Law 25 Compliance: Quebec’s New Standard For Privacy

Law 25 applies to any governmental or commercial institution that handles Quebec citizens’ data in Quebec, Canada, or abroad. This includes:

• Canadian Firms Serving Quebec
• E-commerce sites for Quebecers
• Quebec-based SaaS companies processing user data
• International firms courting Quebecers

No matter where you are located, you must comply if your company gathers, maintains, or processes Quebec data.

Consent must be:

• Free
• Informed
• Precise
• Explicit

Users should know:

• What data is collected
• Why it’s gathered
• How it’s used
• Who it’s shared with

Yes. Every company must appoint a Privacy Officer (the “Person in charge of personal information”). Usually, this is the CEO or highest-ranking executive, though it may be delegated in writing. Responsibilities include:

• Overseeing privacy compliance
• Managing access and correction requests
• Handling breach notifications
• Coordinating audits and staff training

The company’s privacy policy must include the Privacy Officer’s contact information.

A Privacy Impact Assessment (PIA) evaluates how a new project or technology may affect privacy. Required before launch for:

• Any initiative involving personal data
• Cloud or international data transfers
• AI decision-making tools
• New services that gather or analyze user data

PIAs must outline:

• Privacy hazards
• Mitigation strategies

These are critical compliance documents and should be retained for audits.

These principles mean privacy must be built into every system and process from the start. By default:

• Only minimum personal data should be collected
• The strongest privacy settings must be pre-selected

Examples:

• Forms should request only essential information
• Marketing communications should require opt-in consent
• Systems should limit data visibility unless users choose otherwise

Under Law 25, individuals may request the erasure or anonymization of their data if:

• It was collected illegally
• It is outdated
• It is no longer needed

Requests must be processed within 30 days unless an exemption applies. The process must be clear and accessible.

Organizations must:

• Keep a record of all breaches
• Notify the CAI and affected individuals immediately if there is a “risk of serious injury.”

Risk factors include:

• Sensitivity of data
• Population affected
• Potential for misuse

Your incident response plan must allow for quick investigation, containment, notification, and remediation.

Yes, but under strict conditions. Before transferring data beyond Quebec, organizations must:

• Conduct a Privacy Impact Assessment
• Ensure the destination provides equivalent legal protection
• Inform the individual about the transfer
• Use contractual protections

Neglecting these steps can result in sanctions, especially if data is sent to jurisdictions with weaker privacy laws.

Fact: Only fully anonymized, irreversible data is out of jurisdiction. Changing names to codes (pseudonymization) is inadequate to shield such data from the law.

Fact: Law 25 penalizes compliance lapses beyond breaches. Fines may apply for:

• Lack of consent
• Poor data retention
• Not registering an Information Guardian
• Skipping PIAs
• Ignoring privacy by default

Even without a breach, penalties may exceed CAD 25 million or 4% of turnover.

Fact: Size does not create exceptions. Once an entity handles data beyond personal use, it must comply with Law 25.

Fact: Contractual safeguards assist, but you must notify individuals about:

• The destination of the data transfer
• Associated dangers
• Protection measures

Passive reliance on ‘model clauses’ is not compliant.

Fact: Privacy Impact Assessments (PIAs) must include:

• Risk evaluations
• Mitigation plans
• Executive approval and documentation

Auditors and regulators may demand verification for new systems or sensitive processes.

Fact: Law 25 mandates prior permission for data collection and use. Consent must be:

• Informed
• Explicit
• Documented

Fact: Disclosure is required for automated decision-making that affects:

• Legal
• Social
• Financial
• Reputational outcomes

You must:

• Inform users
• Explain logic
• Enable reviews

Even benign consequences do not exempt disclosure.

Fact: Only irreversibly anonymized data is exempt. Pseudonymization is not enough. De-identification supports compliance but must be verified for legality.

Fact: Physical safety is not a substitute for legal equivalence. The U.S. lacks Quebec-like privacy protections. Use:

• Encryption
• Disclosures
• Contractual and organizational safeguards

Fact: All active personal data systems must comply. Legacy applications storing Quebec data must:

• Enforce privacy defaults
• Update consent logs
• Replace outdated protections
• Perform retroactive PIAs, if required

Fact: Enforcement is ramping up. Privacy now plays a key governance role. Integration—not surface-level tweaks—is essential.

Fact: Compliance is phased:

• Consent updates began earlier
• Privacy by default kicks in late 2024
• Complete assessments are required by September 2025

Fact: Law 25 has no third-party certification system.

• Internal audits ensure compliance
• Branding aids visibility but doesn’t replace legal governance or documentation

Fact: Only an authorized Information Guardian can manage privacy obligations. General policies are ineffective without assigned responsibility and staff training.

Fact: Self-reporting doesn’t ensure immunity.

• Penalties are still possible if safeguards are lacking
• Prompt reporting reduces penalties
• Long-term protection requires systemic compliance

Fact: Law 25 promotes continuous improvement:

• Annual compliance evaluations
• Regular PIA updates
• Fresh consent collection
• Breach log maintenance
• Ongoing staff training

Organizations must develop a privacy culture, not a checkbox approach.