Quebec’s Data Privacy Law 25: What is it and how to comply with it

29-07-2024 | 9 min read | GDPR Compliance, SAP Information Lifecycle Management

In Quebec, Canada’s federal region, respect for privacy is governed by a number of laws, both provincial and federal, to protect the use of individuals’ personal information. These laws rule the collection, use and disclosure of personal information by organisations in the private and public sectors.

The Quebec region already has a longstanding commitment to protect personal information, with a robust legal framework in place that includes strict data privacy laws. These include the existing Personal Information Protection and Electronic Documents Act (PIPEDA) – LPRPDE acronym in French – that applies at federal level. However, the Canadian regulators believed that due to the rapid evolution of technology and increasing data privacy concerns, there was a clear need for tighter regulations, which culminated in the development of Law 25, the Act of Respecting the Protection of Personal Information in the Private Sector.

Loi 25 – Text in French

Law 25 – Text in English

The implementation of the Law 25 adopted a phased approach, each phase adding up new requirements and responsibilities:

  • Phase 1 – 22 September 2022: Designation of a person responsible for privacy protection, mandatory reporting of breaches, disclosure of biometric data.
  • Phase 2 – 22 September 2023: Privacy policy, mandatory privacy impact assessments (PIAs), transparency and consent systems, anonymisation, right to erasure.
  • Phase 3 – 22 September 2024: Right to portability.

In launching these regulations, Quebec brings into force robust regulations that share the stringency of the EU’s GDPR, whilst offering some new and unique elements.

The Canadian authorities have clearly reviewed existing privacy legislation in place, for example the GDPR, and have taken many of its features into consideration when developing Law 25. In addition, they have gone further, and incorporated other elements to make the rules even more enforceable.

Here are ten of Law 25’s key features:

  • Phased roll out. Law 25 is being rolled out in three phases over three years. Having observed the impact of GDPR in Europe, the aim is to allow businesses the time to adapt to the new requirements. Rather than introduce a blanket change, the Quebec authorities are seeking to enable organisations to prioritise and implement the required changes more systematically.
  • Breadth of scope. Law 25 is wide-reaching and its impact extends beyond the Quebec region, to affect any entity or individual that conducts business with Quebec based residents.
  • Top-down accountability. Whereas GDPR places ultimate responsibility for compliance with the data processor, Law 25 reverses this emphasis. Once fully implemented it will be the CEO or person with the highest authority in an organisation that is ultimately responsible for compliance. This makes it a much fairer regulation and it emphasises how important data privacy is in the eyes of Quebec’s policy makers.  In addition, all organisations are required to have appointed a person responsible for privacy protection. This role includes ensuring compliance with the new law and managing privacy-related matters.
  • Stringent consent requirements. Law 25 brings into effect very strict rules for consent. This law includes a requirement for separate requests for consent to be made by companies, using clear language and with special provisions in place for sensitive information, minors and people with additional needs.
  • High penalty fines. In keeping with the penalty fines being levied for GDPR non-compliance, Law 25 is equally punitive. High fines will be imposed on violators, with the scale of penalties set to reach up to C$25 million or 4% of worldwide turnover for the preceding fiscal year, whichever is the greater figure. In spite of this limit, it may be possible for even greater fines to be imposed depending on the extent of violation committed.The stringent enforcement by the Commission d’accès à l’information highlights the seriousness of adhering to these regulations.
  • Enhanced privacy rights for individuals. Recognising the rights of private individuals to privacy on their own terns, Law 25 allows Quebec residents the right to ‘data portability’ and the right to be informed about the automated processing of their personal information. Individuals are granted the right to request the deletion of their data, and businesses must anonymise personal data once its intended purpose is fulfilled. Effective September 22, 2024, individuals will have the right to obtain and reuse their personal data across different services, promoting greater control over personal information.
  • Mandatory breach reporting. Law 25 ensures that data breaches cannot be concealed and organisations operating in Quebec will be required to report any data breaches that present a “risk of serious injury” to both the authorities and affected individuals.
  • Privacy Impact Assessment (PIA) requirement. Law 25 goes beyond GDPR to require organisations affected to conduct a PIA before they can implement new technologies or transfer any personal data outside Quebec. This ensures proactive identification and mitigation of privacy risks.
  • Biometric data protection. Biometric data is especially sensitive to data breaches and Law 25 acknowledges this with a specific requirement for organisations to pre-notify authorities whenever they are handling biometric information, including the creation of new biometric information databases.
  • Emphasis on transparency. Law 25 requires that every affected organisation in Quebec publishes clear privacy policies and should provide regulators with detailed information about all its data collection and data usage practices.

Law 25 requires that once the primary data function has been fulfilled and the objective for collecting the data achieved, the data must be destroyed or anonymised. Herein lies the compliance challenge, because many organisations using SAP have no internal mechanism for cleansing their data in this way, allowing it to persist indefinitely. This practice must now be corrected.

The enforcement of Law 25 lies with the Commission d’accès à l’information du Québec (CAI), which demonstrates how seriously the Canadian government is taking compliance with Law 25 and highlights the urgency of developing an automated and continuously evolving framework for data lifecycle management.

You might also be interested in this article about how to minimise non-compliance risks in SAP systems

As already mentioned, Law 25 introduces new financial penalties for non-compliance with privacy protection regulations. Private companies that fail to comply with this law face fines ranging from C$15,000 to C$25,000,000, or 4% of their total turnover for the previous fiscal year, whichever is greater.

Although the speed with which these penalties will be applied remains uncertain, if we draw a parallel with other Canadian laws such as the Canada Anti-Spam Act (CASL), it is clear that offenders will indeed be punished.

One way to ensure compliance with Law 25 is implement a data anonymisation and data deletion project. Since September 2023, The anonymisation of personal information has been accepted as a way to comply with Law 25, offering an alternative to data destruction. However, certain rules and procedures must be followed in accordance with recognised best practices determined by Quebec’ government. Read the guidelines to keep or destruct personal information carefully or get in touch with us if you need help decrypting them.

Image: Rules for anonymisation. Commission d’accès à l’information du Québec.

Whereas data deletion is as described and involves the permanent destruction of data, data anonymisation involves using a set of irreversible techniques to make it impossible to identify person or data record by any means. Once data has been anonymised, it can be kept for an unlimited period of time.

What data is really needed? For instance, a record could be anonymised for Date of Birth and Name, but transactional behaviour useful for commercial planning could be retained. This is because anonymous information is not regarded as personal data and data protection laws like Law 25 does not apply.

Quebec’s Law 25 marks a pivotal advancement in data privacy, reflecting the growing emphasis on protecting personal information in today’s digital age. For businesses using SAP, it underscores the necessity of rigorous data management practices and compliance with enhanced privacy standards. As the law continues to unfold, its impact on privacy protection will be profound, fostering greater trust and security in the digital landscape.

Compliance with Law 25 can be complex; consequently, companies also have to implement an ongoing information lifecycle management programme. If you would like advice on how to proceed, speak to TJC Group we are experts in SAP data management for privacy compliance.

As mentioned previously, PIPEDA is Canada’s main law to protect individuals’ personal information in the private sector and establishes the rules to collect, use and disclose such information. Its application encompasses federal organisations and private sector companies in their interprovincial international activities.

As mentioned previously, PIPEDA is Canada’s main law to protect individuals’ personal information in the private sector and establishes the rules to collect, use and disclose such information. Its application encompasses federal organisations and private sector companies in their interprovincial international activities.

The law is based on 10 fair principles that businesses must follow to guarantee personal information is duly protected. The Office of the Privacy Commissioner in Canada offers a useful overview of these 10 principles. Check this article: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/

PIPEDA sets the national standards for privacy practices in the private sector in Canada. Beyond that, a few provinces have passed their own provincial privacy, which are similar to PIPEDA but introduce some nuances and changes in several directions. In many circumstances, the provincial law applies instead of the federal law. Determining which law applies must be done on a case-by-case basis.

These are the provincial data privacy laws in Canada, which are considered equivalent to PIPEDA in terms of protecting personal data.

Across all aspects of life, data privacy compliance is a critical issue for businesses to navigate. Its rise to political and social prominence is due to numerous factors. Data is incredibly valuable and is being collected continuously on an unprecedented scale.

Law 25 modernises the rules protecting personal information in Quebec so that they are better adapted to the new challenges posed by today’s digital and technological environment. It has clearly set a turning point for data privacy laws and shows the strong commitment of Quebec’s government to better protect the use of individuals’ personal information.

If you would like to go deeper, the below resources offer further information on Canada’s data privacy laws, as well as data protection practices such as anonymisation and pseudonymisation:


Sources of information: [TJ1] 


Data privacy series

This article is part of the data privacy series. Check out other related articles that might be of your interest: