
Quebec Law 25 – privacy reform

Quebec’s modernized private-sector privacy regime: Privacy Officer designation, PIAs, consent, incident notification, cross-border transfers, and data portability.

Updated May 2026 · 9 min read

Quebec Law 25 (formally: An Act to modernize legislative provisions as regards the protection of personal information, adopted as Bill 64 on 2021-09-22) is the Quebec privacy reform that substantially modernized the province's Act respecting the protection of personal information in the private sector. Its provisions came into force in three phases between 2022-09-22 and 2024-09-22, and the regime is supervised and enforced by the Commission d'accès à l'information (CAI). Administrative monetary penalties reach CAD 10 million or 2% of worldwide turnover, and penal sanctions reach CAD 25 million or 4% of worldwide turnover, in each case whichever is greater. These are the highest privacy-violation ceilings in Canada.

Who is in scope

Any private-sector enterprise carrying on activities in Quebec that collects, holds, uses, or communicates personal information about Quebec residents. The reach extends beyond entities physically located in Quebec; the test is activities affecting Quebec residents. Fintechs serving Quebec consumers from outside the province are within scope. Federal works and undertakings (federally regulated banks, telecoms, airlines) generally remain under PIPEDA, but the boundary is contested in specific areas and is best clarified with counsel.

The three-phase rollout

  • 2022-09-22 – designation of a Privacy Officer (the person in charge of the protection of personal information), mandatory confidentiality-incident notification, requirement to maintain an incident register, expanded CAI investigative powers.
  • 2023-09-22 – consent rules tightened, transparency obligations expanded (published governance policies, notice at collection, disclosure of profiling and tracking technology and of automated decisions), individual rights including access, rectification and de-indexation refined, Privacy Impact Assessment requirement for any project to acquire, develop or redesign an information system or electronic service delivery system involving personal information, assessment required before communicating personal information outside Quebec, privacy-by-default settings for technological products offered to the public, and the administrative and penal sanction regime.
  • 2024-09-22 – right to data portability: computerized personal information collected from the individual must be communicated, on request, in a structured and commonly used technological format, either to the individual or to a person or body the individual designates that is authorized by law to collect it.

Privacy Officer and Privacy Impact Assessments

Every enterprise must designate a Privacy Officer (in the Act's wording, the person in charge of the protection of personal information) responsible for ensuring that the Act is implemented and complied with. By default this is the person exercising the highest authority in the enterprise (typically the CEO), but the function may be delegated in writing, in whole or in part, to any person. The Privacy Officer's title and contact information must be published on the enterprise's website (or otherwise made available to the public), and they must be reachable by individuals exercising their rights.

Before acquiring, developing or redesigning an information system or electronic service delivery system that collects, uses, communicates, keeps or destroys personal information, the enterprise must conduct a Privacy Impact Assessment, and the Privacy Officer must be consulted from the outset of the project. The PIA must be proportionate to the sensitivity of the information, the purpose of its use, its quantity and distribution, and the medium on which it is stored. PIA documentation can be requested by the CAI in the course of an investigation, so it should be retained alongside the project record it relates to.

Consent

Consent must be clear, free and informed, and given for specific purposes. The Act requires that consent be requested for each purpose separately, in clear and simple language, and, when requested in writing, separately from any other information. A single checkbox that bundles several purposes does not meet this requirement. For sensitive personal information (medical, biometric or otherwise intimate information, or information whose disclosure raises a high level of reasonable expectation of privacy), consent must be express. Personal information about a minor under 14 may not be collected from the minor without the consent of the person having parental authority or the tutor, unless the collection is clearly for the minor's benefit. Consent obtained for a stated purpose cannot be silently extended to a new purpose; a new, compatible purpose requires renewed consent unless one of the Act's exceptions applies.

Incident notification

An enterprise that has cause to believe a confidentiality incident (unauthorized access, use or communication of personal information, or its loss) has occurred must take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature. The enterprise must record every incident in a register, and the regulation requires each entry to be retained for at least five years from the date the enterprise became aware of the incident. If the incident presents a risk of serious injury, the enterprise must notify both the CAI and the affected individuals, with the content prescribed by regulation (the CAI provides a notification form).

"Risk of serious injury" is assessed against the sensitivity of the information concerned, the anticipated consequences of its use, and the likelihood that it will be used for injurious purposes. The trigger differs from the GDPR's "high risk to the rights and freedoms of natural persons" test, and the notification clock runs "promptly" (avec diligence) rather than on the GDPR's fixed 72-hour window, so the register entry and the risk assessment should be written at the moment of discovery, not after remediation.

Cross-border transfers

Before communicating personal information outside Quebec, an enterprise must conduct a Privacy Impact Assessment that takes into account the sensitivity of the information, the purposes for which it is to be used, the protection measures (including contractual measures) that would apply to it, and the legal framework applicable in the destination jurisdiction. The communication may proceed only if the assessment establishes that the information would receive adequate protection there, in particular in light of generally recognized principles of personal information protection. The transfer must then be the subject of a written agreement that takes the assessment's results into account and, where applicable, the terms agreed on to mitigate the risks identified. The CAI publishes guidance on how to conduct this assessment.

Penalties

Administrative monetary penalties imposed by the CAI reach CAD 10 million or 2% of worldwide turnover, whichever is greater; penal proceedings reach CAD 25 million or 4% of worldwide turnover, whichever is greater, with the amounts doubled for a subsequent offence. Individuals also have a private right of action, and a court must award punitive damages of at least CAD 1,000 where the infringement is intentional or results from gross fault. Administrative penalties, penal proceedings, and individual-rights litigation each operate as separate exposure vectors for the same incident. The CAI has published enforcement decisions since the 2022 phase came into force, signaling its intention to use the full range of its authority.

How FinQub supports Law 25 compliance

FinQub is built for jurisdiction-aware data handling. Tenant data residency can be locked to Canada or specifically to Quebec for organizations that need it. Every workflow event – data access, consent capture, individual-rights request, confidentiality incident – is logged to a hash-chained audit trail tagged with the applicable framework. Cross-border transfer assessments are tracked as first-class records linked to the data flows they govern. The incident register is queryable rather than maintained as a separate artifact.

Privacy Officer evidence packs draw from the same substrate. PIA documentation, consent versions, individual-rights workflows, and breach response timelines are produced as exports rather than reassembled across systems.
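The incident-register and hash-chained-audit-trail ideas above are simple to implement and worth seeing concretely. The following is an added example, not FinQub's code and not a CAI-endorsed test. It keeps an append-only register whose entries are chained by SHA-256 so that any later edit to an entry is detectable, stamps each entry with the five-year retention date counted from the date of awareness, and applies an assumed scoring of the three statutory factors (sensitivity, anticipated consequences, likelihood of misuse) to flag entries that require notification of the CAI and the affected individuals. The category list, the scoring rules, and the sample incidents are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import date

GENESIS = "0" * 64          # previous-hash value for the first register entry
RETENTION_YEARS = 5         # register entries kept at least 5 years from awareness

# Assumption: an illustrative set of information categories treated as sensitive.
SENSITIVE_CATEGORIES = {"health", "biometric", "financial", "sin"}


@dataclass(frozen=True)
class Incident:
    incident_id: str
    discovered: str            # ISO date the enterprise became aware of the incident
    description: str
    categories: tuple          # kinds of personal information involved
    persons_affected: int
    mitigations: tuple         # measures taken to reduce the risk of injury
    consequences: str          # anticipated consequences: "none" | "limited" | "serious"
    misuse_likelihood: str     # likelihood of injurious use: "low" | "medium" | "high"


def serious_injury_risk(inc: Incident) -> bool:
    """Assumed scoring of the three statutory factors; the Act gives no numeric test."""
    sensitive = bool(SENSITIVE_CATEGORIES & set(inc.categories))
    if inc.consequences == "serious":
        return True
    if sensitive and inc.misuse_likelihood in ("medium", "high"):
        return True
    return inc.misuse_likelihood == "high" and inc.consequences != "none"


def retention_expiry(discovered: str) -> str:
    """Five years after the date of awareness (29 February rolls back to the 28th)."""
    d = date.fromisoformat(discovered)
    try:
        return d.replace(year=d.year + RETENTION_YEARS).isoformat()
    except ValueError:
        return d.replace(year=d.year + RETENTION_YEARS, day=28).isoformat()


def _entry_hash(prev_hash: str, payload: dict) -> str:
    # Canonical JSON so that the same payload always hashes identically.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


class IncidentRegister:
    """Append-only register; each entry commits to the hash of the previous one."""

    def __init__(self):
        self.entries = []

    def record(self, inc: Incident) -> dict:
        payload = asdict(inc)
        payload["notify_cai_and_individuals"] = serious_injury_risk(inc)
        payload["retain_until"] = retention_expiry(inc.discovered)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"prev": prev, "payload": payload, "hash": _entry_hash(prev, payload)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or _entry_hash(prev, e["payload"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def pending_notifications(self) -> list:
        return [e["payload"]["incident_id"] for e in self.entries
                if e["payload"]["notify_cai_and_individuals"]]


if __name__ == "__main__":
    reg = IncidentRegister()
    # Constructed sample incidents, not real events.
    reg.record(Incident("INC-001", "2024-03-04", "Statement emailed to wrong customer",
                        ("name", "financial"), 12, ("recall requested",), "limited", "medium"))
    reg.record(Incident("INC-002", "2024-06-10", "Lost laptop, full-disk encrypted",
                        ("name", "email"), 300, ("remote wipe",), "none", "low"))
    print("chain intact:", reg.verify())
    print("notify:", reg.pending_notifications())
    reg.entries[0]["payload"]["persons_affected"] = 1   # simulate an after-the-fact edit
    print("chain intact after tampering:", reg.verify())
```

The chain only proves that entries were not altered after they were written; it does not prove when they were written. Anchoring the head hash externally (a timestamping service, a write-once log, or a periodic signed export to the Privacy Officer) is what turns the register into evidence that the "promptly" clock was respected.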
