Quebec Law 25 (2021)
Overview
Quebec's Law 25 modernizes privacy protection in Quebec, introducing significant new requirements for organizations that collect, use, or disclose personal information.
Key Facts
- Enacted in 2021, phased implementation through 2023
- Enforced by the Commission d'accès à l'information (CAI)
- Introduces strict consent and transparency requirements
Key Principles
Necessity Principle
Personal information must only be collected when necessary for a serious and legitimate purpose.
Requirements
- Justify data collection
- Document purposes
- Limit collection scope
- Regular necessity reviews
- Purpose validation
Examples
- Purpose documentation
- Collection justification
- Necessity assessments
- Review records
Transparency
Organizations must be transparent about their personal information practices.
Requirements
- Clear privacy policies
- Inform of purposes
- Explain automated processing
- Disclose overseas transfers
- Document practices
Examples
- Privacy notices
- Collection statements
- Transfer disclosures
- Process documentation
Confidentiality
Organizations must protect the confidentiality of personal information throughout its lifecycle.
Requirements
- Implement security measures
- Control access rights
- Encrypt sensitive data
- Monitor security
- Incident response
Examples
- Security policies
- Access controls
- Encryption protocols
- Monitoring systems
Compliance Requirements
Privacy Officer Appointment
Organizations must designate a person in charge of personal information protection.
Implementation Steps
- Appoint qualified privacy officer
- Document responsibilities
- Publish contact information
- Establish reporting structure
- Train on requirements
Required Documentation
- Appointment letter
- Role description
- Contact information
- Training records
- Reporting procedures
Privacy Impact Assessment
Conduct privacy impact assessments for high-risk processing activities.
Implementation Steps
- Identify assessment triggers
- Evaluate privacy risks
- Document safeguards
- Implement recommendations
- Regular reviews
Required Documentation
- Assessment reports
- Risk evaluations
- Mitigation plans
- Implementation records
- Review schedule
Confidentiality Incidents
Requirements for handling and reporting confidentiality incidents.
Implementation Steps
- Establish incident procedures
- Create response team
- Document incidents
- Notify affected persons
- Report to CAI
Required Documentation
- Incident procedures
- Response team contacts
- Incident logs
- Notification templates
- CAI reports
Enforcement & Penalties
Administrative Penalties
The Commission d'accès à l'information (CAI) can impose significant administrative penalties for violations.
Penalty Categories
Example Cases
Penal Provisions
Criminal penalties for serious violations of the law.