Canadian privacy laws: New rules for a new era


The first phase of Québec's Law 25 came into effect on September 22, 2022. In the weeks and months ahead, organizations doing business in the province of Québec will likely need to implement significant changes to the ways in which they collect, use, and disclose personal information. Are you prepared to comply?

What is Law 25?

Law 25 is the latest and most significant privacy legislation development in Canada. It follows the 2021 adoption of Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, which enacted significant changes to the requirements governing the collection, use, and communication of personal information.

Under the provisions of Law 25 in effect on September 22, 2022, it is mandatory for organizations operating in Québec to:

  • Designate a privacy officer to oversee the handling of personal information (this role will default to a company's CEO in the absence of a dedicated privacy officer);
  • Notify the Commission d'accès à l'information and affected individuals of any confidentiality incidents, including privacy data breaches and the unauthorized access/use/disclosure of personal information; and
  • Keep a record of all security incidents for a period of five years (subject to the adoption of the regulation).

The vast majority of the amendments enacted by Law 25 will come into effect on September 22, 2023, and will require significant changes to privacy compliance frameworks, including mandatory privacy impact assessments (PIAs) for the transfer of personal information outside of Québec, mandatory provisions within all outsourcing contracts, the adoption of privacy-by-default mechanisms for new technologies, and many other significant changes.

Who does it impact?

With some exemptions, most organizations established in Québec and/or doing business in Québec that are collecting, using, or disclosing personal information of individuals located in the province will be impacted. Even the scenario of a Québec-based customer soliciting goods and services from a foreign website – in other words, most international online shopping scenarios – is potentially covered by the new legislation and may require compliance by the foreign company.

What are the penalties for noncompliance?

Law 25 increases the fines for non-compliance with privacy legislation, with private-sector entities subject to fines ranging from $15,000 to $25,000,000 CAD, or an amount corresponding to four per cent of worldwide turnover for the preceding fiscal year (whichever is greater).

An Act to modernize legislative provisions as regards the protection of personal information (also known as "Law 25" or "Bill 64"), adopted on September 22, 2021, substantially modifies the personal information protection regime for businesses and public organizations operating in Québec. These changes will come into effect over the course of the next three years, starting on September 22, 2022.

Below is an overview of the main obligations now in effect as well as the solutions that our team proposes to ensure your compliance.

Overview of obligations and solutions - Phase 1 (September 22, 2022)

Each row below gives the topic, the obligation now in effect, and the solutions proposed.

Governance
  Obligation:
  • Designate a Privacy Officer
  Solutions:
  • Structure tasks and responsibilities
  • Establish a customized training program
  • Map data flows

Cyber security
  Obligation:
  • Confidentiality incident reporting
  Solutions:
  • Have an organizational structure for incident prevention, management and response
  • Establish security policies and an incident response plan
  • Review contracts with service providers
  • Set up a cyber security training program
  • Create a register of security incidents

Biometrics
  Obligation:
  • Report the creation of a biometric database
  Solutions:
  • Create a policy on the use of biometric systems
  • Conduct a privacy impact assessment for any project involving biometric data

Research
  Obligation:
  • Disclosure of personal information for research purposes
  Solutions:
  • Have a procedure in place for research projects (including a privacy impact assessment and other documentation)
  • Liaise with the Commission d'accès à l'information du Québec

Please note that penalties for non-compliance can reach up to CDN $25 million. It is not too late to start your compliance process. Our team is at your disposal to help review your practices and processes, taking into account the Québec legislation as well as other applicable laws in Canada and the European Union.


Cyber security and data protection

Our team of cyber security and data protection lawyers takes a proactive approach to safeguarding your world.
