14 January 2025

Quebec's Privacy Law 25: What You Need To Know

Outside GC

Contributor

OGC is a unique law firm that offers the relationship and experience of a traditional law firm with the cost savings and speed of an ALSP. By combining top-notch legal talent and significant business acumen, we deliver the value and efficiency of an in-house lawyer, without adding to our client’s headcount or sacrificing quality.

The Canadian market is ripe with opportunities for U.S. companies seeking to expand beyond domestic borders. Before diving in, however, it can be helpful to have a basic understanding of Canada's legal system, as well as the compliance obligations that may apply to your business, including potential data privacy requirements arising at both the federal and provincial/territorial levels.

Similar to the U.S., Canada is a federal state with multiple levels of government. In terms of privacy legislation, there are two federal privacy laws[1] along with privacy legislation in each of the 10 provinces and 3 territories. Under this system, federal law takes precedence, except when provincial laws are deemed substantially equivalent. Currently, only 3 provincial privacy laws meet this standard – those in the Provinces of Alberta, British Columbia and Quebec.

Of the three, Quebec's privacy legislation – Law 25[2] – stands alone. Not only is it the most stringent and comprehensive privacy legislation ever passed in Canada, it is also groundbreaking amongst all privacy laws in North America. Given Quebec's significance as one of Canada's largest commercial markets, particularly in the information technology, aerospace, software, and multimedia sectors, U.S. companies doing business in Canada are likely to find themselves involved within the province, and potentially, within the grasp of Law 25.

Background

Law 25 is the only Canadian provincial privacy law to go through significant reform in recent years.[3] Enacted in September 2021, it is intended to strengthen the data protection rights of individuals by aligning with the standards set by the EU's General Data Protection Regulation (GDPR). In this way, Law 25 diverges notably from the typical framework of North American data privacy laws. Law 25 went into effect over a three-year period, concluding last year with the implementation of the right to data portability on September 22, 2024.

Scope

Law 25 applies to a wide range of organizations, including for-profit, non-profit and government entities, as well as individuals acting in a professional capacity, regardless of their location. In other words, mimicking the extraterritorial scope of GDPR, Law 25 applies to Quebec-based businesses, as well as any company outside the province that handles the personal data of individuals who reside there.

Key Provisions of Law 25

For compliance purposes, the key provisions of Law 25 include the following:

  • Sensitive Personal Information: Law 25 adds a "sensitive personal information" category, by which Personal Information is deemed sensitive either due to (i) its nature, including information that is medical, biometric, or otherwise intimate; or (ii) the context of its use or communication.
  • Employment Information: Law 25 covers the Personal Information of employees, and requires notice and consent before any such information can be collected and processed by an employer.
  • Accountability: Law 25 introduces governance-related obligations, such as requiring the creation and implementation of policies and practices for (i) data retention and destruction, (ii) personnel roles and responsibilities, and (iii) complaint processing and publication to data subjects. Likewise, Law 25 mandates that such policies and practices be approved by the person within the organization who is responsible for personal information protection.
  • Child Consent: Law 25 requires parental or tutor consent for children under 14 years old.
  • Explicit Opt-In Consent: Law 25 is the only North American privacy legislation requiring explicit opt-in consent for tracking technologies like cookies. Similar to the GDPR, Law 25 mandates that businesses (i) obtain explicit and informed consent before deploying any technology that tracks personal information, including cookies; and (ii) provide clear and transparent information to users about the purpose of data collection, the methods employed for collection, and individual rights regarding their data.
  • Data Privacy Officer: Law 25 also mandates the appointment of a privacy officer, which by default is the CEO of the organization unless he or she delegates this task in writing to someone inside or outside the organization. The responsibilities of the privacy officer include overseeing compliance activities such as fulfilling data subject access requests (DSARs), reporting data breaches, and conducting privacy impact assessments (PIAs).
  • Private Right of Action: Unlike many global data privacy laws, including PIPEDA and GDPR, Law 25 empowers individuals with a private right of action, which allows citizens to take legal action, including collective action, against businesses that violate their privacy rights under the law, whether through intentional misconduct or gross negligence.
  • Data Privacy Impact Assessments: Like many privacy laws, Law 25 mandates the conduct of a Privacy Impact Assessment (PIA) in specific situations, including where personal information of Quebec residents is transferred outside of Quebec.
  • Data Subject Rights: Similar to the GDPR, Law 25 empowers individuals with various data subject rights, granting them control over their personal information. These rights include (i) right to access; (ii) right to rectification; (iii) right to portability; (iv) de-indexation right (right to be forgotten); (v) right to information; and (vi) right to object to automated decision-making.
  • Data Breach Notification: Law 25 introduces a breach notification requirement, whereby organizations that experience a confidentiality incident involving a risk of serious injury must promptly notify the Commission d'accès à l'information du Québec (CAI), as well as affected individuals.
  • International Data Transfer Requirements: Law 25 mandates that organizations transmitting personal data outside the province – including to the U.S. – must (i) assess the level of protection the data will receive in the destination jurisdiction, ensuring it is at least equivalent to the protection provided within Quebec; (ii) conduct a PIA to analyze the potential risks associated with the transfer; (iii) establish a formal contract with the receiving third party outlining the necessary safeguards to protect the personal information; and (iv) inform the individuals whose information is being transferred.
  • Enforcement and Penalties: Law 25 empowers various entities to enforce the law and hold violators accountable:
    • The CAI can issue administrative monetary penalties for minor to moderate offenses. These penalties may reach 2% of the organization's worldwide turnover or CAD10 million for (i) collecting, using, communicating, holding, or destroying personal information in breach of the law; (ii) failing to report a data breach; and (iii) failing to implement security measures required under the law.
    • The Court of Quebec can impose even higher fines for (i) any of the above offenses that cause significant harm to individuals, as well as for (ii) identifying or attempting to identify a person using de-identified information without the controller's permission or using anonymized information; and (iii) failing to comply with an order of the CAI. These fines can reach up to the greater of CAD25 million or 4% of the organization's worldwide revenue.
    • Individuals have the right to take legal action against violators of their privacy rights under Law 25. This allows individuals to claim punitive damages of at least CAD1,000 and potentially pursue collective action alongside other affected individuals.

If your Canadian business venture will include Quebec, understanding Law 25 will be vital to your compliance efforts. Additionally, as Canada's only French-speaking province, Quebec also imposes a number of legal requirements not found elsewhere in Canada, including a long-standing mandate to use the French language in all legal documents (e.g., terms of use, privacy policies, sales terms and conditions, etc.). Seeking assistance from legal counsel admitted to practice within Canada, as well as in the Province of Quebec, is recommended to help untangle the complexity of federal and provincial requirements.

Footnotes

1. The Privacy Act (for the public sector) and the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5, for the private sector).

2. Also known as the "Act to modernize legislative provisions as regards the protection of personal information."

3. Law 25 amends Quebec's previous privacy law, the 1993 "Act respecting personal information in the private sector" (CQLR, c. P-39.1).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
