This article highlights three incremental requirements in
Quebec’s new privacy Law 25 that organizations that previously
prepared for the EU’s General Data Protection Regulation (GDPR)
and the California Consumer Privacy Act (CCPA) should consider.

1. Data Protection Officer – According to
Quebec’s Law 25, the individual with the highest level of
authority within the organization is responsible for ensuring that
Law 25 is implemented and complied with.[1] The position
can be delegated, in writing, to a member of the management
personnel.[2]

This Data Protection Officer (DPO) role under Quebec’s Law
25 is responsible for reviewing and approving policies and
procedures, participating in the development of Privacy Impact
Assessments (PIAs), advising the organization during data breaches,
and responding to privacy rights requests, including but not
limited to, the right to be forgotten.

Quebec’s Law 25 does not require the DPO to be located in
Quebec; as such, we anticipate this role will fall to the
organization’s existing Chief Privacy Officer / DPO, or
organizations will appoint a Third Party DPO. The assumption is
that the CEO will take on the DPO role unless otherwise delegated
to another member of management or the Third Party DPO.

Organizations that collected personal information on residents
of Quebec but did not meet the requirement to appoint a DPO under
the EU’s GDPR may find themselves in a position where they need
to appoint a DPO regardless of the DPO appointment decision taken
under their GDPR readiness program.

Action item: Organizations will likely need to
appoint a DPO if their CEO does not want to assume the DPO role by
default.

2. Privacy Impact Assessments –
Quebec’s Law 25 requires that organizations conduct a Privacy
Impact Assessment “for any project to acquire, develop or
overhaul an information system or electronic service delivery
system involving the collection, use, release, keeping or
destruction of personal information.”[3] Law 25 also
requires that organizations conduct Privacy Impact Assessments
before transferring personal information outside of
Quebec.[4]

As Privacy Impact Assessments and/or Transfer Impact Assessments
become more common and required by most major sovereign privacy
laws, it is important to note that Quebec’s Law 25 requires
PIAs for “keeping or destruction of personal
information.” We highlight this requirement as incremental to
Quebec’s Law 25 because other privacy laws such as the GDPR or
CCPA do not require PIAs to be conducted on data retention or
minimization activities.

In terms of conducting a Privacy Impact Assessment on personal
information transferred out of Quebec, the assessment is to confirm
that the data transfer would receive adequate protection in
accordance with “generally recognized principles”
regarding the protection of personal information.[5]

It is interesting to ponder if the U.S. Data Privacy Framework
(DPF) certification will serve as a proxy for “generally
recognized principles” for the transfer of personal
information from Quebec to the United States.

Action item: Develop a data map and conduct
privacy/transfer impact assessments on all data transfers leaving
Quebec.

3. Automated Processing – Under
Quebec’s Law 25, an organization that uses personal information
to render a decision based exclusively on automated processing must
inform the person concerned of the personal information used to
render the decision; the reasons, principal factors, and parameters
that led to the decision; and the right of the person to have the
personal information used to render the decision
corrected.[6]

In this context, “Automated Processing” under
Quebec’s Law 25 may be broader than “Automated Decision
Making” under the GDPR. Automated Decision Making (ADM)
considerations under the GDPR apply only if that
processing activity carries a significant and/or legal impact on
the individual. Under Quebec’s Law 25, we do not see that same
high threshold for Automated Processing as for Automated Decision
Making under the GDPR.

Action item: Evaluate the notification
requirements in Quebec’s Law 25 related to automated processing
in the context of your existing Artificial Intelligence governance
program.

The Quebec Privacy Law 25 carries many of the same requirements
as other modern privacy laws; however, organizations should
consider adjusting their privacy readiness program to account for
the finer nuances discussed herein.

Footnotes

1. Quebec Bill 64. Page 7. Retrieved October 25, 2023: https://www.publicationsduquebec.gouv.qc.ca/fileadmin/Fichiers_client/lois_et_reglements/LoisAnnuelles/en/2021/2021C25A.PDF

2. Ibid.

3. Quebec Bill 64. Page 11. Retrieved October 25,
2023.

4. Quebec Bill 64. Page 19. Retrieved October 25,
2023.

5. Ibid.

6. Quebec Bill 64. Page 15. Retrieved October 25,
2023.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
