A law with broad application
Assented to in September 2021, Bill 25 (which began as draft Bill 64) increases the obligations around the protection of personal information and prescribes stiff penalties for infractions. Effective September 2022, companies are required to appoint a personal information privacy officer and report confidentiality incidents.
Starting in 2023, companies will have to:
— develop and implement policies and practices as part of a personal information governance framework;
— post clear and detailed explanations of their policies and practices on their website;
— inform clients regarding the means by which information will be collected and the purposes for which it will be used;
— obtain free and informed consent for each such purpose;
— destroy or anonymize information once the purpose for its collection has been achieved;
— ensure that technology used for collecting personal information has privacy settings defaulted to the highest level of confidentiality.
“The legislation applies to all persons operating an enterprise within the meaning of article 1525 of the Civil Code of Quebec and makes no distinction between self-employed workers and larger businesses.” — Me Cynthia Chassigneux
Advisors attached to a firm
The legislation provides for penalties that range from 2% to 4% of sales for businesses, and from $5,000 to $150,000 for natural persons. Independent representatives are considered to be firms and are therefore subject to this legislation.
“The legislation applies to all persons operating an enterprise within the meaning of article 1525 of the Civil Code of Quebec and makes no distinction between self-employed workers and larger businesses,” says Me Cynthia Chassigneux, partner at Langlois Lawyers and former commissioner with the Commission d’accès à l’information. This means that independent advisors are automatically responsible for the protection of all personal information they collect. The only difference is in the amounts of the applicable penalties, which are lower for independent representatives.
But what about advisors who have agreements with distribution networks and are considered attached within the meaning of the Act respecting the distribution of financial products and services, but who work with their own clientele?
“An agreement concerning ownership of the clientele has no impact on the obligations that apply to the firm when it comes to protecting its clients’ information: the firm is responsible at all times for ensuring the confidentiality of that information,” says Sylvain Théberge, Director of Media Relations at the Autorité des marchés financiers.
Me Chassigneux agrees. And she doesn’t have to look far to find an example that illustrates the situation. “In my own case, I am considered self-employed, but I’m attached to Langlois Lawyers,” she explains. “So the firm takes the necessary security measures to protect clients’ personal information, and I personally am required to comply with those rules.”
In that sense, advisors attached to a firm might have an advantage over independent representatives, as they have support from the firm with which they are associated. Independent advisors have to make sure that they establish their own policies and practices for the protection of personal information, and they bear full responsibility if there is a problem.
“An agreement concerning ownership of the clientele has no impact on the obligations that apply to the firm when it comes to protecting its clients’ information.” — Sylvain Théberge
For more information
Checklist for organizations and companies: What to do in case of loss or theft of personal information