Law 25: Understanding the evolution of the regulatory framework
We’ve been telling you about it for the past few months, but now it’s official: Law 25 came into effect as of September 22. The time has come to prepare your business for the change, and the best way to do that is to fully understand the regulatory framework we’ll all need to work within.
To remind you, Law 25 (LQ 2021, c 25, hereafter referred to as Law 25) brings a certain number of changes to the current framework (articles 100 to 161 of Law 25) on the protection of personal information in the private sector (Law P-39.1). While most of these changes won’t come into effect until September 22, 2023 (article 174 of Law 25), it should be noted that certain provisions are already applicable as of September 22, 2022 (article 175 of Law 25):
- appointment of a person responsible for the protection of personal information (new article 3.1 of Law P-39.1);
- confidentiality incidents (new articles 3.5 to 3.8);
- communication of personal information as part of a business transaction (new article 18.4);
- communication of personal information for the purposes of research (new article 21).
In this article, we’ll explore the general principles behind the new legal arsenal that goes into effect as of September 22, 2023, specifically:
1. The scope of application of the law
Without making any fundamental changes to the scope of the law on the protection of personal information in the private sector, Law 25 adds a certain number of elements to the current definition, in addition to including a new exception.
a. Clarification of the concept of personal information
In the new article 2, Law 25 specifies the following:
personal information is any information that concerns a physical person and enables their identification directly or indirectly.
In this article, legislators seem to be highlighting that the personal nature of information cannot be understood too restrictively. While it’s hard a priori to determine what indirect identification covers, Law 25 introduces a distinction between depersonalized information and anonymized information, which raises some uncertainty.
Personal information is depersonalized (new article 12):
when this information no longer allows direct identification of the person involved […].
Anyone who operates a company and uses depersonalized information must take reasonable measures to limit the risk that someone might be able to identify a physical person using depersonalized information.
On the other hand, information is anonymized when it is (new article 23):
reasonable to expect that under the circumstances it no longer allows, in an irreversible way, anyone to directly or indirectly identify this person.
Both of these definitions hinge on ideas about the risk or impossibility of identification in an irreversible sense. All data that carries a risk of identifying a physical person must therefore logically come under the scope of this law; on the other hand, this shouldn’t be the case if it is reasonable to believe that it is impossible to identify someone with the data collected.
When applied to the digital industry, this definition covers a very wide field:
- Google Analytics- or Adobe Analytics-style systems of behavioural profiling use browser data to identify unique visitors; is it reasonable to believe that it is impossible to identify a person with this type of data? If we consider further that it is currently the practice to cross-reference these data with a customer relationship management (CRM) platform or enterprise resource planning (ERP) system, it becomes obvious that the entire analytics ecosystem is affected by Law 25.
- Ad platforms like Google Ads or Facebook use browsing data to personalize advertising. Given the volume of data collected by these platforms, is it reasonable to think that it would be impossible for them to identify you? It seems once again that in this case it’s the entire digital ecosystem that is affected by Law 25.
The current version of the law for the protection of personal information in the private sector leaves a few lingering uncertainties regarding the concept of personal information. Law 25 brings some clarification to those issues. This clarification leans in the direction of the interpretation provided by the Commission d’accès à l’information du Québec (CAI), which was, as of March 16, 2016:
“companies that use profiling systems and targeted advertising on the Internet are subject to the Law for the Protection of Personal Information in the Private Sector.”
b. The exclusion of professional information
While clarifying the concept of personal information, the law introduces an exception to its scope of application (new article 1) concerning:
personal information about a person’s exercise of their duties within a company.
This provision therefore appears to exclude professional details, which in theory may be used without the person’s consent. It should be noted, however, that the private sector is still subject to the requirements of the Canadian anti-spam law, which makes consent obligatory for sending commercial electronic messages. This puts limits on this exception in practice.
2. New requirements in data collection
Law 25 has introduced a requirement regarding consent and information. It also makes a few clarifications on the scope of data collection.
a. Scope of data collection limited to predetermined purposes
Law 25 states the following (new article 4):
All people operating a company who, as a result of serious and legitimate interest, collect personal information on others must, before collection, determine the purposes of this collection.
Furthermore, it specifies that (new article 5):
The person who collects personal information on others may only collect the information needed to fulfill the purposes determined before collection.
In other words, data collected must be limited to the purposes for which they are being gathered; these purposes cannot be changed once the data-gathering has been performed (unless consent is obtained).
In the digital sector, it’s common for personal data to be used for purposes other than the reason they were initially collected, particularly in the case of audience creation or data unification. Below we’ll see that this requirement regarding the purpose for collection will raise a certain number of difficulties.
b. Reporting obligation in simple, clear terms
i. Necessary information
The new article 8 requires that the person collecting the personal information must inform the individual concerned of the purposes and means by which this information is collected, their right to access it and their right to withdraw their consent for its collection.
ii. A requirement enforced in the digital sector
Concerning the use of technology that “includes functionalities enabling [the identification of the individual concerned], to pinpoint their location or profile them” (new article 8.1), the law requires that subjects be informed of the use of such technology as well as the means through which these functionalities are activated.
c. Consent of the subject
i. The concept of implicit consent
From the moment such information has been provided in accordance with the law, anyone who has provided their personal information consents to its use and communication (new article 8.3). In other words, the law recognizes that companies may rely on implicit consent.
ii. The opt-in principle in the digital sector
While the law recognizes the principle of implicit consent, it seems this is not applicable when it comes to the digital realm:
- New article 8.1: “the person collecting personal information from subjects using a technology that includes functionalities permitting their identification [must inform them] of the means available for activating these functionalities which permit identification, geolocation or profiling.”
- New article 9.1: “a person operating a company who collects personal information by offering a technological product or service to the public that has privacy parameters must ensure that, by default, such parameters ensure the highest level of privacy.”
By targeting both the activation of identification functionalities and the highest level of privacy by default, it seems that the principle of implicit consent does not apply to the digital collection of personal data. Addressing this new provision during a parliamentary committee meeting, Éric Caire, the Minister of Cybersecurity and Digital Technology, indicated that such a position amounted to the introduction of explicit consent (opt-in) for the collection of personal data using technology possessing identification, geolocation or profiling functionalities. Furthermore, the CAI mentions on its website that “these technologies cannot be activated by default: the subject must be the one to activate them if this is their preference.”
To sum up, the law introduces fairly significant changes in the digital sector with regard to data collection:
- The use of online advertising services or behavioural data tracking must be preceded by explicit consent (opt-in) before any data can be collected. In practice, this makes the use of consent management systems practically obligatory for anyone with a presence online if they intend to conform to Law 25.
- Privacy policies must be designed with particular attention, given that this document will determine the scope of data collection (meaning the purposes for which the data will be collected).
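As an added illustration (not code from the original article), the following consent gate models the opt-in reading of articles 8.1 and 9.1 described above: every identification, geolocation or profiling functionality starts at the most protective setting and a tag is loaded only after an explicit opt-in for its purpose. The purpose names, the `loadScript` callback and the script URLs are assumptions for illustration.

```javascript
// Added example: a minimal consent gate for identification/profiling tags.
// Purpose names and tag URLs below are placeholders, not a real site's tags.
const PURPOSES = Object.freeze(["analytics", "advertising", "geolocation"]);

// Article 9.1: every privacy parameter defaults to the highest level of privacy.
function defaultConsent() {
  return Object.fromEntries(PURPOSES.map((p) => [p, false]));
}

// Hypothetical mapping from each purpose to the scripts that serve it.
const TAGS_BY_PURPOSE = Object.freeze({
  analytics: ["https://tags.example.invalid/analytics.js"],
  advertising: ["https://tags.example.invalid/ads-pixel.js"],
  geolocation: [],
});

// `loadScript(url)` is injected so the gate can be exercised outside a browser;
// in a page it would append a <script> element for the URL.
function createConsentGate(loadScript) {
  const consent = defaultConsent();
  const loaded = new Set();
  const decisions = []; // record of every consent decision, for evidence

  // Article 8.1: functionalities are activated only by the subject's explicit choice.
  function setConsent(purpose, granted) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    consent[purpose] = granted === true; // only an explicit boolean true is an opt-in
    decisions.push({ purpose, granted: consent[purpose], at: Date.now() });
    if (!consent[purpose]) return; // refusal or withdrawal: load nothing further
    for (const url of TAGS_BY_PURPOSE[purpose]) {
      if (!loaded.has(url)) {
        loaded.add(url); // each tag is injected at most once
        loadScript(url);
      }
    }
  }

  const isAllowed = (purpose) => consent[purpose] === true;

  return {
    setConsent,
    isAllowed,
    loadedTags: () => [...loaded],
    decisions: () => decisions.slice(),
  };
}
```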
3. Limits to the use of personal data
a. A use restricted to the purposes for their initial collection
The new article 12 states the following:
“Personal information cannot be used within a company other than for the purposes for which it was originally collected.”
Furthermore, this same article provides for a certain number of exceptions: purposes compatible with those already defined during its collection, its use for the benefit of the subject, the necessity to prevent fraud, the delivery of a product or even for the purposes of a study or research. However, in light of all this, the law specifies that prospecting for business purposes should not be considered a compatible purpose. In other words, business objectives must necessarily be specified at the time the data is collected, otherwise the data cannot be used for such purposes.
In the digital sector, this restrictive approach to business purposes may raise some difficulties:
- For customer data unification systems: connecting different sources of data in order to obtain an overall view of the customer profile is already a technical challenge. This requires having a unique key enabling all the data to be connected together. Law 25 adds another layer of complexity to this type of project. Basically, you now need to ensure that the unified data coming from various sources have all been collected for the purposes of commercial prospecting before they can be activated.
b. Prohibition of transmitting information to third parties
The new article 13 states the following:
“No one may transmit personal information held about a subject to a third party unless that subject has consented or such communication is not under the jurisdiction of this Law.”
By introducing the principle of a ban on the communication of personal information to third parties, this provision strikes a decisive blow against how online advertising currently works. The online ad system is mainly based on the sharing of information between advertisers and advertising platforms. This sharing makes it possible, on the one hand, to measure the effectiveness of campaigns (conversion metrics) and, on the other, to establish fairly precise retargeting tactics. By subjecting this information sharing to explicit consent (see the opt-in idea above), this positioning is likely to produce two results in the online advertising ecosystem:
- the loss of precise conversion metrics;
- the loss of effective retargeting tactics.
The extent of the influence of Law 25 on online advertising should, however, be qualified. For the past few years, the major digital players have already started putting in place policies limiting the sharing of information between advertisers and ad platforms: with the Intelligent Tracking Prevention (ITP) protocol, Apple rendered the sharing of data on Safari with ad platforms practically impossible; Google, for its part, announced the end of third-party cookies on Chrome as of 2024. Law 25 is therefore far from being completely revolutionary in this sense.
c. Regulations regarding the transmission of data outside of Quebec
In the new article 17, the law states the following:
“Before communicating personal information outside of Quebec, the person operating a business must perform an evaluation of elements related to privacy. This person must particularly take into account [certain elements].”
It should be noted that this provision echoes the Schrems II judgment issued on July 16, 2020, by the European Court of Justice (ECJ). The court stated in its decision that the internal regulatory framework of the United States was incompatible with the protection of personal data for European citizens. Services transferring personal data to the U.S. were therefore not in compliance with the EU’s General Data Protection Regulation (GDPR). Following this decision, many European authorities responsible for protecting personal data declared Google Analytics to be non-compliant with European regulations.
Given the framework of Law 25 was largely inspired by European regulations in this area, it’s likely that article 17 will serve as a legal basis for the same type of decision. This provision is therefore far from being harmless and may even in future cause a number of problems, particularly with regard to cloud services hosting data outside of Quebec.
Regarding the use of personal data, Law 25 introduces a big change for companies operating in the digital world:
- Governance of personal data will become a central issue for these companies
- Current tactics in advertising will have to evolve under the accumulated effects of technical changes (the cookie apocalypse) and regulations
- Hosting data outside of Quebec should be examined very closely
4. Data storage
a. The duration of data storage
The new article 23 states the following:
Once the purposes for which personal information has been collected are accomplished, the person operating a business must destroy it or anonymize the information for its use for serious and legitimate purposes, subject to a storage period specified by law.
However, the new article 79.1 states the following:
Despite article 23, a personal information agent must destroy personal information that was collected more than seven years ago.
The drafting of article 79.1 leaves hardly any room for doubt: all personal information collected must be destroyed after seven years, with the exception of investigative records. However, there is no provision explaining how the date of collection should be determined.
b. The right to data portability
The new article 27 has clarified the extent of the law respecting data portability. Upon request by the subject concerned, the company must communicate the information in written form or using a formal technological format that is currently in use.
5. Applicable sanctions
The main limitation of the current law on the protection of personal information in the private sector is due to the low amount of penalties incurred. As an example, the highest penalty that can be imposed is $100,000, which is not that much of a deterrent for a large company. Law 25 revises this amount considerably. In cases of infraction, the fine can now be up to $25,000,000 or 4% of the worldwide revenue of the company in question.
The main principles motivating Law 25 will deeply change the system governing the possession of personal data in the private sector. In particular, companies pursuing online activities will be most affected by this legislation. In the coming year, Quebec companies will need to be especially vigilant with regard to:
- establishing an online consent management system;
- drafting a clear, precise data management policy;
- evaluating the risks of exposing data outside of Quebec;
- evaluating their current practices regarding online advertising, analytics platforms and customer data unification systems.
These aspects have become even more sensitive given the fact that penalties are now much heavier.