Quebec’s tough new privacy law
While it has received little media attention, it is likely to be felt across the country.
Back in 2018, shortly after the European Union’s General Data Protection Regulation (GDPR) came into force, Nicolas Vermeys — professor of law at the University of Montreal — was on sabbatical in Virginia, attending a conference and overhearing conversations.
“There were a couple of lawyers sitting in the row ahead of me,” said Vermeys, whose work focuses on the impact of information technology on the law. “And they were talking about the European law and saying it’s a game-changer, it’s unprecedented, things like that.
“And I wanted to ask them, what’s different, really? In fact, it’s the fines. The fines went way up and that’s what caused companies abroad to pay attention, because they couldn’t afford to do otherwise.”
The GDPR got the corporate world’s attention by ramping up penalties for privacy breaches. Meanwhile, Quebec’s new Law 25 — which emulates the GDPR — has had a much lower profile. Media coverage in Quebec has been modest; media interest outside of Quebec has been almost non-existent.
Which is a shame, because even though Law 25 is, as Vermeys puts it, a “cut-and-paste” of the GDPR in many aspects, it goes considerably further than the European law in some important ways. And like the GDPR, Law 25 is extraterritorial; a company falls under its ambit if its actions affect consumers in Quebec.
“It means that anyone affected by a privacy breach linked to a Quebec-based entity can be involved in a putative class action filed in Quebec, no matter where they live. And any business that does any business in Quebec is liable to Law 25,” said Catherine Samaha, a doctoral candidate in a joint research project between the University of Montreal and the Sorbonne in Paris. She studies digital platforms and class actions.
Law 25 embraces “privacy by default,” giving consumers an automatic right to confidentiality over personal information held by private companies. For example, any tracking or profiling tech on a company’s website must be deactivated unless the user has given express consent. That makes Law 25 much more aggressive than the GDPR, which requires data controllers to employ “appropriate technical and organizational measures” to protect personal information — so-called “privacy by design.”
Quebec’s law requires that companies conduct “privacy impact assessments” (PIAs) when acquiring or creating systems involving private data, when communicating any personal information outside of Quebec and before disclosing personal information without consent for research purposes. The GDPR only calls for PIAs where data processing poses a “high risk” to individuals’ rights.
Law 25 also tightens the screws by making consent the default authority for processing someone’s personal information, and says that the individual’s consent must be obtained for each specific use of the data. Consent is not the default under the GDPR and the European law gives member states more exemptions from the consent rule than Law 25 does — including compliance with legal obligations and “public interest.”
Those are just a few of the big differences between Law 25 and the GDPR that, arguably, make Law 25 the greater compliance hazard for the private sector. And Law 25’s penalties for non-compliance can be stiff: a fine of $15,000 to $25 million, or 4% of the company’s worldwide turnover for the previous year — whichever is greater.
The corporate world has had more than five years to adapt to the GDPR. Are companies ready for Law 25?
“Anecdotally, I can say that many of our clients with significant operations in Quebec are commencing compliance with the law,” said Adam Kardash, a partner in privacy and data management law at Osler.
“You can expect that a lot of companies are just beginning the effort now. An immense amount of work is going to have to get done in the final 60 days.”
“Some businesses are prepared, some aren’t,” said Vermeys. “I think a lot of smaller businesses have no idea what’s coming.”
Given Law 25’s relative obscurity outside of Quebec, it’s probable that few non-Quebecois companies are aware of what the law might require of them. Kardash said large companies dealing in personal information are already up to speed on their obligations under relevant provincial, federal and international law.
“You have to keep in mind that Quebec is a very small market,” he said. “Small businesses in general may be less aware of their responsibilities under Law 25. But any company that deals with large amounts of personal information is being asked by customers and suppliers constantly about how they’re responding to privacy concerns. So they’re much more likely to be prepared.”
But Law 25’s effects won’t be limited to fines, said Samaha. Law 25 does not compensate victims of privacy breaches. That’s where the class action option comes into play.
“Victims will seek compensation through class actions, and we will witness a significant increase in privacy class actions,” Samaha said.
On the one hand, Quebec’s class action procedure was built to be plaintiff-friendly. The bar for certification is lower in Quebec than in common law provinces.
On the other hand, the jurisprudence on privacy-related class actions doesn’t appear to tilt in the direction of plaintiffs in most cases. In 2021, the Superior Court of Quebec dismissed a privacy class action in Lamoureux v. Investment Industry Regulatory Organization of Canada (IIROC) — the first privacy class action in Canada to be decided on its merits — because the plaintiffs had failed to demonstrate that a breach of their personal information had harmed them in any way beyond inconvenience.
“In my opinion, Law 25 changes things,” said Samaha.
Law 25 compels companies to take proactive measures to protect individuals’ privacy. Quebec courts are going to be slapping hefty fines on companies that fail to take those proactive steps.
“So this has to change the perspective of the courts,” said Samaha. “It will not be reasonable or logical to penalize companies under the law for a failure to take proactive measures while dismissing class actions filed on the same grounds.”
Could Law 25, and the low bar for class actions in Quebec, lead to a spike in privacy class actions involving non-Quebecois companies? Nobody knows for sure — but there’s nothing like a class action lawsuit to make the private sector sit up and take notice.