Blog

Compliance with Law 25 and the Upcoming Bill C-27

Written by NOVIPRO | Nov 13, 2024 5:03:17 PM

Are you adequately informed about the implications and regulatory requirements imposed by Law 25, which is now in effect in Quebec, and the upcoming Law C-27 at the federal level in Canada?  

Our latest annual study, the IT Trends, indicates a concerning lack of awareness regarding these new regulations among Canadian enterprises. The report reveals that nearly 30% of respondents remain unfamiliar with Law 25, while 28% are not acquainted with the upcoming Bill C-27. 

Throughout this article, focus your considerations on ensuring your company’s compliance and protecting yourself against significant repercussions, both financially and reputationally. 

Summary of Law 25 and Upcoming Bill C-27 

How to Sum Up Law 25 and Upcoming Bill C-27 in a Few Lines? 

Effective September 2022 in Quebec, Law 25 aims to protect personal information, ensuring it is secured and respects individuals' privacy. 

At the federal level, the upcoming Bill C-27 (introduced in the House of Commons on November 4, 2022, and currently under consideration) seeks to establish three existing laws: 

  • The Consumer Privacy Protection Act 
  • The Personal Information and Data Protection Tribunal Act 
  • The Artificial Intelligence and Data Act 

Furthermore, this bill proposes measures to safeguard consumer privacy, while also aiming to regulate the use of artificial intelligence (AI) to ensure its ethical deployment. 

The IT Trends reveals that nearly 50% of respondents have concerns about various aspects of these two laws, including data security, information management, and consent to data collection. 

According to Roger Ouellet, Director of Security Practice at NOVIPRO, "Many companies have a poor understanding of expectations and actual needs. They harbor concerns, yet may not fully grasp the impact and human investment required to achieve compliance." 

For More Relevant IT Information, Download IT Trends

Frequently Asked Questions from our Customers 

What Does Law 25 Require of Us? 

The issue of compliance with Law 25 is legitimate and frequently raised. Below is an overview of the key points to consider: 

1. Adherence to Strict Standards for the Collection, Use, and Retention of Personal Information:  

The implementation of Law 25 requires enhanced transparency in the collection of personal data. You are obligated to explicitly inform individuals about the purpose of collecting their data and how it will be utilized. 

Consent must be obtained formally, often through a checkbox on a form that clearly specifies the terms of data collection and usage, for example: 

Additionally, individuals have the right to withdraw their consent at any time, which requires you to cease any further use of their data. They may also request an inventory of their data and demand its deletion. 

2. Obligation to Inform Affected Individuals in the Event of a Data Breach 

In the event of a security breach compromising personal data, it is imperative to promptly inform the affected individuals. This communication must specify the nature of the incident, the compromised data, as well as the measures taken and to be taken to mitigate the associated risks. 

An incident log must be maintained, and it is important to understand that an incident is not solely a security breach but also includes unintentional actions, such as sending an email containing personal information to the wrong recipient. 

3. Reporting Privacy Incidents to the Commission d’Accès à l’Information (CAI):  

Any security incident that may cause significant harm to affected individuals must be reported to the CAI within 72 hours. This report must detail the incident, identify the impacted individuals, and describe the corrective actions that have already been implemented, as well as those planned to prevent future breaches. 

What Exactly Is Personal Information? 

In a constantly evolving regulatory environment, it is imperative for companies to recognize the importance of personal information and its protection. Many mistakenly believe that they do not handle personal data and, consequently, feel unaffected by Law 25. This perception is a fundamental error. 

The most sensitive personal information includes: 

  • Biometric data: fingerprints, DNA, face characteristics used for facial recognition 
  • Medical information: physical and mental conditions, medical history 
  • Personal preferences: political opinions, religious beliefs, sexual orientation 

Although not all companies necessarily collect this type of data, it is essential to know that even information deemed less sensitive can also be classified as personal information such as: 

First Name Last Name Email Address Mailing Address
Age  Social Insurance Driver's Licence Bank Information
IP Adress Taille Poids Password

If your company holds this information, you must be aware of your responsibility to protect personal information and comply with the law! 

When Do I Have to Comply with This Law? 

This visual represents the deadlines and associated responsibilities. 

Are you up to date?

If you are not up to date, contact a NOVIPRO expert to guide you! 
Contact an Expert 

Is My Company Subject to the Bill If It Is Located Outside Quebec? 

If your company is established outside Quebec but conducts business with clients located in the province, you are indeed subject to Law 25. This legislation applies not only to businesses present in Quebec but also to those that handle personal information of Quebec residents. Therefore, it is essential to comply with this law to ensure the protection of your clients' personal data and to avoid potential sanctions. 

How Can My Company Prepare for the Upcoming Bill C-27?

Although you still have time to prepare for the upcoming Bill C-27, it is advisable to begin implementing certain practices within your company now to get ahead and avoid a rushed implementation. 

It incorporates certain principles already established in the Generally Accepted Privacy Principles (GAPP), such as: 

  • Responsibility: Organizations are responsible for protecting the personal information in their possession, and a personal information security officer must be identified and published 
  • Identity: Companies must clearly identify the reasons for collecting personal information 
  • Consent: Individuals must provide their consent before their data is collected and used 
  • Limitation of collection: The collection of information must be limited to the data necessary to achieve the identified objectives 
  • Use and disclosure: Data must only be used or disclosed within the specific context for which it was collected 

And other requirements stemming from Privacy by Design (PbD): 

  • Security: You are required to implement robust security measures to protect personal data 
  • Visibility and transparency: You must establish transparent data management practices that allow users to understand how their information is used 
  • Respect for choices: You must provide individuals with the ability to exercise control over their personal data, including the right to give or withdraw their consent 

These principles can be found in privacy policies on your website, as here for NOVIPRO.

Discover NOVIPRO's Privacy Policies Here

"Many clients believe they are compliant with Law 25 or assume they are not affected. However, during our audits, it becomes evident that few companies are truly compliant. This concerns me, as the risks of cyberattacks are high, and the consequences can be significant for both clients and the organization itself," states Roger Ouellet. 

Consequences of Non-Compliance with the Law 

Law 25 imposes financial penalties when companies do not take data protection seriously. These penalties can reach up to $10 million in fines or 2% of the company’s global revenue, whichever is higher. 

Regarding delays in compliance, the penalties can vary depending on the nature and severity of the breach. They may range from less severe fines or administrative measures to more substantial penalties. Beyond these penalties, companies also risk losing the trust of their clients and suffering damage to their reputation. 

Bill C-27 indicates that companies may face a maximum fine of up to $10 million or 3% of the organization's gross global revenue for the previous fiscal year, whichever is higher. 

Any organization that deliberately violates the law or obstructs the Commissioner's work in the investigation process may be found guilty: 

  • From a criminal offense, subject to a fine of $25 million or 5% of gross global revenue 
  • From an offense punishable on summary conviction, which may result in a fine of $20 million or 4% of gross global revenue 

To avoid repercussions on your company's financial health and reputation, ensure you comply with the Quebec government's requirements. Anticipate the requirements of the upcoming Bill C-27 by reviewing your current practices and making the necessary adjustments to comply. 

NOVIPRO: Your Trusted Partner on the Path to Compliance 

We understand that the journey toward regulation and compliance can be complex and tedious. It is easy to become overwhelmed by the numerous legal requirements involved. That is why NOVIPRO's experts are at your disposal to guide you throughout this process. 

Here are some key steps we offer: 

  • Comprehensive diagnosis: We conduct a detailed audit of your company concerning all the requirements mandated by the law 
  • Roadmap: We develop an action plan to meet regulatory requirements following the diagnosis 
  • Legal compliance: We assist you in preparing for legal matters related to the law 
  • Data governance: We establish strict data governance practices 
    • Discovery and classification of sensitive data: Identify and categorize your data for optimal management 
    • Simplification of data privacy compliance: Develop clear and effective strategies to ensure the protection of information 
    • Governance of sensitive data: Implement robust governance policies to ensure proper data management 
    • Risk assessment related to data: Measure and mitigate the risks associated with managing your personal data 
    • Automation of data subject access requests (DSAR), privacy impact assessments (PIA), and data transfers (TIA): Organize these processes to achieve appropriate compliance 
    • Active data governance: Establish continuous and proactive monitoring of data management to ensure compliance 

Discover NOVIPRO’s Managed Security Services Provider (MSSP) solutions, which are built on strategically selected pillars designed to maximize benefits while optimizing cost-effectiveness. 

Compliance and data governance are included in our offerings! 

Discover how our MSSP can guide you through compliance requirements!

Want to Explore More Subjects?
Discover our Cybersecurity Article Series
Explore Our Article on 5 Myths in Cybersecurity 
Access All Our Resources on Security 

 
View full post