In September 2021, Quebec’s Parliament passed Law 25 (formerly Bill 64), which significantly overhauled the Act Respecting the Protection of Personal Information in the Private Sector. Law 25 imposes several new obligations on enterprises that do business in Quebec, and these obligations have come into effect in stages since the law was enacted.
Click here for Greenberg Traurig’s introduction to Law 25.
Unlike comprehensive privacy laws in other jurisdictions, nothing in Law 25 explicitly requires employees be trained in the handling and protection of personal information. However, several provisions in Law 25 either require or suggest the implementation of enterprise-wide and project-specific policies and procedures around the protection of personal information. Ultimately, training employees on such policies and procedures is recommended to ensure compliance and consistency, and updating employee training materials may help ensure compliance, including in the areas of:
- Data subject access requests;
- Data governance;
- Privacy impact assessments;
- Data retention and destruction;
- Anti-retaliation; and
- Consents.
New Responsibilities for Personal Information Agents
Previously, Personal Information Agents[1] were required to establish and apply rules of conduct within their enterprises that allow data subjects access to their personal information in a way that protects the personal information.[2] Personal Information Agents were also required to establish a method of operation that ensured any personal information communicated was accurate.[3] Law 25 now additionally requires this procedure allow data subjects to rectify their information.[4]
Entities required to have Personal Information Agents will have to update their rules of conduct to account for the new rectification right, and also train the employees tasked with implementing the procedure on the update so they can ensure that the rules of conduct are being followed.
Governance Policies
Law 25 mandates that covered enterprises must implement governance policies and practices regarding the protection of personal information.[5] While Law 25 does not mandate employee training on these policies and practices per se, it does specify certain criteria that must be present in these governance policies, including defining the roles and responsibilities of employees throughout the life cycle of personal information held by the enterprise.[6] Training employees on their individual roles and responsibilities, as well as the execution of the same, is crucial to ensuring Law 25 compliance.
Projects Involving Information Systems
Under Law 25, whenever an enterprise acquires, develops, or overhauls an information system that involves the collection, use, communication, keeping or destruction of personal information, the enterprise must conduct a privacy impact assessment on that project.[7] The Commission d’accès à l’information du Québec, the enforcement body for Law 25, defines a privacy impact assessment as an impact analysis that considers all factors relating to a project that have a positive or negative effect on the privacy of data subjects.[8] Privacy impact assessments, according to the Commission, are designed to bring a “preventative and evolving approach” to protecting privacy in new projects. The person in charge of personal information may, but is not required to, implement training on protecting personal information for employees involved in the project.[9]
While training is not mandatory, electing to implement this type of training could factor into the privacy impact assessment for the project and influence the enterprise’s decisions related to the risk of processing personal information.
Business Activities Involving Data Collection and Processing
Law 25 places many obligations on enterprises when it comes to data collection and processing. Some of these obligations include identifying a purpose for collection,[10] limiting collection to that purpose,[11] imposing default privacy settings that provide the highest level of confidentiality,[12] and obtaining consent to process sensitive data and data of certain minors.[13] Additionally, transfers of personal information outside of Quebec require privacy impact assessments and under some circumstances, written agreements.[14]
Certain departments or employees of the enterprise may be accustomed to data collection and processing activities that previously did not require these measures. For example, marketing teams may have to reconsider their digital marketing practices, especially when it comes to behavioral advertising. Policies that allow employees to access Quebec data remotely from locations outside of Quebec may need to be re-examined. Ensuring these changes are effectively implemented will require training the appropriate personnel.
Retention Schedules
Law 25 creates a new mandatory retention period for any personal information that is used to make a decision about a data subject.[15] Additionally, Law 25 requires Personal Information Agents to destroy personal information collected more than seven years prior.[16]
Employees may benefit from training on these mandatory retention periods to ensure they are properly implemented.
Retaliation
While retaliation against employees is generally prohibited, Law 25 specifically prohibits employers from retaliating against any person who is involved in filing a complaint or participating in an investigation with the Commission concerning the protection of personal information.[17]
Enterprises may benefit from training supervisory and management personnel on these prohibitions to prevent retaliation from occurring.
Conclusion
Several provisions in Law 25 either require or suggest the implementation of enterprise-wide and project-specific policies and procedures around the protection of personal information. Further, Law 25 requires enterprises to engage in more transparency around these policies and procedures. Ultimately, training employees on your enterprise’s data privacy practices may better effectuate them and ensure compliance with Law 25.
Abigail Walker is an Intellectual Property Law Clerk based in Greenberg Traurig's Denver office and contributed to this article.
* Greenberg Traurig is not licensed to practice law in Canada and does not advise on Canada law. Specific Canada law questions and Canada legal compliance issues will be referred to lawyers licensed to practice law in Canada.
FOOTNOTES
[1] “Personal Information Agents” are defined as “Any person who, on a commercial basis, personally or through a representative, establishes files on other persons and prepares and communicates to third parties credit reports bearing on the character, reputation or solvency of the persons to whom the information contained in such files relates.” Section 70, Act Respecting the Protection of Personal Information in the Private Sector.
[2] Section 78, Act Respecting the Protection of Personal Information in the Private Sector.
[3] Section 71, Act Respecting the Protection of Personal Information in the Private Sector.
[4] Section 78, Law 25.
[5] Section 3.2, Law 25.
[6] Section 3.2, Law 25.
[7] Section 3.3, Law 25.
[8] Note that Law 25 does not define “privacy impact assessment.”
[9] Section 3.4(4), Law 25.
[10] Section 4, Law 25.
[11] Section 5, Law 25.
[12] Section 9.1, Law 25. Note that this requirement has an exception for browser cookies.
[13] Sections 12 and 4.1, respectively, Law 25.
[14] Section 17, Law 25.
[15] Section 11, Law 25.
[16] Section 79.1, Law 25.
[17] Sections 81.1 & 81.2, Law 25.