Bill 25: What is it and how to prepare?

First, why did the Quebec government decide to pass this law? We already lived in a digital world, and we do so more with every passing year. Everyone depends on technology, whether for leisure or for work; it surrounds us and creates a dependency such that we cannot work without Internet access. That said, it is not without its dangers. All this technology comes with risks that we can group under the name cybercrime: hackers seizing company or even individual data and using it to commit crimes and ransomware attacks. Many such incidents have been reported by the media in recent years (who could forget the Desjardins data leak in 2019?). To prevent further incidents of this kind as much as possible, the government had to intervene. Europe, with the GDPR (General Data Protection Regulation, RGPD in French), was the first to take control of the situation; Quebec decided to follow suit. The government wanted to bring some order to the management of personal information because, before Bill 25 was introduced, companies were storing individuals’ information with no protection (or at best a minimum of protection), without obtaining their clear consent, without specifying the purposes for which the information was being collected, and without being exposed to sanctions in the event of a privacy incident. Obviously, not all companies acted this way, but it goes without saying that most of them did. Companies that fail to comply and to protect personal information adequately will now face severe administrative and penal sanctions.

In Quebec, the Commission d’accès à l’information is the authority responsible for ensuring compliance with Bill 25. What distinguishes this law from what was already in force is the penalties for non-compliance. As mentioned above, Quebec has taken its inspiration from the European regulation and now obliges all companies, public and private, to assume new obligations and to respect rights that individuals did not previously enjoy.

September 2022

Before we get to the important dates, did you know that companies must ensure that the third-party suppliers they use to process personal information subscribe to confidentiality obligations (in a written agreement)? These third parties undertake to use the information only for the purposes for which it was collected and for no other purpose, to destroy it once that use has been fulfilled, and never to pass it on to another party. The company remains responsible for its supplier even when such an agreement exists. If the supplier is located outside the province, the company must enter into an agreement and carry out a privacy impact assessment to analyze the risk and ensure that, in doing business with this supplier, it will still adequately meet the objectives of Bill 25.

As a first step, companies must designate, in writing, a person responsible for the protection of personal information; this responsibility falls to the person with the highest authority in the company only as long as nobody else has been named. Once the privacy officer has been designated, every company must report privacy incidents to the Commission (any threat or incident involving the compromise of personal information, even unsuccessful attempts). It is now also mandatory to keep a record of all privacy incidents, high-risk and low-risk alike, since a so-called low-risk incident can quickly escalate into something much more serious.

The incident log should include the following information:

  • Personal information affected by the incident
  • The circumstances in which the incident occurred
  • The date of the incident
  • The date on which the company became aware of the incident
  • Number of people affected by the incident
  • The level of seriousness of the incident (low, medium, high or serious)
  • Measures taken by the company

If the level of seriousness of the incident is high, the person responsible for the personal information will have to contact the persons concerned (if, for example, the incident damages reputation or credit files, or causes identity theft) and the Commission d’accès à l’information.
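
The incident register described above, as an added example that is not part of the original post: each entry carries the fields the list calls for, the severity scale is the one the post gives (low, medium, high or serious), and the rule that high and serious incidents require notifying the persons concerned and the Commission is encoded as a method. Field names, the class names and the sample entries are this example’s own assumptions; the entries are constructed and describe no real incident.

```python
"""Privacy-incident register with the fields Bill 25 requires (added example)."""
from dataclasses import dataclass, field, asdict
from datetime import date
from typing import Dict, List

# Severity scale taken from the post: low, medium, high or serious.
SEVERITY_LEVELS = ("low", "medium", "high", "serious")
# Assumption: "high" and "serious" both trigger notification of the
# Commission d'acces a l'information and of the persons concerned.
NOTIFY_THRESHOLD = SEVERITY_LEVELS.index("high")


@dataclass
class PrivacyIncident:
    information_affected: List[str]   # categories of personal information
    circumstances: str                # how the incident occurred
    incident_date: date               # when it happened
    discovery_date: date              # when the company became aware of it
    people_affected: int
    severity: str                     # one of SEVERITY_LEVELS
    measures_taken: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject entries that could not be reported as-is.
        if self.severity not in SEVERITY_LEVELS:
            raise ValueError(f"unknown severity {self.severity!r}")
        if self.discovery_date < self.incident_date:
            raise ValueError("discovery_date cannot precede incident_date")
        if self.people_affected < 0:
            raise ValueError("people_affected cannot be negative")

    def notification_required(self) -> bool:
        """True when the persons concerned and the Commission must be contacted."""
        return SEVERITY_LEVELS.index(self.severity) >= NOTIFY_THRESHOLD

    def days_to_discovery(self) -> int:
        """Delay between the incident and the company becoming aware of it."""
        return (self.discovery_date - self.incident_date).days


class IncidentRegister:
    """Append-only register; low-risk incidents are kept as well."""

    def __init__(self) -> None:
        self._entries: List[PrivacyIncident] = []

    def record(self, incident: PrivacyIncident) -> PrivacyIncident:
        self._entries.append(incident)
        return incident

    def pending_notifications(self) -> List[PrivacyIncident]:
        return [i for i in self._entries if i.notification_required()]

    def summary(self) -> Dict[str, int]:
        counts = {level: 0 for level in SEVERITY_LEVELS}
        for i in self._entries:
            counts[i.severity] += 1
        return counts

    def export(self) -> List[dict]:
        """Plain dictionaries, e.g. for a JSON or CSV export to the Commission."""
        rows = []
        for i in self._entries:
            row = asdict(i)
            row["incident_date"] = i.incident_date.isoformat()
            row["discovery_date"] = i.discovery_date.isoformat()
            row["notification_required"] = i.notification_required()
            rows.append(row)
        return rows


def build_sample_register() -> IncidentRegister:
    """Constructed sample entries (not real incidents)."""
    reg = IncidentRegister()
    reg.record(PrivacyIncident(
        information_affected=["e-mail address"],
        circumstances="E-mail sent with recipients in CC instead of BCC",
        incident_date=date(2023, 10, 2),
        discovery_date=date(2023, 10, 2),
        people_affected=14,
        severity="low",
        measures_taken=["recall requested", "staff reminded to use BCC"],
    ))
    reg.record(PrivacyIncident(
        information_affected=["name", "date of birth", "credit file"],
        circumstances="Unauthorized access to the customer database",
        incident_date=date(2023, 11, 5),
        discovery_date=date(2023, 11, 9),
        people_affected=3200,
        severity="high",
        measures_taken=["credentials rotated", "persons concerned notified"],
    ))
    return reg


if __name__ == "__main__":
    for row in build_sample_register().export():
        print(row)
```

The register is append-only on purpose: an entry that is later judged more serious is re-recorded with the new severity rather than rewritten, so the log keeps the history the Commission may ask for.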

September 2023

Most of the new provisions come into force in September 2023. Companies must revise their privacy policies to explain how information will be handled and protected within the company. The privacy policy should be easy to find on the company’s website. The terms should be clear and simple for everyone to understand, and it should include the contact details of the person responsible for personal data. Companies must also draw up governance rules covering the retention and destruction of personal information, the roles and responsibilities of the data controller, the complaints handling process and the protocol for managing privacy incidents.

The penalties for companies are very high. If companies fail to comply, administrative penalties are $10 million or 2% of worldwide sales, and penal penalties are $25 million or 4% of worldwide sales. Class actions may also be brought against any company that fails to comply with Law 25. And that’s not all: incident victims can obtain a minimum of $1,000 if the company was negligent or committed gross negligence in fulfilling its obligations.

Consent is a big part of Bill 25. Companies will have to obtain clear consent from users before collecting personal information. Users may withdraw their consent at any time, in which case the company has 30 days to delete the information from its databases. In addition, the company must delete or anonymize the information as soon as collection is complete. All customers must have access to their personal data and have the right to modify or delete it.

As mentioned above, any privacy incident must be reported to the Commission. This makes risk assessment and verifying the impact of information collection all the more important. A privacy incident is unauthorized access to personal information, unauthorized use or disclosure of personal information, loss of personal information, or any other breach of confidentiality.

September 2024

The last stage of the law applies in September 2024. Don’t worry, there are fewer steps in this phase! Companies will have to provide portability; portability is the transfer of any information the company holds on a person, either to that person or to a third party (for example, in the case of a change of insurer). The company has 30 days in which to transfer the personal information, and it must be done in a usable format (compatible with all other platforms).

What to do or not to do, that's the question

To protect your data as much as possible, and that of others, here are some examples of do’s and don’ts:

  • Did you know that a date of birth is personal information? We’re not saying don’t wish someone a happy birthday at the office, but if you do it on social networks (on the birthday person’s wall, for example) it could be considered a disclosure of personal information. Proceed with caution!
  • Following on from the previous point, be careful what you share on social networks. Limit the information you share, and make sure you really know everyone on your friends list.
  • We know it’s tempting, but public Wi-Fi is your worst enemy. It’s a huge gateway for hackers.
  • It may seem trivial to some, but the simple act of sending an e-mail with several people in carbon copy (CC) is considered an unauthorized communication of personal information, since the e-mail addresses are visible to every recipient. You can remedy this by putting all your recipients in blind carbon copy (BCC).
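
The CC-versus-BCC point above, as an added example that is not part of the original post. It builds the two forms of the same message with the standard library’s email.message.EmailMessage and mirrors what smtplib.SMTP.send_message does on delivery (collect To, Cc and Bcc as envelope recipients, then drop the Bcc header from the copy that is sent), so you can see which addresses every recipient ends up able to read. The function names and the sample addresses are this example’s own; the addresses are constructed and nothing is actually sent.

```python
"""Sending to several people without disclosing their addresses (added example)."""
import copy
from email.message import EmailMessage
from email.utils import getaddresses
from typing import List, Tuple

# Constructed sample recipients, not real addresses.
RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def _addresses(msg: EmailMessage, header: str) -> List[str]:
    """Bare addresses found in every instance of one header."""
    found = []
    for _name, addr in getaddresses(msg.get_all(header, [])):
        if addr and "@" in addr:
            found.append(addr)
    return found


def build_cc_message(sender: str, recipients: List[str]) -> EmailMessage:
    """The problematic form: every address is visible to every recipient."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipients[0]
    msg["Cc"] = ", ".join(recipients[1:])
    msg["Subject"] = "Notice"
    msg.set_content("Hello everyone")
    return msg


def build_bcc_message(sender: str, recipients: List[str]) -> EmailMessage:
    """The corrected form: recipients go in Bcc, the sender's own address in To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = "Notice"
    msg.set_content("Hello everyone")
    return msg


def split_for_delivery(msg: EmailMessage) -> Tuple[List[str], EmailMessage]:
    """What the mail client does at send time: the envelope gets To, Cc and
    Bcc; the delivered copy has its Bcc header removed."""
    envelope = _addresses(msg, "To") + _addresses(msg, "Cc") + _addresses(msg, "Bcc")
    delivered = copy.copy(msg)   # shallow copy is enough: del builds a new header list
    del delivered["Bcc"]
    return envelope, delivered


def addresses_exposed_to_recipients(msg: EmailMessage) -> List[str]:
    """Addresses any recipient can read from the headers they receive."""
    _, delivered = split_for_delivery(msg)
    return _addresses(delivered, "To") + _addresses(delivered, "Cc")


if __name__ == "__main__":
    for build in (build_cc_message, build_bcc_message):
        message = build("hr@example.com", RECIPIENTS)
        envelope, _ = split_for_delivery(message)
        print(build.__name__, "envelope:", envelope,
              "exposed:", addresses_exposed_to_recipients(message))
```

Both messages reach the same three people; only the BCC form keeps their addresses out of the headers each of them receives, which is the difference the bullet above is about.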

Advantages and disadvantages

Obviously, the first disadvantages that come to mind are the administrative ($10 million or 2% of worldwide sales) and penal ($25 million or 4% of worldwide sales) sanctions, as well as punitive damages for offenders responsible for gross negligence (a data leak, for example); each victim may then receive a minimum of $1,000 in the event of a confidentiality incident. A company’s reputation may also be at stake if, for example, it failed to comply with the law and someone decides to take legal action against it.

In terms of benefits for the IT department, this is great news! Gone are the days when we used to say that protecting data, information and information systems was strictly an IT problem. It involves a lot more people than you might think, including human resources, IT technicians and executive staff. The application of Bill 25 is forcing organizations to clean up their data and processes, so that they are less exposed to risk. Companies that fail to do so expose themselves to great risk. In any case, it’s now the law 😉

Did you know that insurance also involves risks? If you decide to take out cyber insurance, you’ll need to assess your risk to determine the extent of your coverage, comply with the insurer’s requirements (such as setting up a data protection system) and make a truthful declaration. If an incident occurs, and your declaration was not truthful, or the insurer realizes that the necessary measures were not taken to prevent an incident, a refusal to pay may apply.

A new right for citizens

Citizens now have the right to call the company to ask what their information will be used for, and where it will be stored (the person in charge will have to answer all these questions).

The right to be forgotten is another new right for citizens. The right to be forgotten deals with the deletion of links or Web pages containing personal information that may infringe on privacy. Individuals will therefore be able to ask companies to stop disseminating their personal information, or to de-index any links attached to their name giving access to information if this dissemination causes them harm.

Actions to be taken

Here is a list of actions to be taken as soon as possible to comply with Bill 25.

  1. If you are not familiar with Bill 25, we strongly recommend that you take a training course (Psst, we provide this training 😉 )
  2. Identify the services you need to accompany you through the compliance process. We don’t recommend doing this in-house if it’s not clear to you.
  3. Once the services have been identified, a compliance audit is in order. This will establish the steps that still need to be taken to achieve compliance, and draw up a game plan based on priorities.
  4. Appoint a data manager. This must be done in writing.
  5. Draw up a contingency plan in the event of an incident. This plan will enable you to take steps to minimize the risk of an incident. It should include everyone’s tasks and who to call in the event of an incident. There is no such thing as zero risk; you have to be prepared. We strongly recommend that you practice it; an incident simulation might be a good idea. It’s not an emergency plan if you don’t know how to apply it, is it? Very important: have a hard copy on hand. It’s hard to open the plan on your computer if your files have been encrypted.
  6. Review your privacy policies. They should cover how personal information is handled and protected, and who to contact if you have any questions or complaints.
  7. Establish governance rules, such as clear consent, the retention and destruction cycle of personal information, how data is protected within the company, the responsibility of everyone in the company and the responsibilities of the person in charge.
  8. Review agreements with third-party suppliers, to ensure that everything is compliant and that information is well protected.
  9. Most importantly, train your employees. The weakest link is undoubtedly the human factor. An incident can happen very quickly if an employee clicks on a link in an e-mail that they thought was safe.

Law 25 is a big deal for companies, but it’s now more than necessary. If you have any questions or concerns, drop us a line; we can help you comply!