Quebec's modernized privacy law introduces GDPR-like requirements including mandatory privacy impact assessments, prompt notification of confidentiality incidents to the regulator and affected individuals, and transparency for decisions based exclusively on automated processing. We help you navigate all three implementation phases.
Quebec Law 25 (Bill 64) is the Act to modernize legislative provisions as regards the protection of personal information. Enacted in 2021, it significantly strengthens privacy protections in Quebec by amending the Act Respecting the Protection of Personal Information in the Private Sector.
Why this matters now: All three implementation phases are in force as of September 22, 2024. Organizations must comply with mandatory PIAs, confidentiality-incident notification to the CAI and affected individuals, privacy by default, and automated decision-making transparency. Penal fines of up to CAD $25 million or 4% of worldwide turnover, whichever is greater, now apply.
Similar scope and penalties to EU regulation
Mandatory reporting to CAI and individuals
Complements GDPR and CCPA compliance for organizations operating across jurisdictions.
Quebec-based organizations: any organization operating in Quebec that collects personal information.
Processing Quebec residents' data: organizations outside Quebec that process Quebec residents' personal information.
Public sector entities: government bodies subject to the Law 25 modernization provisions.
AI system operators: organizations using automated decision-making that affects Quebec residents.
Data processors: service providers handling personal information on behalf of Quebec entities.
Cross-border data transfers: organizations communicating personal information outside Quebec.
Comprehensive capabilities addressing mandatory privacy obligations
Conduct the mandatory privacy impact assessments (PIAs) that Law 25 requires for any project to acquire, develop or overhaul an information system or electronic service delivery system that involves personal information, using structured questionnaires aligned with CAI guidance. The platform documents necessity, proportionality and safeguards and generates compliance evidence for regulatory review.
Addresses: Art. 3.3 - PIA obligations for information-system projects involving personal information
Track confidentiality incidents with notification workflows to the CAI and affected individuals. Law 25 requires notice "with diligence" once an incident presents a risk of serious injury and does not set a fixed deadline; the platform's 72-hour target mirrors the GDPR clock so the same workflow serves both regimes. The platform maintains incident timelines, the assessment of the risk of serious injury, remediation actions and the incident register required under Law 25.
Addresses: Art. 3.5-3.8 - Confidentiality incident notification, risk assessment and incident register
Document systems (AI or otherwise) that make decisions about individuals based exclusively on automated processing of their personal information. The platform tracks the obligation to inform individuals of such decisions, the information that must be provided on request (the personal information used, the reasons and principal factors behind the decision, and the right to have that information corrected), and provides workflows for the observations individuals may submit to a staff member able to review the decision.
Addresses: Art. 12.1 - Automated decision transparency and individual rights
Establish privacy governance structures with designated privacy officers, accountability frameworks and policy management. The platform maintains governance documentation and ensures organizational compliance readiness.
Addresses: Art. 3.1-3.2 - Privacy governance and officer designation
Implement technical and organizational measures that protect personal information from system design through deployment. Law 25 requires that any technological product or service with privacy settings ship with those settings at the highest level of confidentiality by default (cookie settings are excluded). The platform tracks privacy controls, data minimization practices and default privacy settings.
Addresses: Art. 3.4 - Privacy by default (highest confidentiality settings by default)
Assess, before communicating personal information outside Quebec, whether it will receive adequate protection in light of generally accepted data-protection principles. Law 25 requires a PIA for each such communication and a written agreement reflecting its results. The platform documents transfer mechanisms, adequacy assessments and the contractual safeguards required for international data flows.
Addresses: Art. 17 - Adequate protection and PIA for communications outside Quebec
All privacy activities are tracked with timestamps, assigned owners and approval workflows. This creates the audit trail demonstrating systematic compliance required for CAI investigations.
VerifyWise provides dedicated tooling for all major Law 25 obligations.
Governance: policies, accountability, person in charge of personal information protection, governance structure.
Individual rights: access, portability, erasure, consent withdrawal, automated decisions.
Data protection: PIAs, privacy by default, security safeguards, retention limits.
Incident response: notification to the CAI and affected individuals, incident register, remediation.
Tooling: CAI-aligned PIA templates and processes; incident tracking and CAI reporting workflows; automated-decision documentation and individual notification tools; crosswalk to GDPR and CCPA requirements.
Law 25 came into force in three phases, on September 22 of 2022, 2023 and 2024.
All provisions are now in force. Organizations must comply with all Law 25 requirements, including PIAs, incident notification, privacy by default, data portability and automated decision-making transparency.
Core requirements organizations must implement under Law 25
PIAs are mandatory for any project to acquire, develop or overhaul an information system or electronic service delivery system involving personal information, and before communicating personal information outside Quebec. The assessment must be proportionate to the sensitivity of the information, the purposes of its use, its quantity and distribution, and the medium used; it must be completed before the project or communication proceeds and revisited when circumstances change.
Organizations must notify the CAI and affected individuals with diligence when a confidentiality incident involving personal information presents a risk of serious injury, keep a register of all confidentiality incidents, and take reasonable measures to reduce the risk of injury and prevent recurrence.
When a decision about an individual is based exclusively on automated processing of their personal information, the individual must be informed no later than when the decision is communicated, must on request be told which personal information was used, the reasons and principal factors behind the decision, and their right to have that information corrected, and must be given the opportunity to submit observations to a staff member who is in a position to review the decision.
Enhanced transparency obligations require clear privacy notices. Consent must be clear, free, informed, given for specific purposes and requested separately for each purpose; express consent is required for sensitive personal information. Special protections apply to minors, with consent of a parent or guardian required for children under 14.
The Commission d'accès à l'information du Québec (CAI) has broad powers and significant penalties.
Administrative monetary penalties: up to CAD $10 million or 2% of worldwide turnover for the preceding fiscal year, whichever is greater.
Penal fines: up to CAD $25 million or 4% of worldwide turnover, whichever is greater, for penal offences; fines are doubled for a subsequent offence.
The CAI is Quebec's independent privacy authority with investigation and enforcement powers: it investigates complaints, conducts audits, issues orders and imposes penalties.
Understanding Quebec's privacy law in the context of global regulations
| Aspect | Quebec Law 25 | GDPR | CCPA |
|---|---|---|---|
Jurisdiction | Quebec (Canada) | European Union + EEA | California (USA) |
Legal status | Provincial law (Quebec) | EU Regulation (mandatory) | State law (California) |
Applicability | Personal information of Quebec residents | Data subjects in the EU (regardless of the controller's location) | California residents' (consumers') data |
Penalties | Up to CAD $25M or 4% turnover | Up to €20M or 4% turnover | Up to $7,500 per intentional violation |
Breach notification | With diligence (no fixed clock) to CAI + individuals when there is a risk of serious injury | 72 hours to DPA; individuals without undue delay when the risk is high | No notification timeline in the CCPA itself (California's separate breach statute applies) |
Consent model | Opt-in (especially minors) | Opt-in (explicit consent) | Opt-out (right to say no) |
Impact assessments | Mandatory PIAs for information-system projects and transfers outside Quebec | Mandatory DPIAs for high-risk processing | Not in the original CCPA; risk assessments added by CPRA regulations |
Data portability | Yes (new right under Law 25) | Yes (comprehensive right) | Limited portability rights |
Enforcement | CAI (Quebec) | National DPAs | California Attorney General + CPPA |
Pro tip: Organizations that already comply with GDPR will find Law 25 requirements familiar. Many GDPR practices (DPIAs, breach notification, privacy by design and by default) transfer directly to Law 25 with Quebec-specific adjustments, such as the PIA trigger based on information-system projects and the "with diligence" notification standard.
Ready-to-use privacy policy templates aligned with Law 25, GDPR and CCPA requirements are also available.
Start your Quebec privacy compliance journey with our comprehensive assessment and implementation tools.