Law 25: Québec's new privacy legislation and the impact on your organization

Skip to Overview content

Québec's Law 25 comes into effect in its first phase on September 22, 2022. In the weeks and months ahead, organizations doing business in the province of Québec will likely need to implement significant changes to the ways in which they collect, use, and disclose personal information. Are you prepared to comply?

What is Law 25?

Law 25 is the latest and most significant privacy legislation development in Canada. It follows the 2021 adoption of Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, which enacted significant changes to the requirements governing the collection, use, and communication of personal information.

Under the provisions of Law 25 in effect on September 22, 2022, it is mandatory for organizations operating in Québec to:

  • Designate a privacy officer to oversee the handling of personal information (this role will default to a company's CEO in the absence of a dedicated privacy officer);
  • Notify the Commission d'accès à l'information and affected individuals of any confidentiality incidents, including privacy data breaches and the unauthorized access/use/disclosure of personal information; and
  • Keep a record of all security incidents for a period of five years (subject to regulation's adoption).

The vast majority of the amendments enacted by Law 25 will come into effect on September 22, 2023, and will require significant changes to privacy compliance frameworks, including mandatory PIA's for the transfer of personal information outside of Québec, mandatory provisions within all outsourcing contracts, the adoption of privacy by default mechanisms for new technologies, and many other significant changes.

Who does it impact?

With some exemptions, most organizations established in Québec and/or doing business in Québec that are collecting, using, or disclosing personal information of individuals located in the province will be impacted. Even the scenario of a Québec-based customer soliciting goods and services from a foreign website – in other words, most international online shopping scenarios – is potentially covered by the new legislation and may require compliance by the foreign company.

What are the penalties for noncompliance?

Law 25 increases the fines for non-compliance with privacy legislation, with private-sector entities subject to fines ranging from $15,000 to $25,000,000 CAD, or an amount corresponding to four per cent of worldwide turnover for the preceding fiscal year (whichever is greater).

Learn more about the key obligations coming into effect

Interested in learning more about Law 25 and its potential impact on your business? Contact any member of Gowling WLG's Cyber Security & Data Protection Law Group to begin a conversation.