Navigating Quebec’s Law 25 and Ensuring Privacy Compliance

Navigating Quebec’s Law 25 and Ensuring Privacy Compliance

In an era dominated by digital advancements, the paramount concerns of privacy and data protection have prompted governments to establish laws safeguarding personal information. Quebec’s proactive response to this imperative is Law 25. This legislation ushers in a new era of data protection and compliance.

This guide aims to provide businesses and stakeholders with a comprehensive understanding of the profound implications of Law 25, while also highlighting how Borealis Stakeholder Engagement Software can seamlessly facilitate compliance.

Understanding Quebec’s Law 25

On June 12, 2020, the legislative journey of Law 25, previously known as Bill 64, “An act respecting the protection of personal information in the private sector,” was initiated in Quebec. This transformative legal framework aimed to modernize the province’s private and public sector privacy laws; a groundbreaking legislative endeavor that reshaped data privacy norms. After gaining adoption by the National Assembly on September 21, 2021, Bill 64 was officially designated as Law 25.

Law 25 introduces stringent privacy requirements for businesses within Quebec, including enhanced transparency, robust data protection measures, and stringent consent mechanisms. Non-compliance carries the potential for significant fines, accompanied by increased regulatory authority for the Commission d’accès à l’information (CAI) du Québec (Quebec’s Commission for Access to Information). The immediate focal points of this law are as follows:

Disclosure of biometric data processing

Entities are required to notify the CAI of any biometric data processing activity at least 60 days before activating the system.

Designation of a Responsible Individual

Designation of a Responsible Individual: Organizations must appoint a responsible individual to oversee the safeguarding of personal information. Any person can be assigned the role of Privacy Officer, though in situations where no one has been formally assigned, this duty automatically falls to the most senior employee (i.e., the CEO). If a Privacy Officer other than the CEO is appointed, it is mandatory for companies to publish the person’s name, job title, and contact details on their website, ensuring their accessibility for communication.

Mandatory reporting of incidents

Should any confidentiality incidents occur, businesses are required to:
  • take appropriate steps to minimize potential harm to the individuals involved and to prevent the recurrence of similar incidents;
  • inform the CAI and the affected parties (using the form provided);
  • maintain a record of confidentiality breaches and security breaches, and furnish a copy to the CAI upon their request;
  • adhere to the updated regulations regarding the disclosure of personal data without explicit consent from the relevant individual, particularly in the context of research, analysis, statistics, or commercial transactions;
  • conduct a Privacy Impact Assessment (PIA) before disclosing personal information without the consent of the affected individual, specifically for research, analysis, and statistical purposes; and
  • prior to conducting any identity verification or confirmation using biometric characteristics or measurements, notify the CAI by completing the form provided.

Implementation phases and requirements

Law 25 extends its influence beyond provincial borders, impacting businesses within Quebec as well as businesses across Canada that interact with Quebec residents. Implemented in three phases, the core of this multi-phased rollout will occur on September 23, 2023. Each of these three phases introduces new requirements and responsibilities:

  • By September 22, 2022: Appoint a Privacy Officer, Mandatory Breach Reporting, Biometrics Disclosure.
  • By September 22, 2023: Privacy Policy, Mandatory Privacy Impact Assessments (PIA), Transparency and Consent Systems, Anonymization, Right to Erasure.
  • By September 22, 2024: Right to Portability.

The expansive impact of Law 25’s privacy changes

In an era defined by rapid technological progress, Law 25 does not merely accommodate emerging technologies; it embraces them. From artificial intelligence to the prevalence of the Internet of Things, the legislation adopts a forward-thinking stance, ensuring Quebec’s privacy framework remains adaptable and resilient within this dynamic digital landscape

Applicability of Law 25

Law 25 casts a wide net; it applies to enterprises of all sizes and locations engaged in collecting, holding, using, or communicating personal information. Additionally, businesses beyond Quebec’s borders are affected if they serve customers using their products or services within the province. This global reach emphasizes the law’s profound implications.

Defining “personal information” under Law 25

Law 25 defines “personal information” broadly, encompassing data linked to a natural person enabling identification. This definition extends beyond identifiers like names and addresses to encompass digital certificates and online identifiers. Crucially, data need not be identifiable on its own; its combination with other data for identification also falls under the law.

Addressing transborder data flows, data lifecycle, and enforcement

Within Law 25, transborder data flows take center stage, compelling businesses to ensure that data protection transcends provincial boundaries. It is imperative for individuals to be informed about the destination(s) of their data. Businesses that transfer personal information beyond Quebec’s borders must ensure that the standard level of security is maintained. Merely exporting personal data to a jurisdiction with less stringent privacy regulations is not an acceptable approach; it’s crucial to reveal how data will be utilized.

Furthermore, once its intended purpose is fulfilled and the intended objective accomplished, the law mandates destruction or anonymization of the data. Most organizations lack a mechanism to cleanse data in this way, which allows data to persist indefinitely. However, this practice must now be addressed. Enforcement of Law 25 rests with the CAI, underscoring the urgency of compliance and the evolving landscape of data lifecycle management.

Significance and implications

Law 25 reshapes power dynamics, empowering individuals with unparalleled control over their personal data. A range of rights, including access, correction, and the ability to revoke consent, are bestowed upon individuals. For businesses, this paradigm shift necessitates recalibrating data management practices to align with the law’s elevated standards. Law 25 highlights the value of transparent data collection and utilization as a foundation for building trust between businesses and stakeholders, rather than stifling data usage.

The significance of Law 25 goes beyond surface-level legislative changes; it necessitates a fundamental shift in how businesses manage and protect personal information. Key provisions within this legislation have far-reaching operational impacts:

Heightened privacy requirements

Law 25 encompasses mandatory impact assessments (PIA) to evaluate privacy-related factors, cross-border communication assessments to ensure sufficient protection, a requirement for specific and detailed consent, and the establishment of new individual rights, including data portability. The importance of obtaining informed consent has grown significantly.

Seeking permission is now the primary approach. Businesses are obligated to ensure that individuals have a comprehensive understanding of how their personal information will be used, collected, and disclosed. Express consent is required for certain uses or disclosures of sensitive personal information.

For consent to hold legal validity under Law 25, it must adhere to the following criteria:

  • it must be freely and adequately given;
  • it must be requested for each specific purpose;
  • it must be granted for distinct purposes; it must be presented in clear and easily comprehensible language;
  • it must be solicited separately from any other information; and
  • it must be expressly and proactively obtained for sensitive personal information, barring the use of pre-selected checkboxes that automatically share the information.

Additionally, individuals must be informed about: their right to withdraw and revoke consent (applies to private organizations), also known as “de-indexation”; the identities of third parties within and outside Quebec with whom their personal information may be shared; categories of individuals within the business who can access their personal information; the duration for which their data will be retained; contact details of the responsible individual, such as the Privacy Officer; whether the consent request is obligatory or voluntary (exclusive to the public sector); ramifications of declining to respond or retracting consent (exclusive to the public sector).

The legislation provides individuals with expanded rights concerning their personal information. Individuals have more authority over their personally identifiable information (“PII”). They will possess the rights to deletion, data portability, and limitations on automated decision-making.

Businesses utilizing algorithms and technology to identify or profile individuals will be mandated to disclose their engagement in such activities, along with instructions on activating or deactivating their profiling technology. This empowers individuals who wish to avoid profiling to opt out of personalized experiences. Notably, this includes monitoring within workplaces, necessitating clear communication to employees about monitoring practices.

Notification of data breaches

Under Law 25, there are now obligatory protocols for reporting data breaches. If a data breach occurs that could potentially cause significant harm, companies are required to promptly inform the affected individuals and the appropriate governing bodies. While major data breaches have historically received media coverage, smaller breaches occur frequently and often go unnoticed. The responsibility of disclosing such breaches now extends to individuals themselves.

Financial penalties

Law 25 introduces new financial penalties for failing to adhere to privacy regulations. Private companies that do not comply could face fines ranging from $15,000 CAD to $25,000,000 CAD, or an equivalent of 4% of their global revenue from the previous fiscal year, whichever amount is higher. Individual business owners are also subject to penalties of up to $100,000 CAD. Additionally, consumers gain a private right of action to bring claims for statutory damages relating to specific privacy breaches. The speed at which these penalties will be enforced remains uncertain. However, drawing parallels from other Canadian laws like Canada’s Anti-Spam Legislation (CASL), it’s evident that violators will indeed be penalized, especially in cases involving sending messages.

Readiness of Quebec businesses for law 25 compliance

To assess the readiness and awareness of businesses regarding Law 25’s changes, PwC Canada, in collaboration with the Canadian Life and Health Insurance Association and the Fédération des chambres de commerce du Québec, conducted a comprehensive survey in May 2021. This survey targeted around 75 senior decision-makers responsible for privacy and data concerns across various sectors and businesses of varying sizes in Quebec.

Survey results and key insights

  • Limited Full Compliance Anticipation: Only 35% of businesses anticipate being fully compliant.
  • Challenges for SMEs: Many companies, especially small to medium-sized enterprises, lack robust privacy programs and struggle to grasp the full extent of Law 25’s impact.
  • Resource Reallocation: Businesses anticipate needing to double the size of their privacy teams to accommodate the evolving demands.
  • Impact of Data Transfers: Data transfer obligations across Quebec’s borders are expected to have the most significant impact.

The survey conducted by PwC Canada underscores the readiness gap among businesses regarding Law 25. Despite the willingness to comply, only 35% of businesses are fully prepared. This statistic highlights the urgency for comprehensive knowledge and strategic adaptation.

Preparation strategies

While larger businesses are proactively setting up preparatory programs, numerous small to medium-sized enterprises are grappling with the financial implications of compliance in an already challenging economic landscape. Drawing from lessons learned from the General Data Protection Regulation (GDPR), prioritizing customers over mere compliance through data discovery, governance, protection, and minimization can enhance the customer experience, foster trust, and unlock data’s potential for innovation and growth. However, this approach requires a strategic mindset, executive support, and dedicated resources.

Compliance facilitated: leveraging Borealis stakeholder engagement software

Law 25 compliance mandates that businesses review and update their privacy policies, conduct PIAs, assess all personal data intake flows, and institute suitable security procedures.

As organizations navigate the intricate landscape of privacy compliance, Borealis Software emerges as an indispensable solution. The platform aligns seamlessly with Law 25’s requirements, helping organizations streamline data protection practices while improving stakeholder engagement with data-driven insights. Borealis helps organizations efficiently manage:

  • Stakeholder Data: Borealis acts as a secure, centralized repository for stakeholder data, even allowing organizations to restrict access to information on a need-to-know basis through the Team Data Segregation add-on. Information can also be submitted anonymously through the online feedback portal. This aligns seamlessly with Law 25’s amplified data protection mandates.
  • Consent Tracking: The software streamlines consent documentation, ensuring meticulous adherence to Law 25’s stringent consent criteria.
  • Incident Reporting: Borealis simplifies the process of prompt data breach reporting, a cornerstone of Law 25’s robust mandatory disclosure framework.
  • Custom Workflows: Borealis facilitates privacy impact assessments through tailored workflows, fostering accountability across organizational levels.
  • Auditing and Reporting: Borealis’ advanced auditing features empower organizations to provide a comprehensive view of their commitment during regulatory audits.

Insights from Law 25

Law 25 reflects the evolving nature of privacy and data security. The government’s commitment to refining the law over time underscores its intention to remain relevant amid technological advancements. This adaptability has the potential to inspire other provinces and nations to follow suit.


Law 25 represents more than a mere legal framework; it serves as a dynamic catalyst propelling transformation within privacy regulations. As businesses adapt to meet these new responsibilities, Borealis Stakeholder Engagement Software emerges as an indispensable cornerstone for compliance, illuminating the path toward seamless adherence to this revolutionary legislation.

Businesses stand at a crossroads, compelled not only to embrace these changes but to fortify data protection, foster trust, and flourish within an era where privacy takes center stage. The dynamic capabilities of Borealis Stakeholder Engagement Software empower organizations on their compliance journey, offering a robust tool to navigate the intricate labyrinth of Law 25.

In the tapestry of Law 25, it becomes evident that knowledge and collaboration are the keys to empowerment. This legislation symbolizes a seismic shift in how personal data is handled, underscoring the paramount significance of preserving privacy rights for both individuals and businesses. With the evolving landscape of privacy regulations, Law 25 marks a transformative juncture, propelling Quebec’s businesses into an era where data protection and compliance pave the way forward.

DISCLAIMER: The information provided in this article is for general informational purposes only and does not constitute legal advice. Organizations should consult with qualified legal professionals to ensure compliance with specific laws and regulations.

Get started with
Borealis stakeholder engagement software today!