Law 25 in Quebec: Current Obligations, Fines, and Required Improvements

Since its adoption in 2021, Law 25, officially titled An Act to modernize legislative provisions as regards the protection of personal information, has profoundly transformed Quebec’s legal landscape with respect to privacy. Brought into force in successive phases between 2022 and 2023, it imposes a rigorous framework on public and private organizations for the collection, use, communication, and retention of personal information. Here is an overview of the current obligations, applicable fines, and changes that players in the legal and business communities are calling for.

Background and objectives of Law 25

Law 25 modernized two existing statutes: the Act respecting the protection of personal information in the private sector and the Act respecting access to documents held by public bodies and the protection of personal information. Its primary objective is to align Quebec with the most advanced international standards, particularly the General Data Protection Regulation (GDPR) of the European Union.

This reform responds to an unavoidable reality: the proliferation of cyberattacks, data breaches, and opaque commercial practices linked to the exploitation of personal data. The legislature sought to give Quebec citizens greater control over their information, while making the companies and organizations that process it more accountable.

Current obligations imposed by Law 25

Designation of a person responsible for the protection of personal information

Every company, regardless of its size, must designate a person responsible for the protection of personal information (PRP). By default, this role falls to the person holding the highest authority within the organization. The name and contact information of this person must be published on the company’s website or through any other means that allows the public to access it easily.

Privacy policy and transparency

Organizations must publish a clear and accessible privacy policy written in plain language. This policy must explain the purposes of collection, the categories of information gathered, the rights of the individuals concerned, and the mechanisms available to exercise those rights. Transparency is at the heart of the framework: it is no longer sufficient to vaguely mention the existence of cookies or tracking files — their use must be described in detail.

Explicit and granular consent

Consent must be freely given, informed, provided for specific purposes, and in certain cases, express. For sensitive information (health data, biometric data, data relating to minors), explicit consent is mandatory. Organizations can no longer rely on pre-checked boxes or ambiguous wording. Consent must be obtained for each distinct purpose.

Rights of individuals

The law considerably strengthens the rights of individuals concerned. Among the rights now guaranteed are the following:

  • The right to access one’s own personal information
  • The right to rectification in the event of inaccuracy
  • The right to data portability (since September 2023)
  • The right to erasure or de-indexing in certain circumstances
  • The right to withdraw consent at any time
  • The right to be informed in the event of a confidentiality incident

Management of confidentiality incidents

In the event of a data breach likely to cause serious harm, the organization must notify the Commission d’accès à l’information (CAI) and the individuals concerned as soon as possible. A register of incidents must be kept up to date and retained for a minimum period of five years.

Privacy impact assessments

Before launching any project involving the collection or use of personal information, organizations must conduct a privacy impact assessment (PIA). This preventive analysis aims to identify and mitigate privacy risks from the outset of the project, in accordance with the principle of privacy by design.

Transfers of information outside Quebec

Any transfer of personal information outside Quebec is subject to a prior assessment of the level of protection offered by the recipient country or organization. If that level is deemed insufficient, the transfer may only take place with adequate contractual safeguards.

Fines and penalties under Law 25

Law 25 is distinguished by particularly severe penalties, designed to deter any form of negligence or bad faith. The penalties are graduated according to the seriousness of the offence and the size of the offending organization.

Penal sanctions

For legal persons (companies, organizations), fines can reach:

  • Up to $10 million or 2% of worldwide turnover for less serious offences
  • Up to $25 million or 4% of worldwide turnover for the most serious offences, whichever amount is greater

For natural persons (executives, employees), individual fines are also provided for, ranging from several thousand to several hundred thousand dollars depending on the nature of the offence.

Administrative sanctions

In addition to penal fines, the Commission d’accès à l’information has expanded powers to issue orders, require the cessation of illegal practices, and impose corrective measures. It may also make its decisions public, which represents a significant reputational risk for the organizations concerned.

Liability of executives

The law provides for personal liability for directors and executives who authorized or tolerated an offence. This provision is intended to ensure that compliance with the law is taken seriously at the highest levels of the organizational hierarchy.

Changes and improvements called for by experts

Despite the undeniable progress that Law 25 represents, several players in the legal community, including the Barreau du Québec, have put forward recommendations to improve the legislative framework and strengthen its effectiveness.

Greater clarity in definitions

One of the most frequent criticisms concerns the imprecision of certain key concepts, such as “sensitive information” or “serious harm”. More precise definitions would help organizations better understand their obligations and reduce the risk of divergent interpretations before the courts.

Greater support for SMEs

Small and medium-sized enterprises face considerable challenges in complying with the law, due to insufficient human and financial resources. Experts are calling for the creation of tailored practical guides, standardized tools, and state-funded support programs to help SMEs meet their obligations without compromising their competitiveness.

Strengthening the CAI’s resources

The Commission d’accès à l’information is the authority responsible for overseeing the application of the law. However, several observers believe that its human and budgetary resources are insufficient to effectively monitor all subject organizations. Strengthening its capacity is considered essential if the penalties are to be truly dissuasive.

Harmonization with other provinces and the federal government

Quebec’s framework is more demanding than federal legislation (PIPEDA) and that of several other Canadian provinces. This disparity creates challenges for companies operating across multiple jurisdictions. Experts are advocating for a gradual harmonization of Canadian data protection legislation, ideally aligned with the most protective standards.

Regulation of artificial intelligence

The rapid rise of artificial intelligence raises questions that Law 25 addresses only partially. AI systems process massive volumes of personal information and can make automated decisions with significant impacts on individuals. Legal experts and rights advocacy groups are calling for specific regulation of AI within the law, particularly with respect to algorithmic transparency and the right to explanation.

How to prepare and maintain compliance

In light of all these obligations, organizations must adopt a proactive and structured approach. The following are the key recommended steps:

  • Appoint a person responsible for the protection of personal information and provide them with the necessary resources
  • Conduct a comprehensive inventory of the personal information collected and processed
  • Update privacy policies and consent forms
  • Train employees on best practices for data protection
  • Establish a process for managing confidentiality incidents
  • Conduct privacy impact assessments for every new project
  • Review contracts with suppliers and partners who process data on behalf of the organization

Conclusion

Law 25 represents a major step forward for the protection of privacy in Quebec. Its requirements are ambitious, and the penalties provided for non-compliance are substantial. While many organizations have already begun their compliance efforts, the work is far from over. The improvements called for by experts — whether legislative clarifications, better support for SMEs, or regulation of artificial intelligence — reflect the need for ongoing dialogue between the legislature, regulators, and the business community. Compliance with Law 25 is not a destination, but a continuous process that demands vigilance, adaptation, and long-term commitment.