Law 25: Personal Data Protection in Quebec

Law 25 Personal Data Protection represented by a digital scale.

Organizations face a multitude of legal requirements and obligations, including the notorious Law 25 Personal Data Protection Act. Knowing all the intricacies of this new legislation is essential to ensuring your compliance.

Browse through our guide to Law 25 and personal data protection to understand the impact on your organization, your risks and how to comply.

Law 25 Overview: A Quick Guide from our Cybersecurity Experts

What is Law 25 in Quebec?

Law 25 is the final name given to Law 64, the « Act to modernize legislative provisions respecting the protection of personal information». This law is inspired by the General Data Protection Regulation (GDPR) in Europe.

To Which Organizations Does Law 25 Apply?

If you’re wondering whether you’re concerned by the law on the protection of personal information, the answer is most likely yes. After all, any individual or organization that collects data from Quebecers must comply. This includes both private and public sector organizations, and even NPOs and self-employed workers.

Does Law 25 Extend to Your Organization's Employees?

Law 25 imposes obligations on both employers and employees to ensure sound data security management. Employers must respect employee rights, such as the right to protection of personal information, to information, to access and rectification, and to erasure. As for employees, they are required to comply with the privacy policy, use of personal information, participate in training and report violations.

Law 25 Personal Data: Effective Since When?

The first requirements of Law 25 came into force in September 2022, then in September 2023. The final phase is in September 2024.

However, Law 25, with its original title Law 64, was assented to on September 22, 2021, and substantially amended the Act respecting the protection of personal information in the private sector (LPRPSP). This legislation was passed on June 12, 2020 and became effective on January 1, 2021. This means that all organizations operating in Quebec must comply with the provisions of the law as of this date.

4 Requirements Under Law 25

  • Appointment of a Chief Privacy Officer (CPO)
  • Privacy Impact Assessment (PIA)
  • Obligation to notify in the event of a data breach
  • Transparency and consent

How to Comply with Law 25 on the Protection of Personal Data?

  • Your CPO's name and contact details are easy to find on your website
  • Implement measures to reduce your vulnerability to cyber threats
  • Maintain a log of all violations for tracking purposes
  • Ask for clear and informed consent prior to collecting or using sensitive data

 

Examples of Confidentiality Incidents

The Commission d’Accès à l’Information defines privacy incidents as:

  • Unauthorized access to sensitive personal information
  • Fraudulent use or unauthorized disclosure of personal data
  • Loss or impairment of information protection

These incidents occur when an organization is the victim of a cyber attack (phishing, ransomware, etc.), or when a member of staff fails to comply with the security policy in place. For example, by consulting or communicating personal information without authorization or to the wrong person.

What Are the Risks for Your Private or Public Organization?

Financial Sanctions

he law provides for fines of up to $10 million for organizations that fail to comply.

Financial losses

Privacy violations can also entail significant financial costs, such as:
• Legal fees
• Notification costs
• Data recovery
• Compensation to victims

 

Reputational Damage

Privacy breaches can lead to a loss of trust from customers and business partners, with potentially damaging consequences for your organization's reputation.

 

Legal Proceedings

Individuals whose personal information has been disclosed are entitled to sue you for damages, which entails additional costs.

 

Ensure Law 25 Compliance with Victrix, Your Cybersecurity Expert

Victrix offers a personalized compliance service to help your organization meet the requirements of Law 25 and avoid financial penalties. Our public and private sector cybersecurity experts are with you every step of the way, from identifying compliance risks to implementing corrective measures.

Tailored law 25 Support from Victrix

Need professional support to comply with Law 25?

Get started with Victrix