Bill 25 redefines the protection of personal information in Quebec. Discover the implications of Bill 25, a major reform that came into force on September 22, redefining the standards for the protection of personal information in Quebec.

Some quick information

  • Name: Act modernizing legislative provisions regarding the protection of personal information, also called Bill 25.
  • Entry into force: September 22, 2023
  • History: The modifications made by Bill 25 have gradually come into force since 2022 and are spread over a period of three years, i.e. until 2024.
  • Context: This reform modernizes the rules protecting personal information in Quebec so that they are better adapted to the new challenges posed by the current digital and technological environment.

Bill 25 introduces key obligations for businesses, including designating a person responsible for the protection of personal information, proactively managing privacy incidents, disclosing biometric verifications to the Commission, and complying with a new framework for communicating personal information.

The main new obligations

In addition to complying with current obligations regarding the protection of personal information, companies must:

  • Designate a person responsible for the protection of personal information and publish their title and contact details on the company’s website;
  • In the event of a confidentiality incident, keep a record of all incidents and take prompt action to reduce the risk of harm to affected individuals. A company must also notify the Commission and the persons concerned of any incident presenting a serious risk of harm;
  • Disclose in advance to the Commission the verification or confirmation of identity made by means of biometric characteristics or measurements;
  • Respect the new framework applicable to the communication of personal information without the consent of the person concerned as part of a commercial transaction or for the purposes of study, research or statistical production.

In addition to these obligations, public bodies will also have to form a committee on access to information and the protection of personal information.

Take action in your organization

If not already done, it would be worth carrying out a full audit of your organization’s processes and tools in order to comply with the new Law 25 which contains many elements.

As for your website, it involves establishing different processes and making specific information available to users to guarantee them quality in the processing of their personal data, namely but not limited to:

  • A consent management system for the use of cookies
  • A process for requesting removal of personal information
  • Displaying required legal documents such as site use and personal data management policies

To learn more

Our team of experts is available to assist you in adapting your website and business processes to ensure compliance with Quebec’s Law 25 as well as other laws in other jurisdictions such as GDPR.

Contact us for more information