
Quebec Law 25: What Canada’s New Privacy Law Requires

As global privacy regulations evolve, organizations operating in or interacting with Canadian consumers must stay ahead of the curve. One of the most significant recent developments in Canadian privacy law is Quebec Law 25—formerly known as Bill 64—which overhauls the province’s privacy framework and imposes stricter requirements on how personal information is collected, used, and secured.

What is Quebec Law 25

Adopted in September 2021, Quebec Law 25 (Loi modernisant des dispositions législatives en matière de protection des renseignements personnels) modernizes Quebec’s privacy legislation and aligns it more closely with global standards such as the EU GDPR and California’s CCPA/CPRA. Its provisions came into force in three annual phases: September 2022 (designation of a privacy officer and breach notification), September 2023 (the bulk of the new obligations, including consent, privacy impact assessments, governance policies and the new penalty regime), and September 2024 (the right to data portability).

Quebec Law 25 introduces several significant enhancements to the province’s privacy framework, including stronger privacy rights for individuals and new obligations for data controllers. These include requirements to maintain clear privacy policies, conduct risk and privacy impact assessments, and provide timely notifications in the event of a data breach.

Quebec Law 25 vs PIPEDA

Quebec Law 25 and PIPEDA (Personal Information Protection and Electronic Documents Act) are both Canadian privacy laws, but they differ significantly in scope, enforcement, and modernization. PIPEDA is a federal law that applies to private-sector organizations across most of Canada, setting baseline privacy standards for the collection, use, and disclosure of personal information in commercial activities. In contrast, Quebec Law 25 is a provincial law that introduces stricter and more comprehensive requirements for organizations operating in Quebec or handling the data of Quebec residents. Law 25 mandates clear, informed consent, privacy impact assessments, and transparency about automated decision-making, and it imposes much higher penalties for non-compliance than PIPEDA. While a federal modernization of PIPEDA (the proposed Consumer Privacy Protection Act, CPPA) has been tabled but not enacted, Quebec has already implemented a GDPR-like framework, positioning itself as the leader in privacy regulation within Canada.

Who does Law 25 apply to?

Quebec’s Law 25, formerly known as Bill 64, has a broad scope that extends well beyond traditional organizational boundaries. Unlike privacy laws that apply only to certain sectors or organizations above a certain size, Law 25 is designed to protect the personal information of all Quebec residents, regardless of who is handling their data. That includes private-sector businesses, public institutions (government agencies, educational institutions, and other public bodies), non-profit organizations, and individuals acting in a professional capacity (healthcare providers, legal advisors, financial professionals, or real estate agents).

Importantly, the law’s reach is defined by the individuals whose data is processed, not by where the organization is established. Even if your business is located outside Quebec, or outside Canada altogether, you are subject to Law 25 if you collect or handle the personal information of Quebec residents. This expansive reach reinforces the law’s objective of upholding and enforcing the privacy rights of individuals throughout the province.


Quebec Law 25 Requirements

Here are the most important aspects companies need to understand:

1. Consent and Transparency

Businesses must obtain clear, free, and informed consent from individuals, and must do so expressly when collecting sensitive data. Consent must be requested separately for each purpose, in clear and simple language, and cannot be bundled into a general terms-of-service acceptance. Additionally, privacy policies must be easily accessible and clearly describe the organization’s data processing practices.

2. Privacy Impact Assessments (PIAs)

Law 25 requires organizations to conduct a Privacy Impact Assessment (PIA) before any project to acquire, develop, or overhaul an information system or electronic service delivery system that involves collecting, using, communicating, keeping, or destroying personal information, and before communicating personal information outside Quebec (which in practice includes hosting it with a cloud or SaaS provider located outside the province). The assessment must be proportionate to the sensitivity of the information, the purposes for which it will be used, its quantity and distribution, and the medium on which it is stored.

For a transfer outside Quebec, the assessment must take into account:

  • The sensitivity of the information
  • The purpose and uses of information
  • The data protection measures
  • The jurisdiction where the information is shared and the applicable legal framework

The transfer may proceed only if the assessment establishes that the information would receive adequate protection in the destination jurisdiction, and it must be covered by a written agreement that reflects the assessment’s conclusions.

3. Data Subject Rights

Law 25 data subject rights are very similar to those in the EU General Data Protection Regulation (GDPR).

Data subject rights in Quebec include:

  • Right to access
  • Right to correct inaccurate information
  • Right to erasure of information that was collected unlawfully or is outdated
  • Right to withdraw consent
  • Right to request de-indexing or that dissemination cease (Quebec’s form of the right to be forgotten)
  • Right to request data portability (for computerized personal information collected from the individual, in a structured, commonly used technological format)
  • Right to be informed about, and to submit observations on, decisions made exclusively by automated processing

Organizations must respond in writing within 30 days of receiving the request. A refusal must state the reasons and inform the individual of the right to have the refusal reviewed by the Commission d’accès à l’information (CAI).

4. Breach Notification

Law 25 requires organizations to notify the Commission d’accès à l’information (CAI) and affected individuals of any confidentiality incident (unauthorized access to, use, or communication of personal information, or its loss) that presents a “risk of serious injury.” That risk is assessed from the sensitivity of the information, the anticipated consequences of its use, and the likelihood that it will be used for injurious purposes.

Notification must be made promptly once the risk of serious injury is established, and the organization must take reasonable measures to reduce the risk of injury and prevent recurrence. Every confidentiality incident, reportable or not, must be recorded in a register of incidents that the CAI can request.

5. Data Minimization and Retention

Organizations must securely destroy (or anonymize) personal information once the purposes for which it was collected have been fulfilled, retain it only as long as necessary, and use it only for a legitimate, stated purpose. Additionally, companies must maintain a data inventory and a retention schedule that documents how long each category of information is kept and how it is destroyed.

6. Governance and Accountability

Law 25 requires the designation of a Privacy Officer (the “person in charge of the protection of personal information”). If no one is designated, the person exercising the highest authority within the organization, typically the CEO, holds the role by default, and the officer’s title and contact information must be published on the organization’s website. The Privacy Officer is responsible for overseeing compliance activities such as DSAR fulfillment, breach assessment and reporting, and privacy impact assessments.

From a governance perspective, the law requires maintaining records of data processing activities, as well as implementing internal policies and employee training programs.

7. Automated Decision-Making

When a decision about an individual is made exclusively by automated processing (for example, by an AI model or a scoring algorithm), the organization must inform the individual no later than when it communicates the decision, and on request must disclose the personal information used to make it, the reasons and principal factors behind it, and the individual’s right to have that information corrected. The individual must also be able to submit observations to a person who can review the decision.

Law 25 Non-Compliance Penalties

Penalties under Law 25 are substantial:

  • Administrative monetary penalties imposed by the CAI can reach up to $10 million CAD or 2% of worldwide turnover for the preceding fiscal year, whichever is greater.
  • Penal sanctions for the most serious violations can reach up to $25 million CAD or 4% of worldwide turnover for the preceding fiscal year, whichever is greater.
  • Individuals have a private right of action against organizations that violate the law. Where the infringement is intentional or results from gross fault, punitive damages of at least $1,000 per person apply, and individuals can also pursue collective recourse through class actions.

How BigID Helps with Law 25 Compliance

BigID helps organizations connect the dots across data & AI for security, privacy, compliance, and AI data management. BigID is a leading data intelligence platform that helps organizations discover, manage, and protect personal and sensitive data across their entire ecosystem. Here’s how BigID supports compliance with Quebec Law 25:

1. Data Discovery & Classification

BigID uses advanced machine learning and AI to automatically discover and classify personal and sensitive information across structured and unstructured data sources to help organizations understand what data they have and where it resides, identify sensitive and regulated data, and ensure accurate and complete data maps and inventories.

2. Privacy Impact Assessments (PIAs)

BigID provides workflows for conducting automated PIAs and Data Protection Impact Assessments (DPIAs), making it easier to evaluate the risk associated with new projects, document compliance, and share assessments internally or with regulators as needed.

3. Consent Management

Through integrations and APIs, BigID enables granular consent tracking across data sources and systems, updates and visibility into user consent status, and the management of user preferences across platforms to ensure compliance with Law 25’s transparency and consent standards.

4. Data Subject Rights Fulfillment

BigID streamlines DSR (Data Subject Request) with end-to-end workflows that process the discovery of relevant personal data, enabling easy data extraction, redaction, and delivery, and supporting rights to access, correction, deletion, and portability.

5. Risk & Breach Management

BigID helps detect risky data behavior and supports proactive risk scoring, automated risk alerting for unusual access patterns or policy violations, and streamlined incident and breach workflows to comply with Law 25’s breach notification rules.

6. Governance & Policy Automation

BigID helps enforce data retention, minimization, and governance policies through policy-based data lifecycle management, data labeling and tagging, and integration with existing security and privacy tools.

Whether it’s enhancing transparency, managing risk, or operationalizing privacy by design, BigID is your strategic partner in achieving and maintaining compliance with Law 25 and beyond. Request a demo to see it in action.
