements In Quebec's Privacy Law That Go Beyond GDPR And CCPA

This article highlights three incremental requirements in Quebec's new privacy Law 25 that organizations who previously prepared for the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) should consider.

1. Data Protection Officer – According to Quebec's Law 25, the individual with the highest level of authority within the organization is responsible for ensuring that Law 25 is implemented and complied with.¹ The position can be delegated, in writing, to a member of the management personnel. ²

This Data Protection Officer (DPO) role under Quebec's Law 25 is responsible for reviewing and approving policies and procedures, participating in the development of Privacy Impact Assessments (PIAs), advising the organization during data breaches, and responding to privacy rights requests, including but not limited to, the right to be forgotten.

Quebec's Law 25 does not require the DPO to be located in Quebec, as such, we anticipate this role will fall to the organization's existing Chief Privacy Officer / DPO or organizations will appoint a Third Party DPO. The assumption is that the CEO will take on the DPO role unless otherwise delegated to another member of management or the Third Party DPO.

Organizations that collected personal information on residents of Quebec but did not meet the requirement to appoint a DPO under the EU's GDPR may find themselves in a position where they need to appoint a DPO regardless of the DPO appointment decision taken under their GDPR readiness program.

Action item: Organizations will likely need to appoint a DPO if its CEO does not want to assume the DPO role by default.

2. Privacy Impact Assessments – Quebec's Law 25 requires that organizations conduct a Privacy Impact Assessment "for any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, release, keeping or destruction of personal information."³ Law 25 also requires that organizations conduct Privacy Impact Assessments before transferring personal information outside of Quebec.⁴

As Privacy Impact Assessments and/or Transfer Impact Assessments become more common and required by most major sovereign privacy laws, it is important to note that Quebec's Law 25 requires PIAs for "keeping or destruction of personal information." We highlight this requirement as incremental to Quebec's Law 25 because other privacy laws such as the GDPR or CCPA do not require PIAs to be conducted on data retention or minimization activities.

In terms of conducting a Privacy Impact Assessment on personal information transferred out of Quebec, the assessment is to confirm that the data transfer would receive adequate protection in accordance with "generally recognized principles" regarding the protection of personal information. ⁵

It is interesting to ponder if the U.S. Data Privacy Framework (DPF) certification will serve as a proxy for "generally recognized principles" for the transfer of personal information from Quebec to the United States.

Action item: Develop a data map and conduct privacy/transfer impact assessments on all data transfers leaving Quebec.

3. Automated Processing – Under Quebec's Law 25, an organization that uses personal information to render a decision based exclusively on automated processing must inform the person concerned of the personal information used to render the decision; the reasons, principal factors, and parameters that led to the decision; and the right of the person to have the personal information used to render the decision corrected.⁶

In this context, "Automated Processing" under Quebec's Law 25 may be broader than "Automated Decision Making" under the GDPR. The threshold for Automated Decision Making (AMD) considerations under the GDPR only apply if that processing activity carries a significant and/ or legal impact on the individual. Under Quebec's Law 25, we do not see that same high threshold for Automated Processing as for Automated Decision Making under the GDPR.

Action item: Evaluate the notification requirements in Quebec's Law 25 related to automated processing in the content of your existing Artificial Intelligence governance program.

The Quebec Privacy Law 25 carries many of the same requirements as other modern privacy laws; however, organizations should consider adjusting their privacy readiness program to account for the finer nuances discussed herein.

Footnotes

1. Quebec Bill 64. Page 7. Retrieved October 25, 2023: https://www.publicationsduquebec.gouv.qc.ca/fileadmin/Fichiers_client/lois_et_reglements/LoisAnnuelles/en/2021/2021C25A.PDF

2. Ibid.

3. Quebec Bill 64. Page 11. Retrieved October 25, 2023.

4. Quebec Bill 64. Page 19. Retrieved October 25, 2023.

5. Ibid.

6. Quebec Bill 64. Page 15. Retrieved October 25, 2023.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.