Quebec Law 25 and the Private Sector Act, explained

Last reviewed 2026-06-29 · Plain-language summary, not legal advice.

Law 25 — introduced as Bill 64 and formally the Act to modernize legislative provisions as regards the protection of personal information — is the law that transformed Quebec's private-sector privacy rules. It did not create a standalone statute; it heavily amended the existing Act respecting the protection of personal information in the private sector. You can read the consolidated Act, as amended, on the official Légis Québec site: Act respecting the protection of personal information in the private sector (CQLR, c. P-39.1). Phased in from 2022 to 2024, Law 25 is the most demanding privacy regime in Canada and the closest to the European GDPR.

The person in charge of the protection of personal information

Every enterprise must designate a person in charge of the protection of personal information. By default this role falls to the person with the highest authority in the organization, who may delegate it in writing. Their title and contact details must be published on the enterprise's website. This is Quebec's equivalent of a privacy officer, but the default-to-the-top rule makes accountability unavoidable.

Privacy impact assessments and transfers outside Quebec

Law 25 requires a privacy impact assessment (PIA) for any project to acquire, develop, or overhaul an information system involving personal information. Separately, before communicating personal information outside Quebec, an enterprise must assess factors including the sensitivity of the information, the purposes, the protections in place, and the legal framework of the destination jurisdiction. This transfer-assessment duty is one of the most operationally significant differences from PIPEDA, which imposes accountability but no formal pre-transfer assessment.

Confidentiality incidents: the register and the reports

Law 25 uses the term confidentiality incident rather than "breach." Where an incident presents a risk of serious injury, the enterprise must notify the Commission d'accès à l'information (CAI) and the affected individuals promptly. Critically, every enterprise must keep a register of confidentiality incidents — including those that did not require notification — much like PIPEDA's breach-record duty, but with its own Quebec framing.

Consent, transparency, and new individual rights

Consent under Law 25 must be clear, free, and informed, and given for specific purposes; for sensitive information it must be express. There are heightened rules for minors under 14, a transparency duty around automated decision-making, a right to de-indexing (cessation of dissemination), and — since September 2024 — a right to data portability. Privacy-by-default settings are required for technology that collects personal information.

Enforcement and how Law 25 sits with PIPEDA

The CAI oversees the regime and can levy administrative monetary penalties up to CAD $10 million or 2% of worldwide turnover, with penal fines reaching CAD $25 million or 4% — plus a private right of action. For organizations operating in Quebec, Law 25 governs intra-provincial activity, while PIPEDA continues to apply to personal information that crosses provincial or national borders. If you are unsure which applies, start with federal vs provincial: which privacy law applies? When a Quebec buyer tests your posture, our Law 25 questionnaire guide shows how to answer.