Law 25 – CAI’s Enforcement – What’s first?

What will the CAI Enforcement Priorities be?

Bill 64, also known as the Act to Modernize Legislative Provisions Respecting the Protection of Personal Information, was introduced by the Quebec government to update privacy laws and strengthen the protection of personal information. It aims to align the province’s legislation with modern challenges in data protection and privacy. We will review what we think will be enforced first and why.

Some of the key provisions of Bill 64 include:

Strengthening Consent Requirements: The bill aims to enhance consent requirements for the collection, use, and disclosure of personal information. It emphasizes obtaining explicit consent and making it easier for individuals to understand and manage their consent preferences.

Increased Accountability and Governance: Bill 64 imposes stricter obligations on organizations to implement privacy policies, establish governance mechanisms, and designate responsible individuals for privacy compliance. It also requires organizations to conduct privacy impact assessments for certain processing activities.

Enhanced Rights for Individuals: The legislation seeks to strengthen individuals’ rights regarding their personal information. This includes the right to access, correct, and delete their data, as well as the right to be informed about data breaches.

Data Breach Notification: Bill 64 introduces mandatory data breach notification requirements, obligating organizations to report any breaches of security safeguards that could result in significant harm to individuals.

Enforcement and Penalties: The bill enhances the enforcement powers of the Commission d’accès à l’information (CAI), Quebec’s access to information commission. It allows the CAI to impose administrative penalties for non-compliance with privacy laws.

While we cannot provide specific details about what the CAI might focus on for initial fines, it is likely that they would prioritize areas related to:

  1. Obtaining valid consent,
  2. Implementing proper privacy policies and governance mechanisms,
  3. Ensuring timely and accurate data breach notification, and
  4. Among other compliance measures.

These areas align with the key provisions of Bill 64 and are common focus points for privacy regulators in other jurisdictions. Let’s examine these 4 issues in a little more detail:

1. Obtaining Valid Consent

The first guidance documents produced by the CAI include Guidelines for Valid Consent. Our friends at McCarthy Tetrault wrote a detailed blog post that should be mandatory reading for every CEO who operates across Canada. If your database is truly national, chances are that 20-25% of the individuals reside in Quebec, so Law 25 applies.

Quebec is very prescriptive regarding Valid Consent, which must be:

  Clear
  Free
  Informed
  For Specific Purposes
  Granular
  Understandable
  Temporary
  Separate

Here is the language from the Act:

“Consent under this Act must be clear, free and informed and be given for specific purposes [i.e. Specific]. It must be requested for each such purpose [i.e. Granular], in clear and simple language [i.e. Understandable]. If the request for consent is made in writing, it must be presented separately from any other information provided to the person concerned [i.e. Separate]. If the person concerned so requests, assistance is provided to help him understand the scope of the consent requested [this is another aspect of consent being Informed]. 

The consent of a minor under 14 years of age is given by the person having parental authority or by the tutor. The consent of a minor 14 years of age or over is given by the minor, by the person having parental authority or by the tutor.

Consent is valid only for the time necessary to achieve the purposes for which it was requested [i.e. Temporary].

Consent not given in accordance with this Act is without effect.”


Consent is the foundation of this Law, and it appears to us that the CAI is likely to issue some early fines directly to CEOs for not being able to prove Valid Consent. The ‘highest authority’ is, by default, accountable for all PII used by that organization. As Valid Consent has never been a requirement for organizations operating in Canada, many will struggle with this new obligation. We recommend CASSIE, a powerful and flexible SaaS Consent Management Platform based in the UK. This best-of-breed automated solution tracks and records the specific consent and preferences of your audience so you can prove specific consents on specific dates for every individual in your database. Using the Guidelines for Valid Consent from the CAI, we can help you structure your instance of CASSIE in a way that minimizes the risk for the organization and, more importantly, respects the rights of every individual in your database(s).

2. Implementing proper privacy policies and governance mechanisms

As a long-term but important obligation, businesses should begin to draft a clear and robust governance policy relating to personal information. The Amended Private Sector Act requires privacy policies to provide detailed and comprehensive information covering the life cycle of data collected by the business.

This includes data mapping, which can take time to conduct properly. In many organizations PII is not truly owned by any group: it simply exists, and several departments are responsible for certain aspects of it, but no one department takes ownership of that data. We recommend that the department that uses it the most take ownership and put in place strong Data Governance practices to protect the enterprise and reduce business risk. In many organizations that would be Marketing’s responsibility.

Staff training is critical. Front-line staff are where the rubber hits the road. There is no point in having well-documented policies and procedures if your staff are not aware of them and of why they are important to the organization’s reputation.

Privacy Impact Assessments are another new obligation. When deciding to collect new PII, adding new software or making any network change that impacts PII, a written assessment of the potential impacts is required. In a similar fashion, Transfer Impact Assessments are required when the data crosses borders, as the organization is accountable if anything goes wrong.

Third-Party Agreements must now include clear language and details of your organization’s position on privacy, and they should lay out clear statements of all parties’ obligations and expectations regarding all PII used by the organization and its third-party partners.

If you are interested in more detail, reach out to info@newportthomson.com for a full list of obligations under Law 25.


3. Ensuring timely and accurate data breach notification

Law 25 requires every organization to have documented policies and procedures for Confidentiality Incident Reporting Planning. The Act defines Confidentiality Incidents as security, data or privacy breaches. This includes keeping a Log of Confidentiality Incidents as well as reporting to the CAI and to the individuals involved under certain circumstances. We have implemented this process in dozens of organizations, large and small. If we can help, please contact us at info@newportthomson.com.

4. Among other compliance measures

We have a list of all obligations under Law 25 and will provide it upon request.

Summary

There is work to be done.

The business and personal risks are significant, and we should expect to see a few CEOs fined early in the enforcement process. Proving Valid Consent will be a key issue, as will reporting Confidentiality Incidents.

Quebec has watched GDPR enforcement earn a failing grade during the first 5 years of enforcing those regulations, and we believe they are determined to learn from some of those mistakes. All indications point to the CAI aggressively enforcing Law 25, the bulk of which comes into force September 22, 2023.

It takes time to implement a compliant Privacy Management Program, so we recommend starting now if you didn’t start 2 years ago when Bill 64 was passed and became Law 25.
