The bulk of the “Law 25” amendments to Québec’s Act Respecting the Protection of Personal Information in the Private Sector (“PPIPS”) take effect on September 22, 2023. In a previous post, we discussed the internal policies and practices these amendments require. This post focusses on four information systems configurations Québec businesses must respect to comply with Law 25. These include ensuring that (i) privacy settings default to “off”, (ii) profiling settings can be easily deactivated, (iii) an accurate mapping of personal information exists, and (iv) the systems can destroy and anonymize personal information that is no longer needed. This post also addresses a fifth requirement – often overlooked but increasingly relevant – concerning biometric data.
Privacy Settings Default to “Off”
As of September 2023, PPIPS’ new sub-section 9.1 requires businesses that collect personal information while offering a technological product or service to “ensure that the parameters of the product or service provide the highest level of confidentiality by default, without the intervention of the person concerned”. This requirement does not apply to cookies used as connection indicators. Concretely, this means that the individual must activate any tracking included in service or product. By default, the business offering such a good or service must set the tracking features at “off”.
Profiling Disclosed
In keeping with the previous point, businesses that use technology to identify, locate or profile an individual will have to disclose, in their privacy policy, not only that they are engaging in such activity but how their profiling technology can be activated (presumably so the individual who does not wish to be profiled can de-activate it). Subsection 8.1 makes clear that this required transparency also applies to monitoring in the workplace. It specifically states that “profiling” “means the collection and use of personal information to assess certain characteristics of a natural person in particular for the purpose of analyzing that person’s work performance, economic situation, health, personal preferences, interests or behaviour”.
As a result, come September 2023, businesses will have to be fully transparent about all the technology they deploy to monitor individuals, including employees in Québec. Presumably they will also have to ensure that the technology in question is configured to allow for deactivation at the individual’s request.
Knowing Where the Personal Information Is…