In September 2021, the Province of Quebec took steps to update its data protection and privacy laws by introducing Law 25, rolling out a set of obligations over three years that businesses must follow when handling sensitive data and personally identifiable information (PII). In September 2023, Law 25 add more teeth with additional privacy rights for consumers being introduced. This is good news for consumers, and for businesses, Law 25's alignment with the GDPR and PIPEDA will help ease friction when conducting business across different jurisdictions.
Corporate obligation highlights of Law 25
- Breach notification: Law 25 requires prompt notification of a data breach that is likely to cause "serious harm". Private-sector businesses must notify Le Commission d'accès à l'information (CAI) du Quebec, as well as any affected consumers (recommended within 48 hours). Failure to report can result in fines and sanctions as high as 4% of revenue turnover (or C$25 million, whichever is higher. An additional 2% or C$10 million is at the discretion of the regulators to impose administrative monetary penalties (AMP).
- Person in Charge of Personal Information (the PCPI): Law 25 sets the responsibility of privacy and data protection to the highest-ranking senior executive (CEO). Other designated individuals who act as the PCPI must be named and published on the corporate website.
- Privacy Impact Assessment (PIA): Law 25 recognized that privacy and appropriately handling sensitive data is not a "once and done" initiative. Data is at the centre of every business. As businesses change, transform, and evolve, data can be impacted (e.g., merger or acquisition, IT modernization, AI or application development). Law 25 requires businesses to run a privacy impact assessment (PIA) during these events to ensure compliance and responsible personal or sensitive data handling. PIAs must cover what data is impacted, how it is used and protected, and how privacy is preserved.
- Enhanced Consent: Law 25 requires private businesses to receive consent from consumers before collecting, using, or sharing personal data. However, in some cases, companies can process personal data without consent when completing a commercial transaction or conducting research. For other activities, businesses must be able to show how personal data is used (for business purposes). For sensitive information, a consumer must have expressly consented to its use.
Newly added consumer rights
Effective September 2023, consumers now have the following rights:
- Right to be notified of a breach.
- Right to access your data
- Right to rectification your data
- Right to delete your data.
- Right to withdraw consent for collection of personal data.
- Right to restrict processing of personal data.
- Right to action (civil damages minimum of C$1,000)
- Right to data portability (Effective September 2024)
Law 25 Privacy Compliance with OpenText by Voltage
Voltage privacy-enhancing and privacy-preserving technologies
Privacy-enhancing technology (PET) refers to technologies designed to improve privacy by reducing the amount of personal data collected and shared. These technologies include PII detection, de-identification, anonymization, and data minimization techniques. PET aims to reduce the risk of personal data being used or misused in ways that could harm the user if not handled ethically.
Privacy-preserving technology (PPT) refers to a subset of Privacy-enhancing technologies that offers a variety of techniques and tools designed to protect the privacy of individuals and organizations when they share, collect, or personally process data. These technologies are used in various contexts, including consumer privacy, data analytics, and data lifecycle management. The goal of PPT is to ensure that personal data remains secure and cannot be accessed or used by unauthorized parties.
Some examples of privacy-preserving technology include:
- Encryption: preserves data from unauthorized use/ access or sees the data in clear text.
- Data Masking: preserves data by removing personally identifiable information (PII) from data sets, making it difficult to trace the data back to specific individuals.
- Tokenization: preserves data by replacing sensitive data with a unique, reversible token that can be used to represent the data but cannot be used to reveal the data itself without the presence of the token
- Anonymization: preserves data by replacing PII with a pseudonym, or fake name, that cannot be traced back to the individual.
- Data minimization: preserves data by collecting and storing only the minimum amount necessary to achieve a specific purpose, reducing the risk of data misuse or abuse; and,
- Data access monitoring: preserves privacy by ensuring unauthorized parties cannot access or use personal data.
These privacy-preserving technologies are critical to business operations as organizations balance collecting and using customer data and their obligation to protect individuals' personal information from being accessed, used, or shared without their consent.
Voltage Data Privacy and Protection helps organizations with the following areas of the Quebec Data Protection Law 25:
The right to delete – Section 27
Voltage Fusion Data Discovery capabilities help organizations understand the value of their data and how they can apply business purposes along with retention and disposition policies on high-value data-in-use to lessen the disruption of subject rights requests. For example, in cases where the right to delete is requested and valid, Voltage can delete that data from the source location or lead application.
Business purpose – Section 8(1)
Data Discovery capabilities provide insight and analysis around sensitive data. They can dynamically tag data with categories that map to regulations, specifically around the business purpose for which personal information was collected.
Data Minimization – Section 12, paragraph 2 (1)
During Data Discovery processes, help identify what should be kept and what can be minimized or deleted. For instance, it can help determine if the data is duplicate, redundant, or outdated. In addition, application data can be archived and retired to help reduce the threat landscape and improve compliance and security postures.
Data Security and Protection – Section 12, paragraph 2(3), Section 13
Voltage Data Protection services help organizations de-identify sensitive data (mask, encrypt, tokenize). When sensitive data is de-identified, Law 25 considers it no longer directly identifiable to the individual. Voltage data protection capabilities can also further help compliance with this requirement by ensuring that sensitive data cannot be re-identified to the individual.
- Encrypt data at the source or leverage workloads in business data pipelines (cloud data warehouses, analytics, and AI platforms). In the event of a breach, this can protect your organization from sanctions and fines. (Section 12)
- Protect the identity and personal information via dynamic data masking while in use by the business. (Section 13)
- Apply information lifecycle policies to data to ensure proper business use and data deletion requirements are met automatically.
Data Portability – Section 4 (d)
If a data portability request is made and is valid, Voltage can produce a data subject's information in a structured, commonly used, and machine-readable format.
Voltage Data Privacy and Protection provides privacy-enhancing technology within a data trust framework for data discovery and protection that helps improve security postures and privacy compliance for regulations like Law 25. Voltage by OpenText enables organizations to reduce information risk, ensure privacy compliance, and secure quick access to critical data that drives the business. Voltage protects and preserves data and mitigates the risk of processing sensitive data while supporting other corporate initiatives that drive business growth, operational efficiency, and sustainability.
For more information on Voltage Fusion check out our YouTube channel.
For How Voltage is helping customers with other privacy regulations please visit the OpenText Cybersecurity Privacy Hub.