/>iIn September 2021, Quebec’s Parliament enacted Law 25, formerly known as Bill 64, (the Law), which updated Quebec’s data protection laws and added requirements for enterprises that do business within the province. The majority of the Law’s requirements become effective Sept. 22, 2023. Below is a brief list of compliance requirements and their effective dates.
Compliance Requirements Taking Effect Today
| Item | Timeline |
| Collect and Process Personal Information Legally, including proper consent mechanisms if applicable1 | Sept. 22, 2023 |
| Public Privacy Policy2 | Sept. 22, 2023 |
| Company Data Protection Governance Policies3 | Sept. 22, 2023 |
| Data Subject Request Responses4 | Sept. 22, 2023 |
| Conduct Necessary Data Protection Impact Assessments5 | Sept. 22, 2023 |
| Conform to Law and Regulations on Data Transfers Outside of Quebec6 | Sept. 22, 2023 |
| Destruction or Anonymization of Data7 | Sept. 22, 2023 |
| Monetary Penalties and Damages8 | Sept. 22, 2023 |
Previous and Upcoming Compliance Requirements
| Item | Timeline |
| Appoint a Data protection Officer9 | Sept. 22, 2022 |
| Incident (“Confidentiality”) Response Plan10 | Sept. 22, 2022 |
| Disclosure to Commission of use of Biometric Information11 | Sept. 22, 2022 |
| Collect and Process Personal Information Legally, including proper consent mechanisms if applicable12 | Sept. 22, 2023 |
| Public Privacy Policy13 | Sept. 22, 2023 |
| Company Data Protection Governance Policies14 | Sept. 22, 2023 |
| Data Subject Request Responses15 | Sept. 22, 2023 |
| Conduct Necessary Data Protection Impact Assessments16 | Sept. 22, 2023 |
| Conform to Law and Regulations on Data Transfers Outside of Quebec17 | Sept. 22, 2023 |
| Destruction or Anonymization of Data18 | Sept. 22, 2023 |
| Monetary Penalties and Damages19 | Sept. 22, 2023 |
| Right to Portability20 | Sept. 22, 2024 |
Penalties for Noncompliance
Administrative monetary penalties can result in fines up to CAD $10 million or 2% of the enterprise’s worldwide turnover, whichever is greater. Alternatively, general fines can be CAD $25 million or 4% of worldwide turnover, whichever is greater.
Entities subject to the Law should conduct a comprehensive review of their data privacy procedures and practices to ensure compliance and avoid large penalties that the Law provides.
* Greenberg Traurig is not licensed to practice law in Canada and does not advise on Canada law. Specific Canada law questions and Canada legal compliance issues will be referred to lawyers licensed to practice law in Canada.
Mike Summers, Law Clerk/JD, also contributed to this article.
1 Sections 4 and 8, among others depending on collection, Law 25.
2 Section 3.1, 3.2, and 8.2, Law 25.
3 Section 3.2, Law 25.
4 Sections 30, 32, 33, 34, 35, and 39 of Law 25.
5 Sections 3.2 and 17, Law 25.
6 Section 17, Law 25.
7 Section 23, Law 25
8 Sections 90-93, Law 25.
9 Section 3.1, Law 25.
10 Section 3.5, Law 25.
11 Section 45, Law 25.
12 Sections 4 and 8, among others depending on collection, Law 25.
13 Section 3.1, 3.2, and 8.2, Law 25.
14 Section 3.2, Law 25.
15 Sections 30, 32, 33, 34, 35, and 39 of Law 25.
16 Sections 3.2 and 17, Law 25.
17 Section 17, Law 25.
18 Section 23, Law 25.
19 Sections 90-93, Law 25.
20 Section 27, Law 25.
