What Does Quebec’s Law 25 Mean for Your Business?

Many of the key provisions of Bill 64, now known as Law 25, are finally taking effect after passage by the Quebec legislature in 2021. The law modernizes regulations governing the protection of personal information in the province, creating new mandates from data breach notifications to privacy impact assessments. Because of the scope of the regulations, provisions were designed to take effect over the course of three years, giving businesses time to prepare for new data security and privacy obligations.

And yet, many organizations may still be grappling with their strategy to comply. Here’s what you need to know about the legislation and how DocuSign’s privacy and data protection compliance practices can help you meet its mandates.

This information is provided for general information purposes only. It does not constitute and is not a substitute for legal advice. 

Which provisions took effect in 2022 and 2023? 

A few preliminary requirements of Quebec’s Law 25 took effect in September 2022, and more followed in September 2023, with the final phase scheduled for September 2024. One key requirement of the 2022 provisions is that companies appoint a data protection officer (DPO) to oversee compliance with the law. Businesses also have to notify Quebec’s Commission on Access to Information (CAI) when they create biometric databases, and must notify both the CAI and affected individuals about data breaches.

Beyond those, the September 2023 provisions also require companies to:

  • Conduct privacy impact assessments (PIAs) before implementing or developing technology that processes the personal information of Quebec residents. If a company plans to send personal data outside the province, it must also conduct a PIA to ensure the information will be subject to adequate protection by the recipient.
  • Publish a privacy policy that notifies people about the collection of personal information in clear and straightforward language.
  • Update privacy notices to inform people when their personal information is collected for automatic decision-making systems or used by technology that identifies, profiles or locates them.
  • Review consent practices to ensure compliance with new requirements for validity and transparency. For instance, companies must inform individuals of their right to withdraw consent, how long their data will be stored and the types of employees who have access to their data.
  • Create third-party contracts outlining required measures for protecting, using and eliminating any shared personal information.

The final key provision, the right to data portability, will take effect in September 2024.

Quebec’s Law 25 vs. GDPR

Backed by EU Binding Corporate Rules—considered one of the most rigorous transfer safeguards—DocuSign’s privacy and data protection framework is designed to meet the most stringent privacy and data protection requirements globally where we operate and where our customers do business. There are a number of similarities between Quebec’s Law 25 and the European Union’s General Data Protection Regulation (GDPR). Crucially, both laws apply extraterritorially to businesses processing information of their respective jurisdictions’ residents, not just businesses located in the respective jurisdictions. This means that a business based in the U.S. that serves and handles the personal information of customers in Quebec must comply with Law 25. Law 25 also confers similar data subject rights to Quebec residents as GDPR does to those in the EU (e.g., the right to access collected personal information and the right to erasure). DocuSign is committed to upholding data subject rights and has a privacy team dedicated to ensuring that data subject rights are handled promptly in accordance with applicable laws.

Businesses can potentially face significant financial penalties under both laws. Fines under GDPR can extend up to 4% of global revenue or 20 million euros, whichever is greater, and fines under Quebec’s Law 25 can reach a similar 4% of global turnover or 25 million Canadian dollars. Although fines of this magnitude have been levied thus far, fines, and more importantly, reputational harm from insufficient privacy and data protection practices, can have significant negative impacts on businesses. Both laws also permit a private right of action, allowing data subjects to sue businesses for damages and harm the businesses caused, although procedural differences exist.

How DocuSign can help 

Agreements and your agreement process are extremely important to consider when complying with Law 25. DocuSign takes security seriously and already meets globally recognized security standards like ISO 27001, SOC 1 and SOC 2 and the PCI Data Security Standard. The DocuSign data center in Quebec City is an added data residency safeguard, enabling customers to protect Canadian data within the country and easily comply with Canadian data residency regulations. More information can be found at the DocuSign Trust Center.

DocuSign can also facilitate your organization’s compliance with Law 25 with secure agreement workflows, including the ability to:

  • Track documents and processes: With DocuSign eSignature, you can see where your documents are in the completion process and who still has to sign. You can also create templates to include required terms and language in all relevant agreements, including contracts with third parties that handle private customer data.
  • Gather consent: With Web Forms, you can quickly capture consent at the point of data collection. Alternatively, if you need to send a high volume of documents all at once—for example, for annual notifications—you can securely gather consent via email with the eSignature bulk send feature.
  • Certify completion: Each document signed via eSignature comes with a certificate of completion and a court-admissible tamper-evident audit trail.
  • Control access: DocuSign Admin Tools enable you to provide document access on an as-needed basis. You can also implement an added layer of security with multi-factor authentication—including single sign-on (SSO), SMS authentication and knowledge-based identity verification methods.
  • Monitor activity: DocuSign Monitor lets you track web, mobile and API account activity in near-real-time. In turn, your security team can detect threats and quickly respond to keep your data secure.

As jurisdictions across the world look to update and enact new data privacy laws, companies will need comprehensive and scalable organization-wide strategies to comply. Modern, digitized, secure agreement processes are key to maintaining compliance and building trust with your customers and partners.

Want to learn more about how DocuSign can help you comply with Law 25 and other legislation? Reach out to your DocuSign representative or contact sales to get started.
