Job candidates and privacy: New guide helps Quebec employers navigate laws

'You have a clear set of rules of dos and don'ts that allow companies to comply more easily with new, strict privacy requirements': Legal experts explain new hiring rules

Since September 2024, Quebec’s Law 25 has been fully in effect—bringing sweeping changes to how organizations collect, process and store personal information.

One of the most pressing implications for HR and recruiters? Privacy rights don’t just apply to employees — they start with the first interaction with a job candidate.

To help clarify these obligations, Quebec’s privacy regulator recently issued a new hiring guide, detailing the privacy rules at each step of the recruitment process.

“The message that I've been hearing from my clients is that everybody was feeling like they were a bit left out for dry and then it was like, 'Here's all these obligations, and if you don't respect them, you're going to get a multi-million-dollar penalty. Good luck,’” says Eugen Miscoi, associate at McCarthy Tétrault in Montreal.

“Now… you have a clear set of rules of dos and don'ts, and that hopefully will allow companies to comply more easily with those new strict privacy requirements."

New guide from CAI provides guidance

For many organizations, the guide from the Commission d’accès à l’information (CAI) comes as a much-needed explanation of how to operationalize the law during hiring since the privacy legislation took effect.

The guide should be seen not as a burden, but as a tool, says François Tremblay, associate at DLA Piper in Montreal.

“We have a new law that's on paper. When you read it, it's very complex, it's very stringent, and it's also a little bit scary, because we have these fines and consequences,” he says.

“So, whenever we have the regulator coming on the record and telling us, ‘Hey, this is what we're looking for. This is what interests us, this is what this is what we think is important,’ that's very, very helpful.”

The applicant category of individuals is often forgotten by employers, says Carly Meredith, a partner at DLA Piper in Montreal.

"I see a lot of employers who will have employee privacy policies, but they forget about the level of applicant information that they're collecting at the hiring stage. And so I think this was a really kind of stark reminder of these obligations apply as well in that context."

‘Necessity’ for every stage of recruitment

At each stage of the recruitment process, the employer must collect only the information necessary to evaluate the applications and select the right person. And the goal pursued must be “legitimate, important, and genuine,” with the invasion of privacy proportional to the objective, according to the CAI (translated):

“Under this necessity test, even if a candidate agrees to provide information that is not necessary, the employer is not entitled to collect it. Before any information is collected in a hiring process, the first question to ask yourself is: ‘Is it necessary, at this stage, to gather such information to evaluate a candidate for this position?’”

If HR collects data such as social insurance numbers or background check information early on in the process, without necessarily being certain that they want to hire an individual, they’re just going to end up with a lot of sensitive data, says Miscoi.

“The collection of information has to be tied to the objectives that's kind of related. You can’t just collect information for fun. It needs to be supporting the legitimate and objective business need that you have, and then you have to minimize the privacy impact that's caused by this collection activity.”

The message here is that employers should start narrow and then broaden as necessary, says Tremblay, “whereas what we're seeing right now is a little bit the opposite: ‘I'll ask for everything during the interview, during the hiring process, and then I'll use only what I need.’”

The commissioner is saying that you can't look at your hiring process as a whole, says Meredith.

“You need to look at every single stage of your hiring process and find out: ‘OK, what is it exactly that I need to know right now?’"

AI and privacy in recruitment

Quebec’s regulator is also increasingly vocal about the risks of AI in hiring — especially when it comes to automated decisions made without human review.

“The employer must pay particular attention to the criterion of necessity, transparency and discriminatory biases of algorithms. It must also ensure that its organisation has reached the technological maturity required to use AI: the staff using it should be properly trained and familiar with the limitations of the tools chosen,” says the CAI (translated).

“You have to be really careful about using tools that might be using the information that it's collecting for their own purposes," warns Meredith, citing the risks of violating privacy laws.

“Really, each tool needs to be evaluated on its own for its own merits and what criteria it has, and then what you're going to be using it for and how.”

A lot of employers, for example, are asking about using AI technology to detect whether a job candidate in a video interview is a real person or not, she says.

“So, you can imagine that that collects a significant amount of information. And so I think this is just calling everybody back a little bit and saying, ‘Hey, there's a lot of things you need to be considering before you just go ahead and collect all this information that you think might be useful to your hiring process.’”

It’s about making sure that the tool works the way it’s intended to, and that there's no built-in bias that's being perpetuated or integrated into the tool to then spit out biased results, says Miscoi.

As a result, using AI for basic pre-screening processes makes sense, as long as it’s vetted by humans who are “in the loop,” he says.

It’s a tricky area because it can also involve biometrics tools as well, says Tremblay, “and, generally, the regulator is not a fan, I would say.”

“Yes, there's efficiency to be gained, and a practice will emerge eventually where the regulator is going to probably try to reconcile itself with what the law says and what the practice is. But it can't just be ‘I'm massively using AI to automate a bunch of decisions in the process, just because it's convenient.’”

Medical and psychological testing for candidates

Medical and psychological assessments are also under heavy scrutiny in Quebec. The CAI says collecting medical information must not be “systematic, intrusive or too broad” (translated). Employers must show that such testing is job-relevant and justified — and consent alone isn’t enough.

It’s about the necessity principle again, says Tremblay.

"You can't just get away with, 'Oh yeah, but I asked for the medical file, and they gave it to me willingly,'" he says. "It's on you to justify that it's a reasonable and legitimate purpose in the circumstances, and only then you ask for consent."

Meredith points out that medical testing may be legitimate for roles with physical requirements. But psychometric testing? That’s where many employers stumble because of blind spots with the technology.

"You don't necessarily know how the algorithm is coming up with certain results. And so it could be that it's inherently biased, and that you're eliminating people from your candidate pool on criteria that you're not even sure what those may be," she says.

The regulator has warned that these tests may be based on opaque or discriminatory logic — especially if developed by third parties.

Miscoi recommends clear opt-in consent and transparency: "Usually there's a form that explains what kind of information is being collected... how that information will be used, how long will it be stored, who gets access."

Reference checks for Quebec’s job candidates

Reference checks are also in the spotlight with the new guide, as the CAI clarifies that before requesting references or consulting external files, the employer should submit a conditional job offer to the applicant.

In addition, the employer must specify the reason why the checks are necessary according to the position offered — and obtain consent.

"That one really stood out to me," says Meredith. “I would have thought that somebody putting references on their CV was enough to have implied consent.”

Even if consent is given, employers should be careful to limit questions about the candidate, she says, “making sure that those questions are really tailored to what you need to know about them for evaluating their candidacy for the position.”

If the questions are not relevant to evaluating that specific person's ability to do the job, then the employer shouldn't be looking at information and references, says Tremblay.

And a conditional offer is important, he says: "You need to be careful on how you structure your process so as to not paint yourself into a corner... So, if you’ve made things very clear that ‘It’s conditional… and only if everything checks out, you're getting an offer.’"

Risks of third-party recruiters

A recurring mistake highlighted in the CAI guide? Thinking that outsourcing the recruitment process also outsources the legal risk. Not true.

"What your service provider is doing on your behalf, you are essentially doing it yourself. So, if your third-party recruiter has practices that are non-compliant, this could come back to bite you,” says Tremblay.

Some employers tend to think they’re not the ones collecting the information, so this doesn't concern them, says Meredith.

“That’s really not the case. The employer remains responsible for the information that the third-party recruiter is collecting on their behalf," she says, and that includes ensuring the data is necessary, secured and properly disposed of when no longer needed.

That’s why it’s important to have an agreement between the two parties, says Meredith.

“It’s just really important for the employer to be able to point back to a contract to say, ‘Hey, we had contractual provisions in place requiring them to follow all these steps, which is required under the law.’”

Privacy impact assessments mandated in Quebec

Under Law 25, privacy impact assessments (PIAs) are no longer optional. Any new tool or process involving personal data must be assessed for privacy risks before implementation.

It's been a requirement for the public sector in some provinces and at the federal level, but now it’s being introduced to the private sector through the Quebec law, says Miscoi.

“The principle there is — in any new initiative that involves collection or use of personal information... before you turn on the switch and start using this new recruitment tool or this new background check service provider or this new AI pre-screening tool — that you're really asking yourself the questions about ‘How compliant is this with privacy laws?’”

The PIA becomes an important tool to proactively identify those risks and compliance pain points, he says.
