
Law 25: An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information

Important amendments will be applicable as of September 22, 2023

Law 25 amends the Act respecting the protection of personal information in the private sector (hereinafter the “Act”), which applies to private-sector companies. While the first provisions of Law 25 came into force on September 22, 2022, the most important amendments come into force on September 22, 2023.

An official consolidated version of the Act incorporating all the changes made by Law 25 is not yet available; the best working document at this time is the consolidation published on CanLII. All references in the following text are to the Act as it will read on September 22, 2023.

Below is an outline of the main obligations companies must meet in order to comply with Law 25. Several of the issues presented here warrant further discussion.

1) Privacy Officer and Privacy Policy

  1. Businesses must appoint a Privacy Officer (s. 3.1). The Privacy Officer is responsible for ensuring compliance with the Act. The role may be delegated in writing, in whole or in part, to any person (a member of the Company’s personnel or a third party). In all cases, the title and contact details of the Privacy Officer must be published on the Company’s website. Since the first provisions of Law 25 came into force on September 22, 2022, the default Privacy Officer is the person exercising the highest authority within the company;
  2. The most pressing issue at this time is that the Company must establish and implement a Privacy Policy (s. 3.2), which must include:
    1. The general principles governing the collection, use and communication of personal information, in accordance with the requirements of the Act (s. 8 to 9);
    2. A data retention policy and schedule (i.e., particulars on how long personal information will be kept);
    3. A procedure for the destruction of personal information (s. 12);
    4. A procedure for receiving and processing requests from individuals wishing to exercise their rights (s. 28.1; 30; 32; 34);
    5. A procedure relating to data security;
    6. A procedure for handling confidentiality incidents, together with a response plan;
    7. If applicable: a policy on the use of surveillance cameras and a policy on the use of biometric systems;
  3. Businesses must keep a register of confidentiality incidents (s. 3.6; 3.8) for five years and, if an incident presents a risk of serious injury, must notify the Commission d’accès à l’information (hereinafter the “CAI”) and the persons concerned (s. 3.5; 3.7);

2) Consent and Transparency

  1. Law 25 introduces new requirements for consent to the collection, communication and use of personal information, as well as exemptions from the consent requirement. Valid consent must be manifest, free, informed and given for specific purposes, and it must be requested for each such purpose in clear and simple language (s. 14);
  2. Businesses should prepare an inventory of their uses of personal information, including collection and communication, to determine which may be exempt from consent. Consider, for instance, the following exceptions (s. 12), which apply when the use of the information (1) is necessary for the supply or delivery of a product or the provision of a service requested by the individual; (2) is clearly for the benefit of the individual; or (3) is consistent with the purposes for which the information was collected;
  3. In some cases, the communication of personal information to a third party may be exempt from the consent requirement, in particular where it is necessary for carrying out a mandate or performing a contract for services or a business contract (s. 18.3). A contract template for the processing of personal information that meets the requirements of Law 25 should be prepared (s. 3.6; 10; 12; 23);

3) Privacy by default

  1. Businesses should (1) prepare a list of the technological products or services offered to the public that collect personal information and have privacy settings, and determine whether those settings need to be adjusted (in particular so that they provide the highest level of confidentiality by default, s. 9.1); and (2) prepare a list of all technologies used to collect personal information and determine whether they include functions that allow an individual to be identified, located or profiled, since the individual must then be informed of those functions and of the means available to activate them (s. 8.1);

4) Privacy Impact Assessments (PIA)

  1. Starting September 22, 2023, a PIA must be conducted for any project to acquire, develop or redesign an information system or electronic service delivery system involving personal information (s. 3.3). The requirement is not retroactive: systems already in place are not subject to it. For example, a PIA should be conducted when a business (1) develops a new information system or a personalization feature for a product or service; (2) searches for new customers or explores new markets; or (3) installs a video surveillance system;
  2. If a business intends to communicate personal information outside Quebec, or to entrust personal information to a third party located outside Quebec, it must first conduct a PIA that takes into account the following factors (s. 17): (1) the sensitivity of the information; (2) the purposes for which it will be used; (3) the protection measures, including contractual ones, that will apply to it; and (4) the legal framework applicable in the receiving jurisdiction, including the personal information protection principles that apply there;

5) Penalties for Non-Compliance with the Act

  1. Failure to comply with the Act can result in two types of penalties: monetary administrative penalties and penal sanctions. The maximum monetary administrative penalty for a company is $10 million or 2% of its worldwide turnover for the preceding fiscal year, whichever is greater (s. 90.12). The maximum fine in penal proceedings is $25 million or 4% of worldwide turnover for the preceding fiscal year, whichever is greater (s. 91);
  2. A business in default first receives a notice of non-compliance and may take the measures necessary to comply. Throughout the CAI’s investigation, and before a monetary administrative penalty is imposed, the company has the opportunity to submit observations, produce documents to complete the record and make undertakings (s. 90.1; 90.3);
  3. Penal sanctions may result if the CAI institutes penal proceedings before the Court of Quebec. Such proceedings may follow the CAI’s investigation and arise from the same facts as the monetary administrative penalty (s. 90.5). Similar criteria apply to both administrative penalties and penal sanctions, with the addition, in the latter case, of criteria relating to intent, negligence and failure to comply or to mitigate (s. 90.2; 91).

Our team members can help you comply with these new requirements.

Contact us to find out more. We will be happy to organize a virtual meeting to discuss your needs.
