HB Ad Slot
HB Mobile Ad Slot
Quebec’s Law 25: Many Provisions Take Effect Today
Friday, September 22, 2023

In September 2021, Quebec’s Parliament enacted Law 25, formerly known as Bill 64, (the Law), which updated Quebec’s data protection laws and added requirements for enterprises that do business within the province. The majority of the Law’s requirements become effective Sept. 22, 2023. Below is a brief list of compliance requirements and their effective dates.  

Compliance Requirements Taking Effect Today

Item Timeline
Collect and Process Personal Information Legally, including proper consent mechanisms if applicable1 Sept. 22, 2023
 
Public Privacy Policy2 Sept. 22, 2023
Company Data Protection Governance Policies3 Sept. 22, 2023
Data Subject Request Responses4 Sept. 22, 2023
Conduct Necessary Data Protection Impact Assessments5 Sept. 22, 2023
Conform to Law and Regulations on Data Transfers Outside of Quebec6 Sept. 22, 2023
Destruction or Anonymization of Data7 Sept. 22, 2023
Monetary Penalties and Damages8 Sept. 22, 2023

Previous and Upcoming Compliance Requirements  

Item Timeline
Appoint a Data protection Officer9 Sept. 22, 2022
Incident (“Confidentiality”) Response Plan10 Sept. 22, 2022
Disclosure to Commission of use of Biometric Information11 Sept. 22, 2022
Collect and Process Personal Information Legally, including proper consent mechanisms if applicable12 Sept. 22, 2023
Public Privacy Policy13 Sept. 22, 2023
Company Data Protection Governance Policies14 Sept. 22, 2023
Data Subject Request Responses15 Sept. 22, 2023
Conduct Necessary Data Protection Impact Assessments16 Sept. 22, 2023
Conform to Law and Regulations on Data Transfers Outside of Quebec17 Sept. 22, 2023
Destruction or Anonymization of Data18 Sept. 22, 2023
Monetary Penalties and Damages19 Sept. 22, 2023
Right to Portability20 Sept. 22, 2024

Penalties for Noncompliance

Administrative monetary penalties can result in fines up to CAD $10 million or 2% of the enterprise’s worldwide turnover, whichever is greater. Alternatively, general fines can be CAD $25 million or 4% of worldwide turnover, whichever is greater.  

Entities subject to the Law should conduct a comprehensive review of their data privacy procedures and practices to ensure compliance and avoid large penalties that the Law provides.    

Greenberg Traurig is not licensed to practice law in Canada and does not advise on Canada law. Specific Canada law questions and Canada legal compliance issues will be referred to lawyers licensed to practice law in Canada.

Mike Summers, Law Clerk/JD, also contributed to this article.


1 Sections 4 and 8, among others depending on collection, Law 25.

2 Section 3.1, 3.2, and 8.2, Law 25.

3 Section 3.2, Law 25.

4 Sections 30, 32, 33, 34, 35, and 39 of Law 25. 

5 Sections 3.2 and 17, Law 25.

6 Section 17, Law 25.

7 Section 23, Law 25

8 Sections 90-93, Law 25.

9 Section 3.1, Law 25.

10 Section 3.5, Law 25.

11 Section 45, Law 25.

12 Sections 4 and 8, among others depending on collection, Law 25.

13 Section 3.1, 3.2, and 8.2, Law 25.

14 Section 3.2, Law 25.

15 Sections 30, 32, 33, 34, 35, and 39 of Law 25. 

16 Sections 3.2 and 17, Law 25.

17 Section 17, Law 25.

18 Section 23, Law 25.

19 Sections 90-93, Law 25.

20 Section 27, Law 25.

HTML Embed Code
HB Ad Slot
HB Ad Slot
HB Mobile Ad Slot
HB Ad Slot
HB Mobile Ad Slot
 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins