Quebec’s Law 25: Is your company ready for round 2?

Share   | 

Law 25 Alert: Ready for Compliance?

The latest Law 25 changes are here, reshaping how Canadian companies handle personal information.

eZsign: Your Law 25 Compliance Partner

At eZsign, we take compliance and security seriously. We’re fully equipped to meet Law 25 requirements, ensuring businesses in Quebec and across Canada can:

The next wave of changes under Law 25 (Bill 64) take effect on September 22, 2023 and will have a big impact on how Canadian companies protect personal information.

Most Canadian businesses, associations, and organizations gather and store sensitive personal information as part of their operations, including names, telephone numbers, email addresses, social insurance numbers, credit card or bank account information, and more.

In recent years, multiple Canadian businesses have been involved in high-profile data breaches, including Bell Canada, Desjardins, and even Ontario’s provincial vaccine management system. And the amount of data being stolen is increasing: according to security firm Risk Based Security (RBS) and cited by Deloitte, the quantity of stolen records increased by 4,379% between 2015 and 2020.

In response, the National Assembly of Quebec adopted Law 25 (also known as Bill 64 and officially an act to modernize legislative provisions as regards the protection of personal information) on September 22, 2021, with different waves of changes entering into effect between September 22, 2021 and September 22, 2024. The latest (and most important) of the provisions are entering into effect on September 22, 2023. Are you ready?

What do businesses have to do under Law 25?

Law 25 may be a provincial law, but it is the most sweeping and strict privacy legislation in Canada in decades. It applies to most organizations or companies that do any business involving the collection, use, or disclosure of personal information of Quebec residents and imposes a broad new “privacy by default” mandate.

This means that almost all Canadian businesses will be impacted by this law. And while implementation has been slow and steady, the biggest changes are taking place in just a couple of weeks.

Examples of new obligations under Law 25

As of September 22, 2023, organizations operating in Quebec will have to:

  • Appoint a privacy officer who will oversee the handling of personal information
  • Notify Quebec’s Commission d’accès à l’information and all affected individuals of any confidentiality or privacy incidents, including data breaches and any unauthorized access/use/disclosure of personal information 
  • Take reasonable steps to reduce the risk of breach-related harm on those affected
  • Keep detailed records of all incidents
  • Enhance data policies and procedures

How can Canadian businesses prepare to comply with Law 25?

It is safe to say that if you’re a Canadian business or organization, Law 25 will affect you. So, how can you prepare? 

First, don’t delay. The biggest changes go into effect in less than a month.

Next, make sure you have done the following:

  • Ensured your technology partners and e-signature provider are Law 25 compliant
  • Designated a privacy officer and documented their role and responsibilities
  • Documented and updated policies and procedures about personal data collection and privacy
  • Established a privacy incident response plan, including a breach notification plan
  • Created a privacy incident documentation process
  • Planned when and how to conduct Privacy Impact Assessments (PIAs) 
  • Implemented a way to inform people concerned that they have the right to access, rectify, and erase their personal data, and to withdraw consent to data processing and/or restrict processing (enhanced consent)

Organizations that don’t comply with Law 25 face steep penalties. Penalties for natural persons range from $5,000 to $50,000 and between $15,000 and $25,000,000 or 4% of global revenue, whichever is greater, for companies. 

eZsign: helping you comply with Law 25

At eZsign, we take security, regulatory compliance, and the law extremely seriously. You can read about all the measures we take every day to keep personal data safe in our Trust Centre.

eZsign the company and eZsign, our leading electronic signature solution, meet all of the requirements of Law 25, which means businesses across Quebec and across Canada can sign important documents electronically with confidence knowing personal data is being processed and stored correctly.

eZsign features for Law 25

  • Based in Quebec: All eZsign data is processed and stored securely on Quebec soil thanks to our powerful and versatile AWS infrastructure
  • Level 4 Assurance: The highest level of identity verification assurance in Canada, with all data processed and stored in compliance with Law 25
  • Enhanced Consent: Signers consent to signing documents electronically and to electronic data transfers, and can remove consent at any time

eZsign: the best e-signatures for Canada

eZsign is Quebec’s very own homegrown electronic signature solution. We know Canada better than anyone else, which is why we’re the best alternative to Adobe, DocuSign, and other popular solutions for Canadian companies that want to harness the benefits of e-signatures.

To learn more, book a time with one of our e-signature experts.

This article in no way constitutes legal advice. Always consult with counsel for all your legal and contractual questions.