Quebec Law 25
An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information (Law 25)
Quebec's major privacy reform modernizing data protection laws with extraterritorial scope similar to GDPR. First Canadian provincial framework to directly address AI implications through automated decision-making provisions requiring disclosure, explanation rights, and human intervention options.
Jurisdiction
Quebec
Enacted
Sep 22, 2021
Effective
Sep 22, 2022
Enforcement
Commission d'accès à l'information du Québec (CAI)
Enacted September 22, 2021; phased implementation through 2024; right to data portability implemented September 22, 2024
Quebec Official Gazette: Law 25
Why It Matters
Most comprehensive Canadian privacy law with AI provisions. Extraterritorial scope affects any company with Quebec users. Private right of action allows individuals to sue directly. Lower threshold than GDPR - applies to all automated processing, not just significant/legal impact. Sets precedent for Canadian provincial AI regulation.
Recent Developments
Fully in effect as of September 22, 2024 with data portability rights. First Canadian provincial AI/automated decision-making regulation. Private right of action allows individuals to claim punitive damages (minimum CAD $1,000) and pursue collective action.
At a Glance
Who Must Comply
- For-profit, non-profit, government entities, and individuals acting in professional capacity
- Extraterritorial scope: Quebec-based businesses and any company outside Quebec handling personal data of Quebec residents
Safety Provisions
- Right to be informed about automated decision-making using personal information
- Right to explanation: personal information used, reasons/factors/parameters leading to decision
- Right to object to automated decisions and request human intervention
- Right to have personal information used in automated decisions corrected
- Privacy Impact Assessments required for automated decision-making
- Data Protection Officer (DPO) designation required
- Data breach notification to CAI and affected individuals
- Data subject rights: access, rectification, portability, de-indexation, information, objection
Compliance & Enforcement
Key Dates
Sep 22, 2022
Initial requirements active
Sep 22, 2023
Majority of requirements take effect
Sep 22, 2024
Final requirements including data portability take effect
Penalties
C$10M or 2% revenue (whichever higher); C$1K/violation
Private Right of Action
Individuals can sue directly without waiting for regulatory action.
Compliance Help
Organizations using automated decision-making must inform individuals, explain the personal information used and the decision factors, allow correction of data, and offer human intervention. They must also conduct PIAs for automated processing. Where there is significant human intervention, the automated processing obligations do not apply.
See how NOPE helps
Cite This
APA
Quebec. (2021). An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information (Law 25).
Related Regulations
NZ Biometric Code
Sets specific legal requirements under Privacy Act for collecting and using biometric data such as facial recognition and fingerprint scans. Prohibits particularly intrusive uses including emotion prediction and inferring protected characteristics like ethnicity or sex.
AU Privacy Amendment 2024
Strengthens Privacy Act requirements for biometric data collection, raising the standard of conduct for collecting biometric information used for automated verification or identification. Cannot collect such information unless individual has consented and it is reasonably necessary.
Dominican Republic Law 172-13
Dominican Republic's data protection law establishing Habeas Data remedy but lacking dedicated supervisory authority.
Brazil AI Bill
Risk-based framework similar to EU AI Act. Would prohibit excessive-risk AI (social scoring, autonomous weapons), require impact assessments for high-risk AI, with penalties up to BRL 50M or 2% Brazilian turnover.
MN AI Disclosure Act
Requires businesses to disclose when individuals communicate with AI in textual or spoken conversations. Prohibits deception about AI vs. human interaction. Provides private right of action with damages up to $1,000 plus attorney fees. AG can impose civil penalties up to $5 million.
NY RAISE Act
Requires large AI developers of frontier models operating in New York to create safety protocols, report critical incidents within 72 hours, conduct annual reviews, and undergo independent audits. Creates dedicated DFS office funded by developer fees.
Last updated February 17, 2026. Verify against primary sources before relying on this information.