September’s implementation of the first phase of Quebec’s new private sector privacy law will include privacy impact assessments, which were formerly only present in the province’s public sector, says Guillaume Laberge, a Montreal-based partner at Lavery.
Law 25, which amended Quebec’s Act Respecting the Protection of Personal Information in the Private Sector, is coming into force in three phases, beginning on Sept. 22. Among the first set of changes is a requirement that companies execute privacy impact assessments in three different scenarios. When an organization communicates personal information outside of Quebec, it will need to complete a privacy impact assessment. The development or upgrade of an information system or electronic service that involves the collection, use, communication, or destruction of personal information will trigger the requirement. And a privacy impact assessment will also be necessary when a company shares personal information for research purposes.
“It’s a risk management process that occurs before the decision is made,” says Laberge. “The purpose is to help businesses to ensure that they heed legislative requirements, and they identify beforehand the impacts that their activities will have on individuals’ privacy.”
Laberge is a member of Lavery’s administrative law group, practises administrative and constitutional law, and has experience in the law around access to information, privacy, and professional discipline.
Clients may be concerned about the time commitment involved, the process’s complexity, and the resources required to execute a privacy impact assessment. But, he says, a proper assessment is not necessarily long, complicated, or resource intensive. It simply requires planning and an understanding of the risks and potential privacy impacts.
“A good privacy impact assessment must be adapted to the level of complexity of the project.”
As an example of the necessary planning, when a company decides to communicate personal information outside of Quebec, it must consider the legal regime applicable in the jurisdiction in which the information will be disclosed, and whether that jurisdiction provides an adequate level of protection considering “generally accepted principles of protection of personal information,” says Laberge.
Organizations engaging in any of the activities triggering a privacy impact assessment will need to keep records of it on hand in case there is an inquiry from the privacy commissioner as the result of a complaint, he says.
“It’s not necessarily a complicated process, but it needs to be done carefully. It’s not a superficial legal checklist. It’s more than that.”
“It also needs to be kept up to date. It’s not necessarily a one-time exercise. It’s not a marketing tool… More importantly, it’s not a tool to justify decisions already made or practices already in place. It needs to happen upstream of the decision-making process.”
The first batch of amendments came into force in 2022, the third will be in force in September 2024, and the fourth in September 2025.
Among the requirements being introduced this September is that organizations appoint a privacy officer in charge of the handling of personal information. Companies will also need to notify the Commission d’accès à l’information du Québec of any privacy breaches or unauthorized disclosure of personal information, as well as anyone impacted, and keep a record of the event for five years.
Fines for non-compliance with Law 25 range from $15,000 to $25,000,000.