Law 25: An unknown law… but a law that belongs to you!

As computer attacks have become more frequent and are not limited to a specific sector of activity and can even affect all companies operating in Canada and around the world, it is more important than ever to protect yourself to minimize the theft of personal information. from employees, suppliers and customers. Financial information is one of the main motivations of a hacker who may even attempt to disrupt production and operations to harm an industry or a country’s economy.

Given the importance of this data, which is sold at exorbitant prices on the Dark Web, the Quebec government Act on modernization of legislative provisions on personal data protectionKnown as Bill 25, it puts Quebec at the forefront in this area.

First phase (effective from September 22, 2022)

  • Obligation to act as a privacy officer or to delegate it in writing to another person and to publish the contact information of the person in charge;
  • Obligation to establish a committee on access to information and protection of personal data;
  • Obligation to inform the Commission and the concerned person of any privacy incident that creates a serious risk of harm related to personal data and to maintain a register that must be submitted to the Commission upon request;
  • A new framework for the transfer of personal data without the consent of the person concerned for the purposes of research, investigation or statistical production and in the context of a commercial transaction;
  • Obligation to disclose any bank of biometric features or measurements to the Commission at least 60 days prior to deployment.

Second phase (effective from September 2023)

  • Obligation to implement and publish detailed information about policies and practices governing the management of personal information;
  • New transparency obligations, such as:
    • publish rules governing the management of personal information;
    • if you collect personal information through technological means, publish a simple and clearly written privacy policy and inform the relevant persons about its updates;
    • inform the data subject exclusively when he is the subject of a decision based on automated processing;
    • to inform the individual when using identification, location or profiling technology and the means offered to enable these functions.
  • Anonymization of personal data;
  • Follow new people Privacy Acteg provincial political parties;
  • Obligation to carry out a privacy impact assessment in certain cases;
  • New rules on consent;
  • the right to de-indexing (or the right to erasure or oblivion);
  • New conditions for the transfer of personal data outside of Quebec;
  • New conditions for the transfer of personal data to facilitate the grieving process;
  • New conditions related to the collection of personal data about a minor under the age of 14;
  • the obligation to conditionally provide parameters that ensure the highest level of confidentiality of the technological product or service offered to the public;
  • The Commission’s ability to impose monetary administrative fines.

Third phase (effective from September 2024)

At this stage, the right to carry will be the final provision to come into effect in both the public and private sectors. It is important to prepare for this as soon as possible, as this commitment may involve more structural changes on the part of organizations.


Recovery mechanisms from September 2023

Bill 25 recognizes a person’s right to compensation by way of compensation for damages caused by unlawful interference with their rights.


  • It depends on the amount of the assigned compensation.
  • In the case of gross or willful misconduct, the court must impose a fine of at least $1,000.

Administrative fines

Note that CAI may impose administrative fines for violations. Similarly, a company that has been the subject of administrative sanctions and continues to violate the law may be punished under the criminal regime.


  • For an individual: Maximum amount of USD 50,000.
  • In other cases: Maximum amount is 10 million USD or 2% of worldwide turnover.

Legal searches

CAI may initiate criminal proceedings for violations. In fact, any criminal case must be brought within five years of the offense being committed.


  • For an individual: from USD 5,000 to USD 100,000.
  • In other cases: $15,000 to $25 million or 4% of worldwide turnover.

Failure to comply with the law may make the directors of the legal entity liable.

Towards a provincial event record?

According to my analysis, it would not be surprising to see a provincial registry listing events with sanctions that occurred in September 2024. This tool will undoubtedly be an important incentive to ensure good practices in terms of corporate data protection.

Good communication

When an event occurs, good communication should be one of the top priorities and meet the expectations of investors and customers. Formatted communications from marketing tools will no longer hold their place. This type of crisis management should aim to reassure and at the same time demonstrate the mechanism created to stop the incident.

The result

Let’s just say right away, if you’re expecting a subsidy under Bill 25, it’s a waste of time. This enforcement is the responsibility of all companies and will be as legal as voting rights in 2024! Nothing less.

Leave a Reply

Your email address will not be published. Required fields are marked *