Support & Downloads

Quisque actraqum nunc no dolor sit ametaugue dolor. Lorem ipsum dolor sit amet, consyect etur adipiscing elit.

s f

Contact Info
198 West 21th Street, Suite 721
New York, NY 10010
+88 (0) 101 0000 000
Follow Us


Law 25/Bill 64 will Change Privacy Compliance in Quebec

What are the Implications of Law 25 in Quebec, Canada?

Law 25/Bill 64 will Change Privacy Compliance in QuebecLaw 25 is the most recent Privacy Act of Quebec, Canada. It follows the 2018 adoption of Bill 64, an act that modernized the laws concerning protecting personal data that has significantly changed the rules concerning storing, processing, and sharing information. This law applies to businesses throughout Quebec, and its scope will be significant. Compared to other privacy laws, including GDPR and CCPA, the financial impact on the organization for violations is far more costly and explicit.


Figure 1 - Bill 64 Becomes Law 25, the New Law of the Land in Quebec

Figure 1 – Bill 64 Becomes Law 25, the New Law of the Land in Quebec


Quebec’s Law 25 Compared to the EU GDPR

Compared to the EU’s General Data Protection Regulation (GDPR), Law 25 sets out several steps for public bodies and private companies to take to improve their data privacy policies. It doesn’t require specific technological solutions but outlines various criminal and monetary penalties if the solutions are implemented incorrectly.

  • For instance, with this law, Multi-Factor Identification or MFA becomes necessary for all organizations, as it will effectively prevent them from incurring heavy penalties if they suffer a security breach. Encryption is also an excellent idea to implement.
  • Another essential part of this law is that companies must have a confidentiality policy, so they don’t make things more difficult for people who want their personal information erased.


What Expectations of Privacy do Quebec Consumers have under Law 25?

This new law strengthens the citizen’s data protection and grants individuals’ greater access and control of stored data in Quebec. 

Right of Action

The law gives private citizens the right to claim against companies and enables individual plaintiffs to claim damages if they breach their contractual duty of care. Indictable breaches are, e.g., illegal processing or improper data protection and not providing security notices. This law enforced this right with strict financial penalties.


Role of Privacy Supporting Law 25

Under the new law, public bodies and private sector entities that don’t adequately secure their systems against cyberattacks could face hefty penalties.

Law 25 requires several critical elements with the organization, including:

  • Designated Privacy Officer
  • Management and Event Log Tracking System with 5-year retention


The Role of the Privacy Officer

Many regulated organizations, including banking/financial, healthcare, and government contractors, designate either a person or a team of people as data privacy officers (DPO). Under Law 25, this critical role within any organization handles policy, enablement, and consumer data compliance. The DPO has several responsibilities, including reporting all data breaches or accidental exposure of consumer data to the public.

Law 25 has several provisions, including an entity’s mandate to share personal data obtained during a commercial activity with third parties for study or statistical purposes. Organizations are required to perform privacy impact assessments to ensure the protection of personal data before release to a third party.

The DPO helps draft the process and procedure dictating how the organization can access and leverage consumer information without violating privacy rights and Canadian privacy law. The DPO also logs and manages any violations of LAW 25, like GDPR, PCI, or HIPAA.


Maintaining Incident Logging

Under federal and provincial privacy laws, businesses must notify the Canadian Information Commissioner’s Office when they discover a personal information breach that could put an individual at risk.

Organizations governed by Law 25 must keep an incident log of potential breaches or violations for five years. The logging systems show the organization’s diligence, reasonable expectation of data protection, and governance. This record-keeping requirement assists the organization in establishing a duty to disclose the framework.


What is the Duty to Disclose?

In the event of an actual data breach or data exposure, organizations within Quebec, Canada, and businesses have a legal obligation and mandate to notify all individuals of the event. Like other privacy laws, failure to report will cause a fine. The impactful fines make Law 25 different from other privacy laws. Organizations that violate Law 25 will be subject to a penalty of up to 25 million dollars CAD or 4% of the organization’s global revenue. Other privacy also have significant fines, including GDPR, however, the amount of the penalties for Law 25 is considered more significant and more impactful.


Cybersecurity Protection Control Supporting Law 25

Like CCPA and GDPR, Law 25 doesn’t mandate explicit cybersecurity controls. However, like other mandates, organizations should deploy adaptive cybersecurity controls to reduce the risk of fines for data breaches and mistakes in data handling and notification. These controls should include the following:

  • Multi-Factor Authentication
  • Data Encryption
  • Microsegment
  • End-user Education
  • Email Security
  • Data Loss Prevention
  • System-wide monitoring and violation logging

By enabling these adaptive controls, the organization is showing the best effort to protect consumer data. Investment by organizations in these adaptive controls should positively affect the potential fines in case of a data breach.


Handling a Confidentiality Incident or Breach Under Law 25

One of the major areas of Law 25 that organizations should pay close attention to is the Law’s definition of a security breach or confidentiality incident. Let’s lay it out as plain as possible; if an organization has reason to believe a confidentiality incident has occurred, does the obligation to take reasonable measures to reduce the risk of injury and prevent future incidents of the same nature arise solely from the new Québec law?

The entire answer is according to SecureOps’ Erik Montcalm is that “while the definition of what is an incident or a breach affecting personal information may differ from a legislation to another, Law 25 is not the only regulation requiring taking appropriate actions to reduce the associated risks. Indeed, similar requirements may be seen under PIPEDA, or the General Data Protection Regulation (GDPR) in the European Union.”

Thus, when such event occurs and that the organization discovers the breach, Law 25, PIPEDA, or GDPR will require the organization to investigate the breach to assess the risk and take appropriate actions, including:

  • Notify the relevant supervisory authorities of the event
  • Communicate about the breach to the individuals concerned
  • Document the event internally in a dedicated record.

Indeed, under Law 25, while documenting the breach is always required to demonstrate compliance with privacy legislations (accountability principle), notification of such event will be required in case of a “risk of serious injury”, which is similar to a “real risk of significant harm” under PIPEDA.
The assessment of the risk will be performed on a case-by-case basis, considering for example:

The type of breach (i.e., breach of integrity, confidentiality, or availability of personal information),

  • The nature, sensitivity and volume of the personal data concerned,
  • The profile and number of individuals affected by the breach,
  • The possible consequences of the breach for the individuals, including the anticipated repercussion of the data and the likelihood that such data will be used for harmful purposes

The existing measures at the time of the incident and the additional measures taken and/or proposed to mitigate the risks should also be considered for the risk assessment.


The Role of a Managed Security Service Provider

MSSPs continue to play a critical role in supporting clients with compliance and privacy mandates. Many global providers have experts in cybersecurity compliance monitoring to keep clients’ data protected. Organizations need help hiring and retaining experienced SecOps, and NetOps resources to meet the company’s compliance, governance, and privacy mandates. MSSPs provide expertise, global coverage, and experience to clients to monitor and log events to support Law 25 and other privacy mandates, including NIST.

In addition, organizations must conduct Privacy Impact Assessments or PIA’s under a few scenarios. First, organization must conduct PIAs regarding any upgrades, acquisitions, or developments of any of the organization’s IT infrastructure or digital products involving the processing of personal information. 

Second, firms must conduct PIAs prior to transferring covered data out of Quebec. In conducting PIAs prior to transfer, the firm must consider the sensitivity of the information, the purposes for which it will be used, and the protection measures used in the transfer. Firms must also assess whether the information will receive adequate protection in compliance with “generally accepted data protection principles” in the jurisdiction to which it is sent. 

Lastly, an organization must conduct a PIA when it discloses covered personal information “for study or research purposes” without data subjects’ consent.


Figure 2 - Basic Framework for Conducting a Privacy Impact Assessment – Simon Fraser University -

Figure 2 – Basic Framework for Conducting a Privacy Impact Assessment – Simon Fraser University –



Law 25 brings Québec’s privacy laws closer in line with the GDPR, the leading data protection framework in the world. Because, like Canada, the USA is not governed by an overarching federal privacy law, the California Consumer Privacy Act (CCPA) is seen as one of the most important privacy developments in the country.

This new bill will bring positive changes in consumer protection. The new framework is designed to strengthen data protection and gives individuals greater access to stored data. All rights are, as a result, granted to the consumer.


Short Q&A

  1. Are countries outside Quebec, Canada, required to comply with LAW 25
    • Answer: Yes, any country with data from Quebec becomes stored in its systems, including the cloud.
  2. Are all organizations required to have a chief privacy officer?
    • Answer: Under LAW 25, yes. Every organization governed by Law 25 must have someone designated as the chief privacy officer.


To Learn More About How to Secure Your Organization Please Call Us – as Always, We Are Happy to Help – 1 (888) 982-0678.

You Can Also Fill Out Our Contact Us Form to Talk with a Security Specialist –