How Quebec is different
Since the Law 25 reforms rolled out between 2022 and 2024, Quebec has had the most demanding private-sector privacy rules in Canada. Organizations doing business in Quebec must comply with Law 25 with respect to the personal information of Quebec residents.
Law 25 applies in addition to (and in some areas instead of) PIPEDA for Quebec-based organizations.
Key rights under Law 25
Law 25 introduced or expanded several rights that go beyond PIPEDA:
- Right to data portability: receive your personal data in a structured, commonly used technological format.
- Right to know when an automated decision is made about you, and to request human review.
- Right to be told about the use of location tracking or identification technologies in advance.
- Right to de-indexing (to be forgotten) when certain conditions are met, including disproportionate harm.
- Right to be informed about cross-border transfers of personal information and the protections in place.
Organization obligations
Organizations in Quebec must:
- Designate a privacy officer (by default, the person with the highest authority).
- Publish policies on how personal information is handled and the role of the privacy officer.
- Conduct a privacy impact assessment (PIA) before rolling out any new system that involves personal information.
- Notify the CAI and affected individuals of any confidentiality incident that presents a risk of serious injury.
- Obtain express consent for the use of sensitive information and for uses that the person would not reasonably expect.
Enforcement and penalties
Law 25 gives the CAI order-making power and the ability to impose administrative monetary penalties of up to $10 million or 2% of worldwide turnover.
Criminal sanctions under Law 25 can reach $25 million or 4% of worldwide turnover for the most serious violations.