Blogpost

Quebec Privacy Law 25

Not every business organization needs to achieve every bullet point mentioned above unless new Law 25 requires it. Some of the above activities are better suited to larger organizations with complex IT security infrastructure or to smaller business that process highly sensitive data (such as health records, financial information, or criminal history). The size of the company does not release or absolve the business of its full liability in the event of a privacy breach or a major security incident.

In September 2021, the Government of Quebec enacted a new privacy law that introduced sweeping changes to how companies doing business administer personal information within that province. These changes were initiated in the aftermath of Bill C-11, the proposed federal privacy reform that did not go through the legislative process due to the early call of the General Federal Elections. Unlike the federal Bill C-11, the Quebecois legislation, An Act Respecting the Protection of Personal Information in the Private Sector (AKA Law 25, formerly “Bill 64”), passed into law in September 2021, involving data protection requirements that are heavily modelled on the European Union’s General Data Protection Regulation (GDPR). As a result, Law 25 is far ahead of other comparable Canadian data privacy laws in terms of the obligations it imposes on companies and the privacy rights given to members of the public.

New Law 25 applies to all private-sector and public bodies entities based across Quebec, as well as to any out-of-province business organizations handling the personal information of Quebec residents. Therefore, Law 25 applies to not only other domestic entities, but also to any foreign entities doing business in the Province of Quebec.

Read on our article published on IN-SEC-M.