Skip to main content

Quebec’s Law 25: Many Provisions Take Effect Today

In September 2021, Quebec’s Parliament enacted Law 25, formerly known as Bill 64, (the Law), which updated Quebec’s data protection laws and added requirements for enterprises that do business within the province. The majority of the Law’s requirements become effective Sept. 22, 2023. Below is a brief list of compliance requirements and their effective dates.

Compliance Requirements Taking Effect Today

Item

Timeline

Collect and Process Personal Information Legally, including proper consent mechanisms if applicable[1]

Sept. 22, 2023

Public Privacy Policy[2]

Sept. 22, 2023

Company Data Protection Governance Policies[3]

Sept. 22, 2023

Data Subject Request Responses[4]

Sept. 22, 2023

Conduct Necessary Data Protection Impact Assessments[5]

Sept. 22, 2023

Conform to Law and Regulations on Data Transfers Outside of Quebec[6]

Sept. 22, 2023

Destruction or Anonymization of Data[7]

Sept. 22, 2023

Monetary Penalties and Damages[8]

Sept. 22, 2023

.
Previous and Upcoming Compliance Requirements

Item

Timeline

Appoint a Data protection Officer[9]

Sept. 22, 2022

Incident (“Confidentiality”) Response Plan[10]

Sept. 22, 2022

Disclosure to Commission of use of Biometric Information[11]

Sept. 22, 2022

Collect and Process Personal Information Legally, including proper consent mechanisms if applicable[12]

Sept. 22, 2023

Public Privacy Policy[13]

Sept. 22, 2023

Company Data Protection Governance Policies[14]

Sept. 22, 2023

Data Subject Request Responses[15]

Sept. 22, 2023

Conduct Necessary Data Protection Impact Assessments[16]

Sept. 22, 2023

Conform to Law and Regulations on Data Transfers Outside of Quebec[17]

Sept. 22, 2023

Destruction or Anonymization of Data[18]

Sept. 22, 2023

Monetary Penalties and Damages[19]

Sept. 22, 2023

Right to Portability[20]

Sept. 22, 2024

.
Penalties for Noncompliance

Administrative monetary penalties can result in fines up to CAD $10 million or 2% of the enterprise’s worldwide turnover, whichever is greater. Alternatively, general fines can be CAD $25 million or 4% of worldwide turnover, whichever is greater.

Entities subject to the Law should conduct a comprehensive review of their data privacy procedures and practices to ensure compliance and avoid large penalties that the Law provides.

* Greenberg Traurig is not licensed to practice law in Canada and does not advise on Canada law. Specific Canada law questions and Canada legal compliance issues will be referred to lawyers licensed to practice law in Canada.

* Special thanks to Mike Summers˘ for his valuable contributions to this GT Alert.
˘ Not admitted to the practice of law.


[1] Sections 4 and 8, among others depending on collection, Law 25.

[2] Section 3.1, 3.2, and 8.2, Law 25.

[3] Section 3.2, Law 25.

[4] Sections 30, 32, 33, 34, 35, and 39 of Law 25. 

[5] Sections 3.2 and 17, Law 25.

[6] Section 17, Law 25.

[7] Section 23, Law 25

[8] Sections 90-93, Law 25.

[9] Section 3.1, Law 25.

[10] Section 3.5, Law 25.

[11] Section 45, Law 25.

[12] Sections 4 and 8, among others depending on collection, Law 25.

[13] Section 3.1, 3.2, and 8.2, Law 25.

[14] Section 3.2, Law 25.

[15] Sections 30, 32, 33, 34, 35, and 39 of Law 25. 

[16] Sections 3.2 and 17, Law 25.

[17] Section 17, Law 25.

[18] Section 23, Law 25.

[19] Sections 90-93, Law 25.

[20] Section 27, Law 25.