This podcast series, intended for private sector companies doing business in Québec, dives into the requirements of Act 25 coming into force on September 22, 2022. Candice Hévin and Marie-Eve Jean, from our Privacy & Data Protection Group, lead the discussions on the changes to the private sector regime, namely the amendments to the Act respecting the protection of personal information.
In this episode, discover why your business needs to develop, implement and maintain a register of confidentiality incidents and what your reporting obligations responsibilities are surrounding breach reporting.
Please note that the following provides only an overview and doesn’t constitute legal advice. Listeners are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
Transcript
Marie-Eve Jean: Hello, and welcome to the second episode of Privacy 101 – Obligations under Act 25, a series of podcasts designed to assist you in preparing to comply with Québec’s new privacy legislation regarding the protection of personal information.
Candice Hévin: I am Candice Hévin.
Marie-Eve Jean: And I am Marie-Eve Jean.
Candice Hévin: We’re both lawyers at McMillan LLP and we work together as a team to help businesses operating in Québec achieve compliance with Québec’s privacy legislation.
Marie-Eve Jean: To give you some context, Québec adopted a new law on September 22, 2021. Bill 64 aims to modernize the privacy framework for both private and public sector regimes. This series focuses on the changes to the private sector regime, namely the amendments to the Act respecting the protection of personal information in the private sector, we will refer to it as Act 25. Act 25 introduces new obligations for organizations doing business in Québec.
Candice Hévin: As we explained in the previous episode, this means any organization collecting, using or disclosing personal information of individuals located within Québec. The Act likely applies to the organization’s handling of personal information, even if the organization does not have an office, facilities or installations in Québec.
In terms of timing, requirements will come into effect in three phases throughout the next three years. Although the majority of the new requirements will take effect as of September 22, 2023, some key requirements will take effect this month on September 22, 2022. A few requirements will also take effect as of September 22, 2024.
Marie-Eve Jean: In our first episode last week, we talked about enforcement mechanisms and your obligation to appoint a Privacy Officer before September 22nd. In this episode, we’ll dive into your obligations surrounding breach reporting, which is another requirement that will take effect as of September 22nd a couple days away now.
Candice Hévin: Under Act 25, as soon as you have a reason to believe that a confidentiality incident involving personal information in your custody has occurred, you immediately have to take reasonable measures to reduce any risk of harm and to prevent similar incidents from occurring. A Confidentiality incident is defined as access to, use, or communication of personal information not authorized by law, as well as the loss or any infringement of the protection of such information.
Marie-Eve Jean: So this definition is actually…
Part 3 | Privacy 101 – Obligations Under Québec’s New Act 25: How to ensure your business’ biometric data complies with the law
This podcast series, intended for private sector companies doing business in Québec, dives…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
