Québec Law 25 and Third-Party Risk Management

Mitratech Staff

Québec Bill 64 is a law passed in 2021 to modernize the Canadian province’s Private Sector Act and improve personal data protection standards. Bill 64 is similar in scope to the European Union’s General Data Protection Regulation (GDPR). One key provision of the bill is Law 25, which empowers Québec’s data protection authority – the Commission d’accès à l’information du Québec – to enforce requirements such as conducting privacy impact assessments before transferring personal data outside the province. Canadian authorities implemented the data protection requirements of Law 25 in stages in September of 2022 and 2023, with additional enforcement set to begin in September 2024.

This post examines the key requirements in Law 25 that are related to third-party data protection and recommends best practices to address these requirements.

Québec Law 25 Summary

Originally passed in 2021, Québec Law 25 includes requirements that govern the collection, use, and communication of personal information. The law:

  • Applies to any entity established in Québec and/or doing business in Québec that is collecting, using, or disclosing personal information of individuals located in the province
  • Requires conducting mandatory privacy impact assessments (PIAs) for the transfer of personal information outside of Québec
  • Includes mandatory provisions within all outsourcing contracts (e.g., third parties)
  • Enforces penalties ranging from CAD10 million or 2% of global turnover up to CAD25 million or 4% of global turnover for violations

Organizations doing business in Québec should evaluate their third-party data protection practices, much in the same way as is required of companies operating in Singapore or the European Union.

Québec Law 25 Third-Party Risk Management Requirements

The table below summarizes select provisions in Law 25 that pertain to third-party data protection.

Note: The information presented in this table is a summary of Law 25 requirements and must not be considered comprehensive legal guidance. Please consult the full text of the law and your organization’s legal counsel to determine the best course of action for your company.

How Prevalent Helps Address Québec Law 25 TPRM Requirements

Organizations that must comply with Law 25 should ensure that third parties handling personal information of Québec citizens have controls in place to protect that data. Prevalent provides a scalable third-party risk management platform that addresses data protection risks. The Prevalent Platform:

  • Sets a strong foundation for third-party data protection within a comprehensive TPRM program
  • Enables teams to build and enforce data protection provisions in contracts, and continually measures adherence to those provisions throughout the vendor lifecycle
  • Delivers visibility into where data is, how it flows, and who has access to it
  • Assesses and continuously monitors third-party data privacy risks in line with common industry standards
  • Speeds risk identification and remediation, mitigating breach costs and reputational damage
  • Generates targeted reports for regulators, vendors and internal stakeholders
  • Continuously monitors for breaches and accelerates incident response to mitigate the risk of a damaging and expensive data security incident

With Prevalent, your security and privacy teams have a single, collaborative platform for conducting privacy assessments and mitigating both third-party and internal data privacy risks.

Download the Third-Party Data Privacy Compliance Handbook to learn more about how Prevalent can help address your data privacy compliance challenges. Or schedule a demo to discuss how we can address your specific needs.


Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management company Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.