Quebec Bill 64
What is Law 25?
Quebec's Law 25 — formally titled the Act to modernize legislative provisions as regards the protection of personal information — is a comprehensive privacy law that significantly reformed the province's data protection framework. The Quebec National Assembly unanimously adopted the law (then known as Bill 64) on September 21, 2021, and it was assented to on September 22, 2021. It amended both the Act respecting the protection of personal information in the private sector and the Act respecting access to documents held by public bodies and the protection of personal information.
Law 25 is now fully in force. Its provisions were implemented in three phases: September 22, 2022 (privacy officer designation, breach notification, and foundational obligations), September 22, 2023 (the majority of provisions, including enhanced consent requirements, privacy impact assessments, individual rights, transparency obligations, automated decision-making requirements, new enforcement powers, and the private right of action), and September 22, 2024 (the right to data portability).
Law 25 is the most comprehensive privacy reform enacted in any Canadian province to date, and it diverges from many North American privacy laws by drawing heavily on the EU's General Data Protection Regulation (GDPR) as a model.
Who does Law 25 apply to?
Law 25 applies broadly to private sector organizations, public bodies, non-profit organizations, and individuals acting in a professional capacity that collect, hold, use, communicate, or destroy the personal information of individuals in Quebec. Unlike many U.S. state privacy laws, Law 25 does not set minimum revenue or data-volume thresholds; any organization handling the personal information of Quebec residents in the course of carrying on an enterprise falls within scope.
The law also has extraterritorial reach. Organizations based outside Quebec — including in other Canadian provinces or in the United States — must comply if they collect, use, or disclose the personal information of individuals located in Quebec. This is consistent with the extraterritorial approach taken by the GDPR and by the Commission d'accès à l'information du Québec (CAI), the province's enforcement authority.
Personal information
Law 25 defines personal information as any information about a natural person that allows them to be identified, regardless of the format in which it is held (written, graphic, digital, or otherwise). The law introduced a "sensitive personal information" category, covering information that is sensitive either due to its nature (medical, biometric, or otherwise intimate information) or due to the context of its use or communication. The degree of sensitivity affects consent requirements and security measures.
Individual rights
Law 25 grants individuals the following rights:
- The right to be informed about the collection, use, and disclosure of their personal information, including the specific purposes, categories of persons who will have access, and retention periods.
- The right of access to personal information held by an organization, with a response deadline of 30 days.
- The right to rectification of inaccurate, incomplete, or equivocal personal information.
- The right to withdraw consent for the processing of personal information, subject to certain exceptions.
- The right to deletion or anonymization of personal information when it is no longer necessary for the purposes for which it was collected.
- The right to be informed when a decision that significantly affects an individual is based exclusively on automated processing, and the right to have that decision reviewed by a person within the organization.
- The right to data portability, allowing individuals to obtain a copy of their personal information in a structured, commonly used technological format, or to request direct transfer to another organization where technically feasible (effective September 22, 2024).
- The right to lodge complaints with the CAI and to seek remedies, including statutory punitive damages for intentional or grossly negligent infringements (effective September 22, 2023).
Key business obligations
Law 25 imposes obligations on both private and public sector organizations that go beyond Canada's federal Personal Information Protection and Electronic Documents Act (PIPEDA), which applies primarily to commercial activities.
Privacy officer designation: Organizations must designate a person responsible for the protection of personal information. This role defaults to the highest-ranking officer (CEO or equivalent) but can be delegated in writing. The privacy officer's title and contact information must be published on the organization's website (effective September 22, 2022).
Governance policies: Organizations must establish and implement governance policies and practices for the protection of personal information, including policies on retention, destruction, anonymization, roles and responsibilities, and complaint handling. These policies must be published on the organization's website.
Consent: Law 25 requires consent that is manifest, free, informed, and given for specific purposes. Consent must be obtained separately for each purpose and cannot be bundled with acceptance of terms of service. Consent for the collection and use of sensitive personal information must be expressly obtained. Organizations using identification, location, or profiling technologies (such as cookies) must obtain opt-in consent.
Privacy impact assessments (PIAs): Organizations must conduct PIAs before implementing any new project involving the collection, use, or communication of personal information, or before making changes to an existing information system that involves personal information.
Transparency: At or before the time of collection, organizations must inform individuals of the specific purposes for which personal information is being collected, the means of collection, the rights of access and rectification, and the right to withdraw consent. If the information will be communicated to third parties or transferred outside Quebec, this must also be disclosed.
Automated decision-making: When a decision based exclusively on automated processing is made about an individual, the organization must inform the individual of the use of automated processing, the reasons for and principal factors leading to the decision, and the individual's right to have the decision reviewed by a person within the organization.
Biometric data: Organizations must disclose the creation of any biometric database to the CAI at least 60 days before the system goes live.
Data breach notification
Organizations must notify the CAI and affected individuals when a confidentiality incident (data breach) involving personal information presents a risk of serious injury. The risk assessment must consider the sensitivity of the information, the anticipated consequences of misuse, and the likelihood of injurious use. Organizations must maintain a register of all confidentiality incidents, whether or not they meet the serious-risk threshold, and provide this register to the CAI on request (effective September 22, 2022).
Cross-border transfers
Before transferring personal information outside Quebec — including to other Canadian provinces or to the United States — organizations must conduct a privacy impact assessment that evaluates whether the destination jurisdiction provides an adequate level of protection. The assessment must consider the sensitivity of the information, the purposes of the transfer, the protective measures in place (including contractual safeguards), and the applicable legal framework in the destination jurisdiction. If the assessment concludes that the destination does not provide adequate protection, the transfer cannot proceed unless appropriate contractual or other measures are implemented.
Enforcement
The CAI is responsible for enforcing Law 25. The law introduced a two-tier enforcement framework with substantially increased penalties compared to the prior regime.
Administrative monetary penalties (AMPs): The CAI can impose AMPs of up to C$10 million or 2% of worldwide turnover for the preceding fiscal year, whichever is greater. AMPs may be imposed for violations including collecting, using, communicating, or destroying personal information in breach of the law; failing to report confidentiality incidents; or failing to implement required security measures.
Penal fines: For more serious violations, the Court of Quebec can impose penal fines of up to C$25 million or 4% of worldwide turnover for the preceding fiscal year, whichever is greater. Penal offenses include violations that cause significant harm to individuals, unauthorized attempts to re-identify de-identified or anonymized information, and failure to comply with CAI orders. For individuals (natural persons), penal fines range from C$5,000 to C$100,000. For repeat offenses, fines are doubled.
Private right of action: Effective September 22, 2023, individuals can bring civil claims for statutory punitive damages when an organization unlawfully infringes a right conferred by the law, provided the infringement is intentional or results from gross negligence.
How Law 25 differs from PIPEDA
Law 25 applies to both commercial and non-commercial activities, while PIPEDA applies primarily to commercial activities. Law 25's penalties (up to C$25 million or 4% of global turnover) far exceed PIPEDA's (up to C$100,000 per violation). Law 25 requires privacy impact assessments; PIPEDA does not. Law 25 grants a private right of action with statutory punitive damages; PIPEDA does not provide a comparable remedy. Law 25 includes specific provisions for automated decision-making; PIPEDA does not. And Law 25's consent requirements are more granular, requiring separate consent for each purpose and express consent for sensitive information.
How Law 25 compares to the GDPR
Law 25 was explicitly modeled on the GDPR in several respects, including its extraterritorial scope, penalty structure benchmarked against global turnover, privacy impact assessment requirements, data portability right, and emphasis on purpose limitation and data minimization. However, the two laws differ in important respects. The GDPR provides six lawful bases for processing (including legitimate interests and contract performance); Law 25 relies primarily on consent, with more limited exceptions. The GDPR requires designation of a Data Protection Officer with specific qualifications and independence protections; Law 25's privacy officer designation carries fewer structural requirements. The GDPR imposes a 72-hour breach notification deadline; Law 25 requires notification "promptly" when there is a risk of serious injury, without a specific hourly deadline. The GDPR's maximum fine is €20 million or 4% of global turnover; Law 25's penal maximum is C$25 million or 4%.
Key dates
September 22, 2021: Law 25 assented to.
September 22, 2022: Phase 1 (privacy officer designation, breach notification, breach register).
September 22, 2023: Phase 2 (majority of provisions including consent, transparency, PIAs, individual rights except portability, automated decision-making, enforcement powers, private right of action, punitive damages).
September 22, 2024: Phase 3 (right to data portability). Law 25 is now fully in force.
Resources
Commission d'accès à l'information du Québec (CAI)
Osler – Law 25 Enforcement Scheme
BLG – Quebec Bill 64 Compliance Guide