FEATURED STORY February 24, 2023

Quebec Has New Privacy Requirements Already in Place, With More on the Way in 2023

Bill 25 Requires Immediate Action and a Compliance Plan for This Year

In September 2021, Quebec's Parliament enacted Law 25 (formerly Bill 64) (the "Law"), which updated Quebec's data protection laws and added requirements for enterprises that do business within the province. Specifically, as of September 2022 companies should have 1) appointed a data protection officer, 2) disclosed to the Quebec data protection commission certain processing and uses of biometric data, and 3) updated incident response requirements. Starting in 2023, failure to comply may result in GDPR-like fines with monetary penalties potentially ranging from 2% to 4% of worldwide turnover.


The Law subjects any enterprise, as defined by the Quebec Civil Code, that collects, holds, uses, or communicates personal information to its requirements.[1]

The Law does not make the familiar distinction between "controllers" and "processors." Instead, some provisions apply only to "persons carrying on an enterprise," while others apply more broadly to any "person" or "person or body." As a result, the applicability of any given provision depends on which term is used.[2]

Additionally, the Law uses a broad definition of personal information, defined as "any information which relates to a natural person and allows that person to be identified."[3] 

Upcoming Requirements

The Quebec government opted for a three-year rollout of the Law. The table below outlines some compliance areas and the relevant timeframes for compliance, some of which have already passed[4]:

| Item | Timeline |
|---|---|
| Appoint a Data Protection Officer[5] | September 2022 |
| Incident ("Confidentiality") Response Plan[6] | September 2022 |
| Disclosure to Commission of use of Biometric Information[7] | September 2022 |
| Collect and Process Personal Information Legally[8] | September 2023 |
| Public Privacy Policy[9] | September 2023 |
| Company Data Protection Governance Policies[10] | September 2023 |
| Data Subject Request Responses[11] | September 2023 |
| Conduct Necessary Data Protection Impact Assessments[12] | September 2023 |
| Conform to Law and Regulations on Data Transfers Outside of Québec[13] | September 2023 |
| Right to Portability[14] | September 2024 |


The Law imposes two types of fines: administrative and penal. Administrative fines come from the Quebec data commission and can be up to $10 million CAD or, if greater, 2% of worldwide turnover.[15] Penal fines, on the other hand, can be between $15,000 CAD and $25 million CAD or, if greater, 4% of worldwide turnover.[16] Whether penal or administrative fines apply depends on the violation, the actor (business), and the history of such violations by the actor.

Key Takeaways

Companies subject to this law should consider immediately addressing any past-due 2022 requirements. One of the first items would be appointing a data protection officer in compliance with the law. If the company handles and uses biometric information to verify or confirm the identity of a person or creates a bank or database of biometric characteristics, notification to the Quebec data protection authority may be necessary. Lastly, a company may wish to create and implement a data breach response plan in accordance with the law to help avoid any delay if a breach does occur. Moving into 2023, companies subject to Quebec law may need to start complying with the more rigorous requirements prior to September.

  • Greenberg Traurig is not licensed to practice law in Canada and does not advise on Canada law. Specific Canada law questions and Canada legal compliance issues will be referred to lawyers licensed to practice law in Canada.

[1] Section 1, Law 25.

[2] For example, the sections that contemplate data protection officers and data breaches (3.1-3.5) apply to any person carrying on an enterprise.

[3] Section 2, Law 25.

[4] This is not an exhaustive list as there may be other actions organizations need to take depending on the specific situation.

[5] Section 3.1, Law 25.

[6] Section 3.5, Law 25.

[7] Section 45, Law 25.

[8] Sections 4 and 8, among others depending on collection, Law 25.

[9] Sections 3.1, 3.2, and 8.2, Law 25.

[10] Section 3.2, Law 25.

[11] Sections 30, 32, 33, 34, 35, and 39 of Law 25. 

[12] Sections 3.2 and 17, Law 25.

[13] Section 17, Law 25.

[14] Section 27, Law 25.

[15] Section 90.12, Law 25.

[16] Section 91, Law 25.
