Law 25 compliance milestone dates and business issues

Doing business in Quebec? You must comply with Privacy Act 25. If you are present elsewhere in Canada, you will either be subject to the laws of Ontario, Alberta or the Canadian government’s Consumer Privacy Act (LPVPC).

Doing business in Europe? you must comply with the European standard of the General Data Protection Regulation (RGPD, GDPR in English.) More globally, 71% of countries have adopted a law on the protection of personal information and 9% are in the process of drafting such a law.

Pierre Farley
Partner and CIO Eficio ​

Enforce Privacy Act 25 with milestones that need to be implemented now. In summary, Law 25 must be applied in 3 steps:

September 2022

• If this role does not already exist, appoint a Privacy Officer (sometimes named Chief Privacy Officer)

• Mandatory disclosure in the event of a privacy-threatening incident or cyber-attack. Both the citizens affected and the access to information commission.


September 2023

• Have a privacy policy, written in simple and clear terms, which must be displayed on the website or published in an appropriate manner.

• Governance of Personal Information. Internal roles and responsibilities, complaint handling process, categorization of information assets, data retention and destruction, monitoring.

• The protection of personal information must be an integral part of the corporate culture. For example, with each acquisition or process transformation, the impact assessment must be completed and documented (new system, agreement with third parties, communication of information outside the province)

September 2024

• Process and structured format of the data that can be extracted allowing the portability of the information following the request of a citizen.

• Be able to clearly explain the origin of the personal data and means of providing the required information.

The financial impacts from September 2023

It is impossible to talk about Law 25 without mentioning the potential financial impacts. The Access to Information Commissioner has the power, as of September 2023, to impose dissuasive sanctions on offenders. These penalties can be up to $25,000,000 or 4% of the organization’s worldwide revenue. In case of recidivism, these fines will be doubled. In addition to the foregoing, persons who have been harmed and such harm is intentional or the result of gross negligence, the court will award punitive damages of at least $1,000 per case. How to calculate the cost that a breach will have on the reputation of the organization?

The implementation of governance for the protection of personal information, increasing control, transparency, the consent of individuals and cybersecurity in general are items that must be put in place to limit the risk of leaks and the imposition of ‘a penalty.

The challenges and complexity to be expected

The compliance project will require planning and changes are to be expected in governance, legal, marketing, procedures, operations and information systems. One of the first elements to undertake will be to list all personal information, define the sensitive data attached to it, the reason why each recurrence of this data is necessary, the method used for collection and the associated consent.

Data mapping is therefore strongly recommended to carry out the entire project. Obviously, each organization will have a higher or lower complexity, depending on its size and the type of data it manages. In addition to data mapping, what are the elements provided for in the law that are likely to have higher implications?

Privacy policy: A citizen must be in control of his personal information. A clear policy must inform the citizen in a clear and transparent way. In particular, the personal information that is collected, the purposes for which the information is collected, the means by which the information is collected, their rights, the retention period of the information and the contact details of the person responsible for the protection of personal information.

The right to transparency, rectification, erasure and portability: Citizens have more power over their data. He may request to obtain the data concerning him from the organizations, validate them and request rectification, deletion and portability. To satisfy this right, organizations must have a mechanism for extracting data in a standard format.

Framework for decisions based exclusively on automated processing: For more advanced systems that base automated decisions on personal information, transparency will be required regarding the decision-making process that led to the decision. People will be able to obtain the decisional information used to maintain control and ensure that the right decision is made. Organizations with this type of system, based on analytics or artificial intelligence, will need to document their decision-making process and be able to explain the decision-making to a citizen.

Transparency with respect to confidentiality incidents: In the event of a confidentiality incident, organizations have an obligation to take the necessary measures to reduce the risk of harm to the persons concerned and also to act in order to prevent that this type of incident does not happen again. In cases where serious harm to the persons concerned could result, organizations are required to inform the persons concerned and notify the access to information commission of the incident. Organizations must keep a register of all confidentiality incidents, which can be consulted by the access to information commission.

Privacy by design is by default: Privacy impact assessment helps determine whether initiatives or projects involving the use of personal information pose privacy risks . This assessment of risk factors also makes it possible to measure, describe and quantify these risks as well as to propose solutions with the aim of eliminating them or reducing them to an acceptable level. It is implied that personal information is automatically protected without any further action being required by an individual. This exercise forces the organization to question itself, from the start of a project, on the risks it raises and on the measures to be taken to ensure compliance with the principles of protection of personal information.

Consent: Consent to the collection, use or disclosure of personal information must be requested separately for each type provided by law and separately from any other information communicated to individuals. Some information requires a higher degree of protection considering the greater risks of invasion of privacy. For young people under the age of 14, consent will be required from the holder of parental authority for the collection, use or communication of personal information. These obligations may have a significant impact on current collection processes and relevant systems.

Several other elements are also to be considered such as communication outside Quebec, agreement with third-party suppliers, depersonalization of data and traceability. To understand its implication, the organization will have to analyze its situation and make an action plan accordingly. Knowledge and interpretation of Law 25 on the protection of personal information is essential to the success of implementation.

Organizations must be able to demonstrate that they have acted responsibly in the application of Law 25 and that they have taken the necessary steps to protect the personal information entrusted to them. It is therefore implicit that organizations must have cybersecurity rules in place to fulfill this portion of the requirements.

Eficio has integrated into the CISO 360 (Cyber-risks posture) an impact analysis process of Law 25 as well as the establishment of an action plan. More articles on the subject will be published shortly.

Subscribe to the Eficio newsletter and be the first to receive our updates!