9 Actions to be taken to comply with Bill 25 (personal information)
As part of your real estate brokerage activities, here are the essential steps you must take to comply with the privacy obligations introduced by Bill 25.¹
September 22, 2022
- Appointing a person in charge of the protection of personal information and posting his or her contact information on the agency’s website or the website of the broker acting on his own account.
- Managing confidentiality incidents and maintaining a confidentiality incident log
- Implementing security measures to prevent or limit the consequences of a confidentiality incident, for example:
  - Making an inventory of personal information held and assessing its sensitivity;
  - Managing physical and computer access to personal information held;
  - Training staff members;
  - Establishing internal policies and guidelines to ensure the confidentiality and integrity of personal information;
  - Securely destroying personal information in accordance with the periods prescribed by law;
  - Establishing standardized classification methods.
- Establishing a response plan and internal guidelines in the event of a confidentiality incident.
September 22, 2023
- Establishing privacy policies and practices and publishing detailed information about these policies on the website
- Making an inventory of personal information held and assessing its sensitivity.
- Defining the roles of staff members involved in the handling of personal information.
- Establishing consent forms for collecting personal information in accordance with the law
- Obtaining valid consent for all the specific purposes for which personal information is collected.
- Presenting the consent request separately from the other information provided (for example, on a separate page).
- Providing the mandatory information required by law on the consent form.
- Providing "cookie" banners on the website, where appropriate.
- Publishing a confidentiality policy on the website.
- Establishing an internal procedure for handling complaints about personal information management
September 22, 2024
- Ensuring that your computer systems allow personal information to be disclosed to the person concerned in a structured and commonly used technological format.
¹ Act to modernize legislative provisions as regards the protection of personal information (LQ 2021, c. 25)
9.1 Recap of legislative changes related to privacy protection
Here are the main changes introduced by Bill 25 that may have an impact on real estate brokerage practice.
September 22, 2022
- Appointment of a person responsible for protecting personal information within the agency
- Obligation to manage and report confidentiality incidents
- Obligation to conduct an assessment of privacy-related factors before disclosing personal information without the consent of the individuals concerned for study, research or statistical production purposes.
September 22, 2023
- Obligation to adopt privacy governance rules, including a confidentiality policy.
- New mandatory information to be disclosed when collecting personal information, including profiling (“cookies”).
- Obligation to determine in advance the specific purposes for which the collection of personal information is made.
- Obligation to present the consent request separately from all other disclosed information and to provide the person concerned with the information required by law.
- Obligation to help the person concerned understand the scope of the consent.
- Public nature of personal information relating to the performance of a function within an agency by its brokers and employees, such as their name, title and position, as well as mailing and email addresses and work phone number.
- Obligation to conduct an assessment of privacy-related factors:
  - Of any information system acquisition, development and redesign project or electronic service delivery project involving the collection, use, release, keeping or destruction of personal information;
  - Before disclosing personal information outside Québec without the consent of the persons concerned (for example, hosting personal information on servers located outside Québec).
- Obligation to destroy personal information once the purposes for which it was collected have been achieved, subject to the time periods prescribed by law.¹
- Prohibition on disclosing nominative lists without client consent and addition of a right to refuse the use of personal information for commercial prospection purposes.
- Significant increase in penal fines imposed by the Commission d'accès à l'information (CAI) and addition of monetary administrative penalties.
NOTE: An assessment of privacy-related factors essentially consists in i) assessing the project's compliance with privacy legislation; ii) identifying the project's risks to the privacy of the individuals concerned; iii) implementing measures to avoid or reduce these risks.
¹ S. 17 of the Regulation respecting records, books and registers, trust accounting and inspection of brokers and agencies (c. C-73.2, r. 4): “17. The licensee must keep the registers and records for at least 6 years following their final closing. These registers and records may then be destroyed unless they constitute evidence in a civil, disciplinary, penal or criminal action.”
September 22, 2024
- The individual's right to data portability, which is the right to obtain his or her personal information on a structured and commonly used technological medium.¹
This right gives individuals the best possible control over their personal information.
Personal information in paper format is not covered by this right. Information created from information provided by the individual (for example, a profile created from an analysis of a person's web activities) is also excluded. Individuals may also ask the company to disclose their computerized information to a third party of their choice. The Québec Government considers that a format is “structured and commonly used” when commonly used software can easily recognize and extract the information it contains (for example, open formats such as CSV, XML or JSON). A format that is difficult to process, such as an image or a PDF, is not considered to be “structured and commonly used.”²
For the full list of changes, see the Act to modernize legislative provisions as regards the protection of personal information.
¹ Section 3.3 of the Private Sector Act
² www.quebec.ca, Accès aux renseignements personnels
Reference number: 253300
Last update: September 16, 2024