Law 25 (formerly Bill 64) – Quebec’s newest privacy legislation

On June 12, 2020, the Quebec government introduced a bill to modernize the province’s privacy legislation, which will apply to public bodies and private enterprises established in Quebec as well as any business that has a digital presence in Quebec.

person researching Bill 64 on phone

Law 25 (formerly Bill 64) impacts how businesses collect and store personal data pertaining to their customers, clients, employees, etc. Any business that has a digital presence in Quebec could be fined if the new Bill 64 requirements are not properly met – especially in the event of a security breach. Businesses could face fines of up to $25 million or 4% of its previous year’s worldwide turnover. Non-compliance could also damage an organization’s reputation.


Law 25 (formerly Bill 64) introduces a number of new requirements. By default, the person exercising the highest authority within the organization would be responsible to ensure that the organization implements and complies with the Act, once it’s passed. This person can delegate all or parts of that function to a Chief Privacy Officer.


Law 25 (formerly Bill 64) brings forth several new requirements that apply to all businesses in every industry if they have a digital presence in Quebec:

  • New breach notification requirements: i.e., the timely notification of any confidentiality incident to the Comission d’accès à l’information (CAI).
  • New individual rights: the right to be forgotten, the right to object automated decision-making, the right to de-indexing, etc.
  • New outsourcing requirements: written agreements need to be in place when outsourcing is involved to present the third party’s measures to ensure personal data privacy.
  • Privacy impact analysis: would be required to assess if your projects involve personal data and determine how best to secure said data.
  • More requirements include (but are not limited to): governance policies and practices, data privacy policies, employees and organizational awareness and training, and time constraints.

Learn more about how Law 25 (formerly Bill 64) impacts your business


Six questions business owners should ask themselves.

  1. Where and how is your organization’s data stored?
  2. What type of personal data is stored or used by your organization?
  3. How many third parties have access to your organization’s personal data?
  4. Do you have personal data protection policies?
  5. What measures are in place at your organization to protect the personal data of your employees and customers?
  6. Do you have efficient practices and internal controls in place to ensure personal data security?


The compliance process is long, requires many diagnostics, resources and a detailed understanding of the law. Our multidisciplinary experts can assist you in all strategic actions leading to compliance with Law 25 (formerly Bill 64) and with all tactical actions ensuring your business remains compliant going forward.

strategic actions - diagnostic of the effectiveness of internal controls; developing a risk register of all the risks surrounding data privacy; developing and implementing sustainable action plans and roadmaps; Tactical actions - implementing an operational plan for compliance; drawing up an inventory of the information collected, processed and stored by your company; identifying critical IT hardware and software assets; implementing mitigation measures; monitoring the implementation of action plans and roadmaps.