On September 21, 2021, the Act to modernize legislative provisions as regards the protection of personal information (The Privacy Legislation Modernization Act) – otherwise known as Law 25 was adopted by the National Assembly of Québec. This Act governs the protection of personal information and introduces significant updates to Québec’s privacy governance. It is a “law with teeth” (Canadian Press, 2021, para. 2), in line with European-style privacy requirements such as the General Data Protection Regulation (GDPR) in both private and public jurisdictions.

The application of the multiple new provisions of the new law is spread over three years, on September 22 of each year, until 2024. The Commission d’accès à l’information du Québec (CAI) is responsible for the enforcement of the law.

New provisions for 2022 

Here is an overview of the new provisions that came into effect in September: 

  • Assign a Privacy Officer: Designate a person in charge of the protection of personal information and publish the contact details of that person. 
  • Mandatory Breach reporting: Report confidentiality incidents involving personal information presenting a risk of serious injury to the CAI, and keep a register of confidentiality incidents which must be communicated to the CAI upon request.
  • Biometrics: Notify the CAI before using any biometric technique to verify or confirm the identity of a person. Disclose the verification or confirmation of identity made by means of biometric techniques. 

By 22 September 2023 

  • Privacy Policy: Have a comprehensive privacy policy published on your website. This must set out your data protection policies and practices in clear and simple language, and provide sufficient information for consumers (for example, on personal data management, breach reporting, consent, access requests, and automatic decision-making) to meet transparency obligations.  
  • Privacy Impact Assessments: It is now mandatory to carry out a Privacy Impact Assessment when communicating any personal information outside of Quebec when creating or acquiring any digital systems involving private data, or before disclosing any personal information without consent for research purposes. You will need to have guidance in place governing how this requirement is triggered, as well as clear communication procedures for staff.
  • Purpose, Collection, and Consent: Your organization should have conducted a comprehensive review into its existing mechanisms for gathering, storing, and disseminating consumer information. These should now be updated to meet the new consumer rights framework, paying particular attention to the following points: 
    • Deactivate any data collection technology on your website by default, without requiring any confirmatory action by users. You can provide an explicit “opt-in” mechanism instead. This excludes the use of cookies.
    • Update your consent forms and access to information systems. Ensure that, when requested, you are able to provide details of the categories of individuals within your company who have access to any given customer’s personal information, as well as the contact information of your privacy officer.
    • Identify any cross-border jurisdictions to which your organization may transfer personal information and conduct a PIA(s) in respect to those locations.
    • Ensure that you have procedures in place to manage the confidentiality exception for bereavement. You may pass on personal information relating to somebody who has passed away to their spouse or close relatives – but only if this is likely to help them in the mourning process, and if the deceased did not withdraw consent within their lifetime.
    • Ensure that your organization is no longer collecting any personal information concerning a child under the age of 14 without parental consent.
    • Ensure that your privacy policy provides details of your organization’s automated decision-making processes, including access to information and appeals.
  • Destruction of Personal Information: A system must be in place to either destroy personal data once the purposes for which it was collected have been achieved, or to anonymize it where applicable. If you are implementing or updating an anonymization system, this must meet the high bar of ensuring that the person concerned can no longer be directly or indirectly identified.  
  • Right to be Forgotten: Organizations must make accommodations to fulfill requests from individuals who wish to stop their personal information from being disseminated.

By 22 September 2024 

  • Data Portability: Organizations will be required to have the technology and training in place to be able to produce a digital copy of all personal information that you hold in respect to any individual if it is requested.  


Organizations that fail to comply with Law 25 and its related regulations will face more severe penalties than under the current regime. These will vary based on the size of the business, but generally include: 

  • $20 million, or two percent of the organization’s worldwide turnover for the preceding fiscal year, for private organizations that fail to administer regulations.
  • Four percent of the organization’s sales – or between $15,000 and $25,000,000 – for private organizations facing criminal penalties.
  • Two tiers for public institutions for failure to meet regulations:
    • $3,000 and $30,000
    • $15,000 and $150,000
  • Between $5,000 and $50,000 for violations made by a natural person.

How Safetica Helps Comply with Quebec’s Law 25 

Safetica gives you an overview of both your sensitive data and information flow, and monitors user operations across the entire organization, so you know how personal information is being processed. With this solution, you can classify your data and set specific security policies to comply with Quebec’s Law 25. Safetica notifies your employees about risky operations and mitigates risks of misuse or accidental policy violation.

Safetica's cloud-based solution includes a built-in template for data classification and protection, specifically designed to comply with Quebec Law 25. It simplifies and expedites your organization's compliance to the law when managing and safeguarding personal information.

Privacy and personal data protection should be an absolute right of everyone in the modern world. That's why we at Safetica place these protections at the heart of each of our products and help every company protect their reputation, resources, and employees,”

Radim Trávníček, CISO.

Why Safetica 

Data Leakage Prevention has been at the heart of our business for more than a decade, and thanks to our customers we know what the biggest challenges in data protection are. Safetica is among the best DLP solution providers, and customers especially appreciate how easy it is to use and how well we support them. 

Next articles

SAMA’s Cyber Security Framework: The Scope, Purpose, and How to Comply

The Saudi Arabian Monetary Authority (SAMA) has introduced a Cyber Security Framework designed to fortify the nation's financial systems and critical industries against cyber threats. Throughout this guide, we'll explore the key components, while also providing tips and insights on how to achieve compliance with its requirements.

HITRUST framework: The Scope, Purpose, and How to Comply

This article will guide you through HITRUST's evolution, its current scope, and how it can be a game-changer for your organization's data protection strategy.

Understanding SOC 2: The Scope, Purpose, and How to Comply

Get started with your SOC 2 compliance efforts: what SOC 2 is, why it matters, and, most importantly, what steps you need to take if you want to get a SOC 2 report for your organization.