Quebec Law 25
An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information (Law 25)
Quebec's major privacy reform modernizing data protection laws with extraterritorial scope similar to GDPR. First Canadian provincial framework to directly address AI implications through automated decision-making provisions requiring disclosure, explanation rights, and human intervention options.
Jurisdiction
Quebec
CA-QC
Enacted
Sep 22, 2021
Effective
Sep 22, 2022
Enforcement
Commission d'accès à l'information du Québec (CAI)
Enacted September 22, 2021; phased implementation through 2024; right to data portability implemented September 22, 2024
What It Requires
Risk Assessment
Must evaluate and document potential harms before deployment
Transparency
Must disclose AI nature, data practices, or algorithmic decisions
Human Oversight
Must have human review for high-stakes decisions
User Rights
Must honor access, correction, and deletion requests
Incident Reporting
Must notify authorities of specific incidents
Harms Addressed
Who Must Comply
This law applies to:
- • For-profit, non-profit, government entities, and individuals acting in professional capacity
- • Extraterritorial scope: Quebec-based businesses and any company outside Quebec handling personal data of Quebec residents
Capability triggers:
Who bears obligations:
Safety Provisions
- • Right to be informed about automated decision-making using personal information
- • Right to explanation: personal information used, reasons/factors/parameters leading to decision
- • Right to object to automated decisions and request human intervention
- • Right to have personal information used in automated decisions corrected
- • Privacy Impact Assessments required for automated decision-making
- • Data Protection Officer (DPO) designation required
- • Data breach notification to CAI and affected individuals
- • Data subject rights: access, rectification, portability, de-indexation, information, objection
Compliance Timeline
Sep 22, 2022
Initial requirements active
Sep 22, 2023
Majority of requirements take effect
Sep 22, 2024
Final requirements including data portability take effect
Enforcement
Enforced by
Commission d'accès à l'information du Québec (CAI)
Penalties
C$10M or 2% revenue (whichever higher); C$1K/violation
Administrative fines up to CAD $10M or 2% of worldwide turnover (whichever higher); penal sanctions up to CAD $25M or 4% of global revenue for severe violations
Private Right of Action
Individuals can sue directly without waiting for regulatory action. This significantly increases liability exposure.
Quick Facts
- Binding
- Yes
- Mental Health Focus
- No
- Child Safety Focus
- No
- Algorithmic Scope
- Yes
- Private Action
- Yes
Why It Matters
Most comprehensive Canadian privacy law with AI provisions. Extraterritorial scope affects any company with Quebec users. Private right of action creates litigation risk. Lower threshold than GDPR - applies to all automated processing, not just significant/legal impact. Sets precedent for Canadian provincial AI regulation.
Recent Developments
Fully in effect as of September 22, 2024 with data portability rights. First Canadian provincial AI/automated decision-making regulation. Private right of action allows individuals to claim punitive damages (minimum CAD $1,000) and pursue collective action.
What You Need to Comply
Organizations using automated decision-making must inform individuals, provide explanations of personal information used and decision factors, allow correction of data, and offer human intervention. Must conduct PIAs for automated processing. Significant human intervention exempts from automated processing obligations.
NOPE can helpCite This
APA
Quebec. (2021). An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information (Law 25). Retrieved from https://nope.net/regs/ca-qc-law-25
BibTeX
@misc{ca_qc_law_25,
title = {An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information (Law 25)},
author = {Quebec},
year = {2021},
url = {https://nope.net/regs/ca-qc-law-25}
} Related Regulations
NZ Biometric Code
Sets specific legal requirements under Privacy Act for collecting and using biometric data such as facial recognition and fingerprint scans. Prohibits particularly intrusive uses including emotion prediction and inferring protected characteristics like ethnicity or sex.
Dominican Republic Law 172-13
Dominican Republic's data protection law establishing Habeas Data remedy but lacking dedicated supervisory authority.
Uruguay Law 18.331
Uruguay's comprehensive data protection law with EU adequacy status. Establishes automated decision-making rights and requires explicit consent for sensitive data.
Brazil AI Bill
Risk-based framework similar to EU AI Act. Would prohibit excessive-risk AI (social scoring, autonomous weapons), require impact assessments for high-risk AI, with penalties up to BRL 50M or 2% Brazilian turnover.
NY RAISE Act
Requires large AI developers of frontier models operating in New York to create safety protocols, report critical incidents within 72 hours, conduct annual reviews, and undergo independent audits. Creates dedicated DFS office funded by developer fees.
CT SB 1295
Creates COMPLETE BAN on targeted advertising to under-18s regardless of consent. Requires AI impact assessments. Connecticut issued first CTDPA fine ($85,000) in 2025.