Canadian privacy laws: New rules for a new era

Skip to Québec's Law 25 content

The final phase of Quebec's Law 25 came into effect on September 22, 2023. Is your business complying?

What is Law 25?

Law 25 is the latest and most significant privacy legislation development in Canada. It follows the 2021 adoption of Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, which enacted significant changes to the requirements governing the collection, use, and communication of personal information.

Law 25 requires significant changes to privacy compliance frameworks, including mandatory PIA's for the transfer of personal information outside of Québec, mandatory provisions within all outsourcing contracts, the adoption of privacy by default mechanisms for new technologies, and many other significant changes.

Who does it impact?

With some exemptions, most organizations established in Québec and/or doing business in Québec that are collecting, using, or disclosing personal information of individuals located in the province will be impacted. Even the scenario of a Québec-based customer soliciting goods and services from a foreign website – in other words, most international online shopping scenarios – is potentially covered by the new legislation and may require compliance by the foreign company.

What are the penalties for noncompliance?

Law 25 increases the fines for non-compliance with privacy legislation, with private-sector entities subject to fines ranging from $15,000 to $25,000,000 CAD, or an amount corresponding to four per cent of worldwide turnover for the preceding fiscal year (whichever is greater).

An Act to modernize legislative provisions as regards the protection of personal information (also known as "Law 25" or "Bill 64") adopted on September 22, 2021, substantially modifies the protection of personal information regime for businesses and public organizations operating in Québec. 

Biometrics and compliance: Navigating Québec's legal framework

In the digital age, organizations are integrating biometric technology into their operations with increasing prevalence. While the use of these technologies offer significant benefits to society, they also bring forth major privacy risks. In Québec, there are two laws – the Act to establish a legal framework for information technology (the “Québec IT Act”) and the Act respecting the protection of personal information in the private sector (the “Québec Privacy Act“) – that govern the use of biometric information within the province.

Learn more

Cyber security and data protection

Our team of cyber security and data protection lawyers takes a pro-active approach to safeguarding your world.

Learn more about the team


Sign up to receive our Privacy newsletter for the latest developments and trends that matter most to you.

Sign up