
New safety measures under Law 25

New updates to Quebec's Law 25.

There are new updates to Québec's Law 25, which seeks to create an environment of respect and security when it comes to collecting personal information in the private sector. We've talked previously about Bill 64 (the policy's previous name) and about the initial changes under Law 25 last year. The most important of those were appointing a privacy officer and recording any privacy incidents.


Now, under the new rules, companies will be expected to take further action, or else risk facing heavy fines and penalties for non-compliance. To offer additional guidance on navigating the new rules, XMA has put together this brief overview of Law 25 and the new policies that are currently in place.


A Reminder About Law 25

All businesses in Québec have legal obligations under Law 25. Originally introduced as Bill 64 in September 2021, the updated policies now carry the title Law 25. This law is meant to bring peace of mind to citizens, since their private information must be handled with care.


In 2022, Law 25 rolled out its first set of rules, which included the requirement to provide verbal or written notification to the Commission d'accès à l'information du Québec (CAI) if incidents are suspected to put individuals at risk. Businesses are also legally required to maintain a register of confidentiality incidents for at least five years following an incident.


Prior regulations also include:

  • The requirement for organizations to respond to requests for access to personal information. Any refusal must be justified, and the requester must be informed of the appeal processes available to them through the Commission d'accès à l'information du Québec.

  • All persons must be informed by the organization about the collection of personal information, the reason for collection, how the information will be used, and who will have access to it.

  • All organizations are required to have proper safety measures in place that will protect any personal information gathered.

  • All organizations are required to ensure persons they work with outside of the province are equally as careful with how private information is managed.


As of September 2023, new policies have been introduced under Law 25. These are meant to further protect private information and strengthen the law's enforcement should businesses fail to meet the criteria.


New Policies Under Law 25 as of September 2023

The recent amendments took effect in September 2023. These new rules set out several new steps for businesses to take, as well as more concrete information about the penalties should the law be ignored. Changes to the law include:

Administrative Penalties and Fines for Non-Compliance

Penalties can now be fully enforced by the Commission d'accès à l'information (CAI), which includes the right to fine individuals up to $50,000 and other legal entities $10,000,000 or 2% of their global turnover for the preceding fiscal year, whichever is greater. These fines are imposed when an organization fails to comply, in alignment with the European Union's GDPR.


Further fines can occur if a business is non-compliant with Law 25, for example if:

  • There has been unlawful use of personal information.

  • Confidentiality incidents are not properly reported.

  • The CAI's inquiries and inspections are impeded.


In these instances, the fines can range from $5,000 to $100,000 for individuals and from $15,000 to $25,000,000 or 4% of worldwide turnover for other legal entities, whichever is greater.


Additional Transparency: Clear and Simple Informing

Under the new rules, anyone collecting personal information from individuals must inform them using clear and simple language. This is meant to keep the gathering of information transparent and further enforce privacy.


Under the new rule, those collecting information must tell individuals:

  • Why the information is being collected.

  • How the information is being collected.

  • The rights of access and rectification under the law.

  • That the individual can withdraw consent for the communication or use of their information.


Anonymizing and Disposing of Data

Any personal information gathered must be destroyed or anonymized once the purpose for its collection has been achieved. This means that businesses and individuals will need to assess whether information is still being kept for a reason, or whether the time has come to safely purge outdated files and information.


Meet New Compliance and Maintain a Strong Reputation By Working with XMA

Above are just a few examples of the newest amendments to Law 25. There are further rules, which include consent regarding the personal information of minors, privacy impact assessments, and cookie banners.


To ensure that your team is meeting compliance and doing everything you can to keep data safe, consider consulting with technology experts, such as those at XMA.


Our team is available to answer any questions you might have about Law 25 and the security resources available to you. Contact us to learn more.
