Last reviewed: 2026-05-04 · Reviewer: M.K., CIPP/E
Quebec Law 25
Regulator: Commission d'accès à l'information du Québec (CAI)

STATUTE · PROVINCIAL (QUEBEC, CANADA) · IN FORCE SINCE 2022

Act to modernize legislative provisions as regards the protection of personal information

Quebec's private-sector privacy statute, modernized by Law 25 and phased in between September 2022 and September 2024. It mandates a designated Privacy Officer, privacy impact assessments and cross-border transfer assessments, and carries penal fines up to the higher of CAD $25M or 4% of worldwide turnover.


Scope and territorial reach

Where it applies: 1 jurisdiction (Quebec, Canada)

Eight principles

The constitutional backbone: every processing activity must satisfy all eight simultaneously.

  1. Privacy by default (Sec 9.1)

     Highest privacy settings must apply by default for any technological product or service offered to the public — the most demanding default-deny rule globally. The user must take action to lower the bar, not raise it.

  2. Privacy by design (Sec 3.2)

     Privacy obligations must be considered before any new project, system, or technology that handles personal information is built or deployed.

  3. Purpose limitation (Sec 12)

     Personal information may be used only for the purposes for which it was collected. Any secondary use requires fresh consent or a specific statutory ground.

  4. Express consent for sensitive data (Sec 14)

     Consent must be clear, free, informed, given for specific purposes, and granular. For sensitive personal information (health, biometric, financial detail) consent must be express and separate from any other request.

  5. Privacy Officer mandatory (Sec 8.1)

     Every enterprise carrying on activities in Quebec must designate a Person in Charge of the Protection of Personal Information. By default this is the most senior person; the role and contact details must be published on the website.

  6. Privacy Impact Assessment (PIA) (Sec 3.3)

     A PIA is required for any project to acquire, develop, or overhaul an information system that involves personal information, and for any release or sharing outside Quebec.

  7. Cross-border transfer impact assessment (Sec 17)

     Before communicating personal information outside Quebec — even to another Canadian province or to a federally-regulated entity — the enterprise must assess whether the destination jurisdiction provides equivalent protection. Unique to Quebec; stricter than PIPEDA.

  8. Breach notification and incident register (Sec 3.5–3.8)

     Confidentiality incidents posing a risk of serious injury must be reported to the CAI and to affected individuals promptly. A register of all incidents (regardless of severity) must be maintained for 5 years and made available on request.

Six lawful bases

You must identify and document one before processing — and consent isn't always the right one.

Express consent (Sec 12, 14)

  Required as the default for collection, use, or disclosure outside the original purpose; mandatory and granular for sensitive data.

  Common for: marketing, analytics cookies, profiling, biometric or health data

Contract performance (Sec 12 ¶1(1))

  Use is necessary to perform a contract with the individual or to take pre-contractual steps at their request.

  Common for: account creation, order fulfilment, billing

Public interest / authorized by law (Sec 18, 67)

  Disclosure is expressly authorized or required by another Quebec or federal statute, or by court order.

  Common for: tax records, regulatory reporting, public-health authorities

Legal obligation (Sec 12 ¶1(2))

  Processing is required to comply with a specific legal obligation imposed on the enterprise.

  Common for: anti-money-laundering checks, employment records, mandatory retention

Legitimate interest / proportionality (Sec 12 ¶3)

  Use for a secondary purpose is permitted only when the purpose is consistent with the original, serves a serious and legitimate interest, and the individual could reasonably expect it. Narrower than GDPR Art 6(1)(f).

  Common for: internal fraud prevention, security logging, analytics necessary to deliver the service

Vital interests (Sec 18 ¶7)

  Processing is necessary to prevent or lessen a serious and imminent threat to a person's life or health.

  Common for: medical emergencies (rare for web)

Data-subject rights

What individuals can demand from you, with the response window and scope.

| Right | Section | Response | Scope |
|---|---|---|---|
| Right of access | Sec 27 | 30 days | Receive confirmation of processing and a copy of the personal information held, in a structured form. Default response within 30 days; refusals must be reasoned and reference appeal rights. |
| Right to correct or delete | Sec 28 | 30 days | Have inaccurate, incomplete, or equivocal information corrected. De-indexing/de-listing of online content is available where dissemination causes serious injury and is disproportionate to the public interest. |
| Right to data portability | Sec 27 ¶3 | 30 days | Effective 22 September 2024 (Phase 3). Receive computerized personal information in a structured, commonly used technological format and have it transmitted to another person or body. |
| Right to be informed of automated decision-making | Sec 12.1 | 30 days | When a decision is made exclusively by automated processing, the enterprise must inform the individual at or before the decision and, on request, disclose the personal information used, the principal factors, and the right to have the decision reviewed by a human. |
| Right to file a complaint with the CAI | Sec 42, 81 et seq. | n/a | Any individual may lodge a complaint with the Commission d'accès à l'information for review of a decision or breach of obligations. Free of charge. |
| Right to seek civil remedy | Sec 93.1 | n/a | Private right of action: minimum statutory damages of CAD $1,000 for unlawful infringement, with punitive damages where the breach is intentional or grossly negligent. |

Related Canadian laws

Law 25 is provincial legislation. Federal PIPEDA and the substantially-similar provincial acts of Alberta and British Columbia operate alongside it, depending on the industry and on whether personal information crosses provincial or national borders.

| Jurisdiction | Code | Act | Relative to PIPEDA baseline | Note |
|---|---|---|---|---|
| ⚜️ Quebec (Canada) | QC | Act respecting the protection of personal information in the private sector (CQLR c. P-39.1), modernized by Law 25 | Stricter | Primary jurisdiction. Strictest privacy regime in North America. Phased in 2022/2023/2024. Enforced by the CAI; private right of action with minimum CAD $1,000 statutory damages. |
| 🇨🇦 Canada (federal) | CA | PIPEDA, the Personal Information Protection and Electronic Documents Act | Aligned | PIPEDA continues to apply to federally-regulated industries (banking, telecom, transport) and to inter-provincial/international flows. For most Quebec-based businesses Law 25 displaces PIPEDA in private-sector activities. |
| 🍁 Alberta (Canada) | AB | Personal Information Protection Act (PIPA) | Aligned | Substantially similar to PIPEDA. Less prescriptive than Law 25: no mandatory PIA, no privacy-by-default rule. |
| 🍁 British Columbia (Canada) | BC | Personal Information Protection Act (PIPA) | Aligned | Substantially similar to PIPEDA. Enforced by OIPC BC. Less prescriptive than Law 25. |


Common questions

Does Quebec Law 25 apply to non-Quebec businesses?
Yes, by extraterritorial reach. Law 25 applies to any enterprise that collects, holds, uses, or communicates personal information of individuals in Quebec, regardless of where the enterprise is established. A US or Ontario business with a Quebec-facing website, Quebec customers, or Quebec employees falls in scope. The CAI has confirmed this position in published guidance.
What's the maximum fine under Law 25?
Two regimes run in parallel. Administrative monetary penalties (Sec 90.1 et seq.) reach the higher of CAD $10M or 2% of worldwide turnover for the preceding fiscal year. Penal/criminal proceedings (Sec 91) reach the higher of CAD $25M or 4% of worldwide turnover. On top, Sec 93.1 creates a private right of action with minimum statutory damages of CAD $1,000 per individual plus punitive damages for intentional or grossly-negligent breaches.
How does Law 25 interact with the French-language requirements (Charter of the French Language / Bill 96)?
Bill 96 (Act respecting French, the official and common language of Québec, 2022) requires that contracts of adhesion, consumer-facing notices, and most online communications be available in French at least as prominently as any other language. In practice, your privacy policy, consent banners, cookie banners, and data-subject-request forms must be available in French and the French version must be at least as prominent. Operating only in English on a Quebec-facing site is a Charter violation independent of, but parallel to, Law 25.
When does each phase of Law 25 take effect?
Phase 1 (22 September 2022): Privacy Officer designation; breach notification and incident register; biometric-database declaration; consent for commercial transactions.
Phase 2 (22 September 2023): PIAs; cross-border transfer assessments (Sec 17); express consent rules; automated-decision disclosure; expanded individual rights; administrative monetary penalty regime.
Phase 3 (22 September 2024): right to data portability fully effective.
Who must appoint a Privacy Officer?
Every enterprise carrying on activities in Quebec — there is no employee-count or revenue threshold. By default the role falls to the most senior person in the organisation, who may delegate it in writing. The name, title, and contact information must be published on the enterprise's website.
What are the cross-border transfer rules under Law 25?
Section 17 requires a written assessment before any communication of personal information outside Quebec — including to other Canadian provinces, federally-regulated entities, and foreign vendors. The assessment must consider the sensitivity of the data, the purposes of use, the protection measures in place, and the legal regime of the destination jurisdiction. The transfer is permitted only if the assessment concludes that adequate protection is provided. The agreement with the recipient must be in writing and include specified safeguards. This obligation is unique to Quebec — PIPEDA has no direct equivalent.
Quebec Law 25 vs PIPEDA — which one applies to my business?
If you carry on activities in Quebec and process the personal information of Quebec residents in the private sector, Law 25 generally applies. PIPEDA continues to govern federally-regulated industries (banking, telecommunications, inter-provincial transport, broadcasting) regardless of province, and applies to inter-provincial and international flows of personal information. Many businesses are dual-regulated; in case of overlap, the stricter requirement prevails.
When is a Privacy Impact Assessment required?
Section 3.3 requires a PIA for any project to acquire, develop, or overhaul an information system or service that involves personal information. Section 17 requires a transfer-impact PIA before any cross-border release. CAI guidance also expects a PIA for high-risk processing such as biometrics, profiling, or large-scale monitoring. The PIA must be documented, proportionate to the sensitivity of the data, and updated when the project changes.
How does Bill 96 interact with Law 25 in practice?
Bill 96 (in force since June 2022) strengthened the Charter of the French Language. For privacy compliance this means: privacy notices, consent forms, cookie banners, automated-decision disclosures, and breach notifications must be available in French; the French text must be at least as prominent; standardized forms imposed by the enterprise on consumers must be drawn up in French. Failure to provide French versions can lead to Charter complaints and to consent being held invalid under Law 25 for lack of clarity.
What is covered by the right to data portability under Sec 27?
Effective 22 September 2024 (Phase 3). Individuals can request that the personal information they provided be communicated to them, or transmitted to another person or body, in a structured, commonly-used technological format. Scope is limited to computerized personal information actively provided by the individual — it does not extend to derived or inferred data, nor to information held only on paper. The enterprise must respond within 30 days; refusals must be reasoned and reference appeal rights to the CAI.