What is Law 25? A Complete Guide for Quebec Organizations

Elite Consultation · 2026-03-23
Tags: Law 25, compliance, guide

Law 25 in Brief

Law 25, officially titled An Act to modernize legislative provisions as regards the protection of personal information (Bill 64), came into force in phases between September 2022 and September 2023. It modernizes two existing laws: the Act respecting the protection of personal information in the private sector (P-39.1) for businesses, and the Act respecting access to documents held by public bodies and the protection of personal information (A-2.1) for the public sector.

The law applies to any Quebec organization — business, non-profit, municipality, or public body — that collects, uses, retains, or shares personal information. There is no minimum size threshold: a five-person SME faces the same requirements as a large corporation.

Law 25 places Quebec among the most demanding jurisdictions in North America for privacy protection, drawing heavily from the European GDPR.

Key Obligations

Quebec organizations must meet several core requirements:

  • Privacy officer: designate a person responsible for personal information protection and publish their contact information on the organization's website
  • Governance policy: adopt and publish a policy governing how personal information is managed
  • Incident register: maintain a register of all confidentiality incidents (even when notification is not required) and notify the Commission d'accès à l'information (CAI) and affected individuals when a serious risk exists
  • Privacy impact assessments (PIAs): conduct a PIA before any project involving personal information, and before any cross-border transfer of personal data
  • Individual rights: honor requests for de-indexing, access, correction, and data portability
  • Consent management: obtain valid, separate, and documented consent for each purpose of collection
  • Information inventory: document the categories of personal information held, where it is stored, and which third parties have access

Penalties

The Commission d'accès à l'information (CAI) has had expanded investigation and enforcement powers since September 2023. Administrative penalties can reach $25,000,000 or 4% of worldwide turnover for the most serious violations, whichever is higher.

Criminal penalties apply for certain specific offences. Executives can be held personally liable if they authorized or participated in a violation.

Beyond fines, organizations face significant reputational risk in a market where client trust is a strategic asset.

Practical Steps to Comply

1. Appoint a privacy officer

Designate a privacy officer, ideally a member of the leadership team. This is not a symbolic role — this person must understand your processes and have the authority to enforce policies.

2. Inventory your personal information

Map what personal information you hold, where it is stored, who has access, and how long you retain it. This inventory is the foundation for every other compliance step.

3. Adopt a governance policy

Draft and publish a policy that covers: purposes of collection, security measures, retention and destruction rules, and procedures for handling incidents.

4. Set up your incident register

Every incident involving personal information must be logged, even when notification is not required. A structured register simplifies notification decisions and demonstrates your due diligence to the CAI.

5. Assess projects before launching

For any new project involving personal information (new CRM, new integration, new HR tool), complete a PIA before you start. This assessment identifies risks and documents the steps taken to mitigate them.

Conclusion

Law 25 compliance is not a one-time project. It is an ongoing program that requires discipline, documentation, and processes scaled to the size of your organization.

Observantia was built to simplify this work: incident management, privacy impact assessments, registers, and reports, all in a platform structured around the actual requirements of Law 25. Try it free for 14 days.