Skip to main content

Quebec Act to Modernize Legislative Provisions Respecting the Protection of Personal Information

Quebec Law 25 (formerly Bill 64) modernizes Quebec's privacy regime with GDPR-style obligations, phased in from 2022 to 2024, including privacy by default, breach reporting, and impact assessments. It is overseen by the CAI and carries steep penalties.

Jurisdiction
Quebec

Quebec Law 25, formerly known as Bill 64, is the Act to modernize legislative provisions as regards the protection of personal information. It received assent in September 2021 and brought sweeping reforms to Quebec's public-sector and private-sector privacy laws. Its obligations came into force in three phases, on September 22 of 2022, 2023, and 2024. Law 25 is one of the strictest privacy regimes in North America and brings Quebec closer to the GDPR.

The law is overseen by the Commission d'accès à l'information (CAI), Quebec's data protection authority. It applies on top of, and in some respects beyond, Canada's federal PIPEDA within the province.

Who It Applies To

Law 25 applies to public bodies and to private-sector enterprises that carry on business in Quebec and collect, hold, use, or communicate personal information about individuals. Its reach is broad and includes organizations outside Quebec that handle the personal information of Quebec residents in the course of business.

Key Requirements

Law 25 introduced a wide set of obligations phased in over three years. Organizations must appoint a person in charge of the protection of personal information, by default the most senior executive. They must report confidentiality incidents that present a risk of serious injury to the CAI and to affected individuals, and keep an incident register. They must conduct privacy impact assessments for projects involving personal information systems and for transfers outside Quebec. By 2023, consent rules tightened, privacy by default became mandatory for technology with privacy settings, and transparency obligations expanded. As of 2024, individuals gained a right to data portability. The law also restricts automated decision-making and profiling and requires disclosure when such methods are used.

Penalties for Non-Compliance

Law 25 carries some of the highest privacy penalties in Canada. The CAI can impose administrative monetary penalties of up to CAD 10 million or 2 percent of worldwide turnover. Penal fines can reach CAD 25 million or 4 percent of worldwide turnover, whichever is greater. The law also created a private right of action for damages caused by unlawful infringement.

How to Comply

Appoint a privacy officer and publish their contact details. Build an incident response process and maintain a confidentiality incident register. Conduct privacy impact assessments for new projects and for cross-border transfers. Implement privacy by default in products with configurable settings. Update consent and transparency practices, including disclosures for automated decisions. Provide data portability mechanisms. Review international transfer arrangements against the law's adequacy-style assessment.