Quebec Law 25: A Practical Guide to Your Rights

How to exercise your rights under Quebec's landmark private-sector privacy reform, including data portability, de-indexing, and automated decision review.

TL;DR

Law 25 gives you rights beyond PIPEDA: access and correction, data portability in a structured electronic format, the right to request de-indexing of certain information, and the right to know about and contest automated decisions. Complaints go to the CAI, which can impose penalties up to $10 million or 2% of turnover.

Exercising your rights

Each right has its own process:

Access: write to the organization's privacy officer with proof of identity.
Correction: identify the inaccuracy and provide supporting evidence.
Portability: request information in a commonly used technological format.
De-indexing: request removal of specific links where their continued publication causes serious harm.
Automated decision review: request a human review of any significant automated decision.

Timelines

Organizations must respond within 30 days. If they refuse, they must give written reasons. If you do not receive a response or are unsatisfied, you can apply to the CAI.

CAI complaints and penalties

Complaints can be filed online with the CAI. The CAI can investigate, order corrective action, and impose administrative monetary penalties.

Penalties can reach $10 million or 2% of worldwide turnover for administrative violations, and $25 million or 4% for criminal violations.

Privacy impact assessments for organizations

Law 25 requires organizations to conduct a PIA for any system involving personal information. If you are an organization needing help, you may want to engage privacy counsel.

Sources & References

Quebec Law 25 (Act respecting the protection of personal information in the private sector)—Quebec's modernized privacy regime introducing mandatory breach notification, privacy impact assessments, data portability, right to be forgotten, and automated decision-making transparency.Publications du Québec
Commission d'accès à l'information du Québec (CAI)—Quebec's privacy regulator overseeing public-sector access to information and the private-sector privacy regime (Law 25). Investigates complaints, authorizes research projects, and issues binding orders.Government of Quebec

All sources link directly to official government websites. This page provides legal information, not legal advice. Consult a qualified professional before acting on any information presented here.