Article November 22, 2022

What you need to know about Quebec’s Bill 25

The new Act to Modernize Legislative Provisions as Regards the Protection of Personal Information (“Bill 25”) applies to all advisors. This means that it applies to both independent and associated advisors, but the situation is more complex for advisors affiliated to a firm or dealer. Here’s why.

The new Act to Modernize Legislative Provisions as Regards the Protection of Personal Information (“Bill 25”) applies to all advisors. This means that it applies to both independent and associated advisors, but the situation is more complex for advisors affiliated to a firm or dealer. Here’s why.

Passed in September 2021, Bill 25 (which stems from Quebec’s Bill 64) increases privacy requirements and provides for substantial penalties for breach or non-compliance. CSF members must now contend with enhanced requirements along with their own professional obligations regarding the protection and disclosure of their clients’ personal information (PI), as described in sections 26 and 27 of the Code of Ethics and Division III of the Regulation respecting the rules of ethics in the securities sector.

Appointing a designated officer

To begin, it is important to note that as of September 2022, it is mandatory for every company to appoint a Designated Privacy Officer (DPO) and to report privacy incidents. By default, the CEO of an organisation will perform this role, but can delegate it in writing to any person, even externally. The organization will be required to publish the name and contact information of the officer on its website.

Organizations must also notify the Commission d’accès à l’information (CAI) and the individuals concerned of any privacy incident that poses a risk of serious harm, and keep a record of such events. An incident denotes an access, a use or disclosure of PI not authorized by law, a loss, or any other breach of such information.

“In every case, we will have to assess whether there is a risk of serious harm,” explains Geneviève Beauvais, lawyer in charge of professional development and quality of practice at the CSF. “We will have to analyze the sensitivity of the information, the consequences of the incident and the likelihood that the information will be used for harmful purposes.”

The situation for associated advisors

CSF professionals are affected by reforms to the Private Sector Act. They began to take effect in three stages, in September 2022, 2023, and 2024.

The law carries penalties ranging from 2% to 4% of revenue for companies and from $5,000 to $150,000 for individuals. Self-employed representatives are considered firms and are therefore subject to the law.

“The law applies to all persons carrying on an enterprise within the meaning of Article 1525 of the Civil Code of Québec and does not distinguish between a self-employed person and a larger enterprise,” states Cynthia Chassigneux, a partner at Langlois Avocats and former commissioner of the CAI.

Thus, a self-employed advisor automatically becomes responsible for the protection of the PI they collect. The only difference is in the penalty amounts, which are lower for independents.

What about advisors who enter into agreements with distribution networks and are affiliated advisors within the meaning of the Act respecting the Distribution of Financial Products and Services, but who also work with their own clients?

“A client ownership agreement has no effect on the firm’s obligations regarding the protection of its clients’ information: the firm remains responsible for ensuring the confidentiality of this information at all times,” says Sylvain Théberge, Director of Media Relations at the Autorité des marchés financiers (AMF).

Chassigneux agrees. She doesn’t have to look far to find an example that illustrates this situation. “I myself am considered self-employed, but I am associated with Langlois Avocats,” she explains. “So, the firm takes the necessary security measures to protect clients’ PI, and I must follow those rules.”

In this sense, associated advisors may have some advantage over independent representatives, as they have the support of the firm to which they are attached to put in place privacy measures and protocols to comply with them.

For their part, independent advisors must ensure that they establish their own policies and practices to protect PI and bear full responsibility if problems arise.

In addition, under the Act respecting the protection of personal information in the private sector (Private Sector Act), all members of the CSF are required to maintain the confidentiality of the PI they collect as independent representatives or on behalf of their firm, broker or independent partnership. “The new legislation completes and clarifies these obligations and, above all, raises the bar,” summarizes Beauvais.

Crunch time in 2023

A more imposing set of new requirements will come into effect in September 2023. Organizations will be required to establish and implement policies and practices governing their use of PI. They will also be required to publish - in accordance with clear language principles - detailed explanations of these policies and practices on their website.

In addition, organizations will be required to inform their clients of the means and methods used to collect their data and the purposes for which it will be used. The information must be destroyed or anonymized once these purposes are met.

Technology tools used to collect PI must be configured to the highest level of privacy by default. Clients will have to intentionally take actions to share their personal information; not protect it. Clients must also be informed about the use of features that allow them to be profiled, located, or identified and how to explicitly opt for them. These features cannot be agreed upon by default.

“CSF professionals are particularly affected by these changes, since they are on the front line with clients,” cautions Beauvais. It will be their responsibility to explain the reasons for collecting information and the policies that will govern the use and protection of this data.

They will also need to obtain free and informed consent for each purpose. The client cannot give blanket consent to use their information for multiple purposes. In the case of sensitive data, such as medical or biometric data, consent must be provided in writing. It should be noted that customers retain the right to withdraw their consent, access their PI and have it corrected at any time.

In September 2024, a final requirement will be added: the right to portability. An individual will be able to request to receive their PI in a commonly used technological format. “However, this excludes data that the organization creates from its own analysis of the individual’s PI,” remarks Beauvais.

The CAI may impose administrative penalties directly for violations of the law’s requirements. The amount of the fines is $10 million or 2% of the targeted entity’s worldwide revenue.

Certain violations will also be subject to criminal penalties of up to $25 million or 4% of worldwide sales. Finally, clients themselves are given the right to sue organizations for damages.

Yvan Morin, Vice President of Legal Affairs at MICA Cabinets de services financiers, believes that it is appropriate for the government to strengthen the protection of PI. “Technological tools make it possible to collect and retain a lot of information, which is often sensitive,” he says.

Finally, we note that for those who would like to use client lists, the communication and use of nominative lists by a private company for commercial or philanthropic prospecting purposes are now subject to the consent of the person concerned.

As of September 1st 2023, companies will be required to:

— Establish and implement policies and practices to guide their governance of PR.

— Publish clear and detailed explanations of these policies and practices on their website.

— Inform their clients of the means and methods used to collect their data and the purposes for which it will be used.

— Obtain free and informed consent for each objective.

— Destroy or anonymize the data once these objectives have been met.

— Default their PI collection technology to the highest level of confidentiality.