Date: 2023-05-25
Quebec is no stranger to privacy laws. It was the first province to establish privacy legislation in the early 1990s, but those laws didn’t have too much actual power.1 Law 25 changes that.
Law 25 (formerly Bill 64) adapts the existing laws protecting the personal information of Québecors to the digital and technological realities of today and adds requirements for anyone doing business within Quebec—not just organizations based in Quebec.
Designed to protect Québecors and their personal information, Law 25 holds organizations accountable for the data they collect and store and requires them to clearly explain why they are asking for your information and how they plan on using it.
Some provisions came into effect on September 22, 2022, and the rest will come into effect in September 2023 and September 2024.3
In classic law fashion, there’s some pretty ambiguous language being used, and that means there is no clear list of organizations that need to follow Law 25. It only states that any private enterprise that collects, processes or communicates personal information is subject to the new rules and regulations.4 And that includes nonprofit and charity organizations.
Under Quebec law, an enterprise is an “organized economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property, or providing a service.”5
Phew. So, for example, unions and private clinics, such as a psychiatrist, are considered enterprises. Spiritual organizations and religions are not considered enterprises because their main purposes are spiritual, not economic. But it’s all pretty murky.
When in doubt, it’s best to follow the regulations in Law 25 (they’re designed to be in the best interest of your donors after all), or seek out a professional opinion.
So, if your nonprofit organization does collect and store personal information, what do you need to do?
Let’s break down what needs to be done and when.
Your nonprofit organization needs a Privacy Officer to implement and ensure your nonprofit follows Law 25.6
A few things to keep in mind:
You now need to start keeping a record of confidentiality incidents (such as a data breach) in case the Commission d’accès à l’information requests it.6
What that means for your nonprofit:
New rules allow you to disclose personal information without consent when it’s part of a commercial transaction. (For example, when accepting a donation through third-party fundraising software such as Zeffy, you can share the information needed to complete the transaction.) However, it is your responsibility to make sure all parties are following Law 25.6
See Vers la conformité à la Loi sur le privé for more information or New Privacy Obligations for Businesses.
The Commission d’accès à l’information du Québec can impose penalties for non-compliance of up to $25 million or 4% of a company’s worldwide sales, whichever is greater.8
When in doubt, if you store your donors’ personal information, we suggest following the rules and regulations laid out in Law 25. If you don’t store any of your donors’ personal information, but work with third-party services (such as Zeffy) to help you manage your fundraising activities, we suggest checking with them to make sure they are following all the rules and regulations of Law 25. (Zeffy follows them to a tee!)
McMillan has released a two-part series explaining Law 25, and both episodes are worth a listen:
Part 1 | Privacy 101 – Obligations Under Québec’s New Act 25: Why your business needs a privacy officer now
Part 2 | Privacy 101 – Obligations Under Québec’s New Act 25: Why you must now record and report privacy violations
And, Didomi is an excellent resource (in English and French).
Oh, and follow the Commission d’accès à l’information du Québec on Twitter to stay up to date on it all.
Law 25: Act respecting the protection of personal information in the private sector.
The “Coles Notes” from the Commission d’accès à l’information du Québec: New Privacy Obligations for Businesses.
And en français: Vers la conformité à la Loi sur le privé.
