
Quebec Law 25 (2021)

  • Maximum Fine: CAD$25M or 4%
  • Scope: Provincial
  • Regulator: CAI
  • Enacted: 2021


Overview

Quebec's Law 25 modernizes privacy protection in Quebec, introducing significant new requirements for organizations that collect, use, or disclose personal information.

Key Facts

  • Enacted in 2021, phased implementation through 2023
  • Enforced by Commission d'accès à l'information (CAI)
  • Introduces strict consent and transparency requirements

Key Principles

Necessity Principle

Personal information must only be collected when necessary for a serious and legitimate purpose.

Requirements

  • Justify data collection
  • Document purposes
  • Limit collection scope
  • Regular necessity reviews
  • Purpose validation

Examples

  • Purpose documentation
  • Collection justification
  • Necessity assessments
  • Review records

Transparency

Organizations must be transparent about their personal information practices.

Requirements

  • Clear privacy policies
  • Inform of purposes
  • Explain automated processing
  • Disclose overseas transfers
  • Document practices

Examples

  • Privacy notices
  • Collection statements
  • Transfer disclosures
  • Process documentation

Confidentiality

Organizations must protect the confidentiality of personal information throughout its lifecycle.

Requirements

  • Implement security measures
  • Control access rights
  • Encrypt sensitive data
  • Monitor security
  • Incident response

Examples

  • Security policies
  • Access controls
  • Encryption protocols
  • Monitoring systems

Compliance Requirements

Privacy Officer Appointment

Organizations must designate a person in charge of personal information protection.

Implementation Steps

  • Appoint qualified privacy officer
  • Document responsibilities
  • Publish contact information
  • Establish reporting structure
  • Train on requirements

Required Documentation

  • Appointment letter
  • Role description
  • Contact information
  • Training records
  • Reporting procedures

Privacy Impact Assessment

Conduct privacy impact assessments for high-risk processing activities.

Implementation Steps

  • Identify assessment triggers
  • Evaluate privacy risks
  • Document safeguards
  • Implement recommendations
  • Regular reviews

Required Documentation

  • Assessment reports
  • Risk evaluations
  • Mitigation plans
  • Implementation records
  • Review schedule

Confidentiality Incidents

Requirements for handling and reporting confidentiality incidents.

Implementation Steps

  • Establish incident procedures
  • Create response team
  • Document incidents
  • Notify affected persons
  • Report to CAI

Required Documentation

  • Incident procedures
  • Response team contacts
  • Incident logs
  • Notification templates
  • CAI reports

Enforcement & Penalties

Administrative Penalties

The Commission d'accès à l'information (CAI) can impose significant administrative penalties for violations.

Penalty Categories

  • Severe Violations: Up to CAD$25M or 4% of revenue, for serious breaches of the law's requirements
  • Standard Violations: Up to CAD$10M or 2% of revenue, for general compliance failures
  • Continuing Violations: Up to CAD$50,000 per day, for ongoing violations after notice

Example Cases

  • Major Retailer: CAD$15M (2023 - Failure to implement adequate security measures)
  • Tech Company: CAD$8M (2023 - Unauthorized collection of biometric data)

Penal Provisions

Criminal penalties for serious violations of the law.

Penalty Categories

  • Individual Liability: Up to CAD$100,000, for individuals who commit offenses
  • Corporate Liability: Up to CAD$25M or 4%, for organizations that commit offenses
  • Subsequent Offenses: Double the amounts, for repeat violations

Example Cases

  • Data Breach Cover-up: CAD$75,000 (2023 - Intentional concealment of confidentiality incident)
  • Biometric Database: CAD$50,000 (2023 - Illegal collection of biometric information)