Glad you’re back for part 2 of interview with Mathilde Canque, Data Protection Officer, Risk & Compliance Expert from right here at Hitachi Systems Security. In part 1, we listed and defined the three-phase rollout of the legislation, discussed the major components of Law 25 and provided you Ms. Canque’s perspective on handling the Privacy Officer’s responsibilities and those of the organization in general. In this 2nd part of the two-part series, we’ll continue our interview with Ms. Canque to discuss the rest of Law 25 as well as how organizations can prepare for the law’s compliance mandates.
Question: Is the definition of "confidentiality incident" under the new Québec law the same as the definition of "breach of security safeguards" in the current federal legislation?
Answer: It is similar, but there are some key differences.
A “breach of security safeguards” is defined in PIPEDA as the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.
Law 25 defines "confidentiality incident" as the unauthorized access, use or disclosure of personal information, the loss of personal information or any other breach of personal information.
Law 25 also includes unauthorized use of personal information, which makes it broader than the definition of "breach of security safeguards" in the current federal legislation.
Question: If an organization has reason to believe a confidentiality incident has occurred, does the obligation to take reasonable measures to reduce the risk of injury and prevent future incidents of the same nature arise solely from the new Québec law?
Answer: While the definition of what is an incident or a breach affecting personal information may differ from a legislation to another, Law 25 is not the only regulation requiring taking appropriate actions to reduce the associated risks. Indeed, similar requirements may be seen under PIPEDA, or the General Data Protection Regulation (GDPR) in the European Union.
When such event occurs and that the organization discovers the breach, Law 25, PIPEDA, or GDPR will require the organization to investigate the breach to assess the risk and take appropriate actions, including:
Indeed, under Law 25, while documenting the breach is always required to demonstrate compliance with privacy legislations (accountability principle), notification of such event will be required in case of a “risk of serious injury”, which is similar to a “real risk of significant harm” under PIPEDA.
The assessment of the risk will be performed on a case-by-case basis, considering for example:
The existing measures at the time of the incident and the additional measures taken and/or proposed to mitigate the risks should also be taken into account for the risk assessment.
Question: Do organizations need to start keeping a register of all breaches under the new Québec law?
Answer: Yes, similarly to PIPEDA and GDPR, organization subject to Law 25 will need to keep track of every confidentiality incident in a dedicated register in order to keep their business in compliance with the law. This way, you will be able to provide information to the CAI upon request and demonstrate your compliance with the Law. In addition, organizations should retain the documentation for a five-year period, which is 3 years longer than under PIPEDA.
Also, in phase 2 starting in late 2023, the CAI will have broad authority to order any individual involved in a confidentiality incident to take any measure needed to protect the rights of those concerned.
This includes, but is not limited to:
While the application of Law 25 started in September 2022 with the first stage of requirements, the biggest part of the Act is for September 2023. In this regard, and if not already started, organizations will have to establish and implement a privacy framework comprising practices and policies that are proportional to the extent and nature of the company's activities to protect personal information.
Law 25 sets out specific requirements regarding the protection and destruction of personal data, the responsibilities, and roles of staff members throughout the information life cycle, and the implementation of a process to handle complaints.
Develop and implement a privacy framework outlining your policies and practices with respect to the organization’s use and protection of personal information. This framework should especially include a data breach response plan, retention schedules, the roles, and responsibilities of the members of the organization’s personnel throughout the life cycle of Personal Information and procedures for access requests and handling complaints.
Publish clear, simple, and detailed information about the organization’s practices on your website, through a privacy policy.
If you collect personal information through technological means, provide a confidentiality policy that is written in clear and simple language on your website.
In addition, organization must conduct Privacy Impact Assessments or PIA under a few scenarios. First, organization must conduct PIAs regarding any upgrades, acquisitions, or developments of any of the organization’s IT infrastructure or digital products involving the processing of personal information.
Second, firms must conduct PIAs prior to transferring covered data out of Quebec. In conducting PIAs prior to transfer, the firm must consider the sensitivity of the information, the purposes for which it will be used, and the protection measures used in the transfer. Firms must also assess whether the information will receive adequate protection in compliance with “generally accepted data protection principles” in the jurisdiction to which it is sent.
Lastly, an organization must conduct a PIA when it discloses covered personal information “for study or research purposes” without data subjects’ consent.
GDPR established the now infamous “right to be forgotten” and “right to portability” rules and Law 25 creates rights very similar to those offered under GDPR. Individuals’ right to erasure comes into effect in September 2023 and requires that individuals be able to request organizations to stop distributing their personal information. In cases where this distribution is causing the individual harm (or where it contravenes a court order), they will also have the right to have any internet links attached to their names de-indexed.
In addition, just like GDPR or CCPA in California, USA under the right of portability, organizations will be required to provide individuals with personal information collected about them in a structured and commonly used technological format. The portability requirements are the only provision amending the Private Sector Act that will take effect in phase 3 or September 2024.
Law 25 brings Québec’s privacy laws closer in line with the GDPR, the leading data protection framework in the world. Because the USA is not governed by an overarching federal privacy law, the California Consumer Privacy Act (CCPA) is seen as one of the most important privacy developments in the country.
As we close part 2 of this article and interview with Ms. Canque’s we wanted to get her final thoughts and takeaways on the law, so we asked her to compare and contrast Law 25 with GDPR and CCPA
Answer: The three legislations present similarities in that they are based on the same fundamental principles proposed by the OECD, with a marked desire for Quebec and California to align themselves with European practices. However, the approach differs from a legislation to another.
A key difference will be the scope of each legislation, where Law 25 and GDPR applies to all individuals located respectively in Québec and European Union. CCPA however will only protect customers located in California.
Another great example would be the consent requirement and applicable legal basis for the collection and processing of personal information. Indeed, Law 25 requires organizations to ask for consent to collect personal information prior to collecting the data. Under GDPR however, the processing of personal data can be allowed under several justification, for example the existence of a legal obligation, the existence of a contract or a legitimate interest. In California, obtaining prior consent is not a requirement and CCPA puts the responsibility on the consumer to request data deletion after collection.
Question: Final question Ms. Canque, can you recommend any resources to help organizations get started with Law 25?
Answer: We have helped dozens of organizations upgrade their privacy framework to become compliant with their applicable privacy legislations, so we are always here as a resource for organizations. Also, I recommend a step-by-step and risk-based approach; checklists like this one by McMillan are always good resources to get started. I would also recommend to refer to guidelines provided by the supervisory authorities in Quebec and Canada, but also around the world with the European Data Protection Board (EDPB) to learn more about international best practices. Finally, the International Association of Privacy Professional (IAPP) is also a great source of information.
Thank you to Ms. Canque for her thoughtful interpretation of Law 25 and candid advice and recommendations in our interview. Much appreciated!
