Protection of Personal Information

Understanding and applying Law 25

Why is Law 25 essential?

Formerly known as Bill 64, Law 25 has become the cornerstone of personal information protection in Quebec. It aligns with international standards such as the GDPR (General Data Protection Regulation) and imposes new and enhanced responsibilities on private and public organizations.

  • By 2025, all provisions of Law 25 are fully in force. Violating this law exposes you to severe penalties, but above all, to a loss of customer confidence.

What Law 25 actually changes

- Entry into force in stages:

  • September 2022: the obligation to appoint a Personal Data Protection Officer (PDO) and incident reporting.
  • September 2023: new transparency obligations, data portability, data destruction, and clear policies.
  • September 2024: the right to use data for automated decisions, respect for the right to be forgotten, and explicit consent required.

- Organizations concerned:

  • Any company or public body operating in Quebec or processing the data of Quebec citizens

- In case of non-compliance:

  • Fines of up to $25 million or 4% of global turnover
  • Penalty for failure to report incidents within 72 hours
  • Civil proceedings facilitated by class action

- Customers or citizens demand:

  • More transparency
  • More control over their data
  • Guarantees on the use of AI and the algorithms used

Seven (07) Key Obligations of Law 25

  1. Appoint an official data protection officer
  2. Maintain a record of privacy incidents
  3. Inform the individuals concerned when their personal information is collected and of the purposes of that collection
  4. Obtain free, informed, and explicit consent
  5. Implement a clear, public, and accessible privacy policy
  6. Allow data portability upon request
  7. Implement a process for the right to be forgotten

Key recommendations

For SMEs:

  • Produce an inventory of personal data processed
  • Implement minimum security measures (encryption, restricted access, logging)
  • Use clear consent forms
  • Adopt a simple and up-to-date privacy policy

For large companies:

  • Integrate privacy by design
  • Conduct Personal Information Protection Impact Assessments (ATIP) before any new digital project
  • Monitor external data flows (vendors, cloud)
  • Develop an incident response procedure based on Law 25

Law 25 prompts organizations to examine their digital posture, with the goal of earning the trust of customers and citizens and restructuring the governance of personal data.
