
Compliance · Credibility 90/100 · 2 min read

Compliance Briefing — September 22, 2023

Quebec’s Law 25 privacy reforms entered their second phase, introducing private-sector requirements for privacy impact assessments, data breach reporting, and explicit consent for sensitive data.

Executive briefing: Key provisions of Quebec’s Act to modernize legislative provisions as regards the protection of personal information (Law 25) took effect on 22 September 2023. Organisations must now perform privacy impact assessments for high-risk processing, report confidentiality incidents to the Commission d’accès à l’information (CAI), and obtain express consent for sensitive data.

Key compliance checkpoints

  • Privacy impact assessments. Conduct assessments for any project involving personal information, including transfers outside Quebec and development of information systems.
  • Incident response. Maintain registers of confidentiality incidents and notify the CAI and affected individuals when a risk of serious injury exists.
  • Consent and transparency. Obtain express consent for sensitive data, provide clear notice of automated decision systems, and publish governance policies.

Operational priorities

  • Governance. Designate a privacy officer (default: highest-ranking officer) and document delegation, responsibilities, and training.
  • Cross-border transfers. Assess foreign legal regimes and implement safeguards before communicating personal information outside Quebec.
  • Rights management. Prepare for new rights including cessation of dissemination (de-indexing) and data portability (effective 2024).

Enablement moves

  • Integrate Law 25 requirements with GDPR and Canadian PIPEDA controls to streamline privacy governance.
  • Automate incident logging and reporting workflows to meet CAI expectations for timeliness and documentation.
  • Provide bilingual (French/English) communications for consent, notices, and incident notifications.

Sources

Zeph Tech supports Quebec compliance with privacy governance frameworks, impact assessment toolkits, and bilingual incident response playbooks.
