
Quebec Law 25 / Bill 64

Effective September 2023, Law 25 is a Canadian provincial law that imposes measures on public and private organizations that collect, use, and share personal information in Quebec. The Act was introduced to modernize legislative provisions regarding the protection of personal information.

Who does Law 25 apply to?

Any public or private business or organization in Quebec that collects, holds, uses, or communicates personal information of customers and/or employees must comply with Law 25. This law also applies to professional bodies, political parties, religious congregations, independent Members of the National Assembly (MNAs), and independent candidates.

Obligations under Quebec Law 25:

Privacy impact assessments (PIAs) prior to data transfers

Businesses must conduct PIAs for projects involving the acquisition, development, or overhaul of an information system or electronic service delivery, and when communicating personal information outside Quebec. These assessments must be proportionate to the sensitivity, purpose, quantity, distribution, and medium of the information. The PIA should assess:

  • Sensitivity of the information;
  • Purposes for using the information;
  • Protection measures applied to the information; and
  • Recipients’ legal framework and level of personal information protection, ensuring it meets equivalent standards to those in Quebec.

Transparency and accountability

Public and private organizations must establish and publish a confidentiality policy on their website if they collect personal information via technological means. This policy must inform data subjects about:

  • The purpose and means of collection;
  • Data subject rights;
  • Whether personal information will be transferred outside of Quebec or to third parties;
  • How individuals can access and rectify their personal information.

Organizations must also designate a privacy officer responsible for supervising compliance with Law 25, with their title and contact information made publicly accessible.

Consent and privacy settings

Businesses must obtain clear, expressed, and granular consent for each purpose of processing personal information, particularly if it involves sensitive data. For minors under the age of 14, valid parental consent is required. Furthermore, organizations must configure privacy settings of publicly available technology products and services to provide the highest level of privacy by default, without requiring intervention by data subjects.

Additionally, individuals have the right to request that the distribution of their personal information cease or that any hyperlinks associated with their name be de-indexed if this causes harm or violates the law. Organizations must comply with these requests to support the right to de-indexation, also known as the right to erasure or the right to be forgotten.

Anonymization and security of personal information

Organizations are required to destroy or anonymize personal information once it has fulfilled its purpose. Anonymized information must be irreversibly altered so that individuals cannot be identified, directly or indirectly, and this process should adhere to generally accepted best practices and government regulations. Additionally, organizations must implement adequate security measures to protect personal information and report data breaches to the Commission d’accès à l’information (CAI) and affected individuals when there is a risk of serious harm.

Flash guidance

Quebec Law 25

Quebec’s Law 25 (formerly Bill 64) is now in effect. Our flash guidance simplifies everything you need to know about protecting personal information, meeting consent rules, and complying with French language mandates for cookie banners.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.
