Quebec’s Law 25 (formerly Bill 64) is now fully in force.
The final phase—the right to data portability—took effect on September 22, 2024, completing a three-year rollout. Organizations “carrying on an enterprise” in Quebec must meet stricter consent, transparency, governance, and rights obligations, with administrative monetary penalties up to C$10M or 2% of worldwide turnover and penal fines up to C$25M or 4% for serious violations.
The guide below clarifies requirements, compares Law 25 and GDPR, and shows how modern data governance—particularly a data catalog, lineage, and a governed Data Products Marketplace—helps you comply and keep pace with change. Let’s dive in!
Law 25 modernizes Quebec’s private-sector privacy framework and strengthens individuals’ control over their data. Crucially, it applies broadly to any organization “carrying on an enterprise” in Quebec, including many Canada-wide and U.S. brands with Quebec customers or employees. If you do business in Quebec and handle personal information about Quebec residents, you’re in scope.
Why this matters now:
Final phase completed. The last tranche (data portability) took effect on Sept 22, 2024. Organizations must be able to return computerized personal information in a structured, commonly used technological format and, on request, transmit it to an authorized third party. Response timelines align with access requests (~30 days).
Enforcement has teeth. The regulator (CAI) can impose administrative monetary penalties and pursue penal proceedings; maximums reach C$10M/2% (AMPs) and C$25M/4% (penal).
Oversight is active: in 2023–2024 the CAI received 444 confidentiality-incident reports and tracked hundreds of related files, evidence that expectations are rising. (CAI 2023–2024 Annual Report, Oct 1, 2024.)
| Date | What took effect |
|---|---|
| Sept 22, 2022 | Privacy officer designation; incident reporting; initial transparency and governance changes. |
| Sept 22, 2023 | Privacy by default; detailed consent rules; PIAs for systems/projects; cross-border transfer assessments; children's data safeguards. |
| Sept 22, 2024 | Right to data portability (final phase): provide data in a structured, commonly used technological format and, on request, transmit it to an authorized recipient; respond within ~30 days. |
Law 25 is no longer “upcoming.” It’s here. Ask yourself: Can we evidence consent, complete PIAs, answer portability requests within ~30 days, and prove governance at every step?
Meanwhile, privacy enforcement globally keeps trending up—GDPR fines have reached ~€5.65B cumulatively as of March 1, 2025, signaling regulators’ sustained focus on data rights and controls.
| Topic | Law 25 (Quebec) | GDPR (EU) |
|---|---|---|
| Scope | Applies to anyone carrying on an enterprise in Quebec handling Quebec residents' PI. | Applies to controllers/processors established in the EU, or offering goods/services to or monitoring the behaviour of individuals in the EU. |
| Legal basis | Consent emphasized; limited cases where PI may be communicated without consent (e.g., research, commercial transactions) under conditions. | Multiple legal bases (consent, contract, legitimate interests, etc.). |
| PIAs/DPIAs | Mandatory for any project to acquire, develop or overhaul an information system or electronic service delivery involving PI, and before communicating PI outside Quebec; proportionate to the sensitivity, volume and purpose of the information. | Required for high-risk processing (Art. 35). |
| Consent | Must be manifest, free, informed and given for specific purposes; written consent requests presented separately; special safeguards for minors (<14 generally requires parental consent). | Freely given, specific, informed, unambiguous; the age threshold for children varies by member state (13–16). |
| Cross-border | Must perform a privacy assessment before communicating PI outside Quebec; allowed only if the assessment shows adequate protection, with a written agreement that reflects it. | Transfers require adequacy, SCCs, BCRs, etc. |
| Data portability | In force Sept 22, 2024; provide computerized PI collected from the person in a structured, commonly used format; ~30-day response. | Art. 20 right; typically within one month. |
| Penalties | AMPs: up to C$10M or 2% of global revenue; penal fines: up to C$25M or 4%. | Up to €20M or 4% of global revenue. |
Quebec Law 25 gives individuals the right to data portability: the right to receive the computerized personal information collected from them in a structured, commonly used technological format, or to have it transmitted to an authorized third party. Note the scope: information collected from the person, not information the organization created or inferred about them (a churn score, for example). To meet this requirement, organizations must:
Verify data subject identities and authenticate portability requests before any data leaves the organization; an unauthenticated portability endpoint is an exfiltration channel.
Develop secure methods for extracting, formatting, and transmitting personal data, including integrity protection for the exported package.
Fulfill data portability requests within 30 days of receipt.
Transmit the data to another organization when the individual asks for it and the recipient is authorized to collect it.
Achieving data portability compliance demands close coordination among privacy, IT, and data governance teams to ensure accuracy, security, and timeliness in data transfers.
| Requirement | What "good" looks like | Owner(s) |
|---|---|---|
| Appoint Privacy Officer | Title + contact published; delegated responsibilities documented. | C-suite, Legal |
| Consent & Notices | Purpose-specific, plain-language notices; separate written consent; records of preferences; parental consent workflows for <14. | Marketing, Product, Legal |
| PIAs | Risk-proportionate PIAs for new/changed systems and for communications outside Quebec; residual risk logged + mitigations tracked. | Security, Architecture, Privacy |
| Cross-Border Governance | Transfer assessments; contracts updated; monitoring of recipients' safeguards. | Legal, Procurement |
| Incident Response | Register of confidentiality incidents; CAI + affected individuals notified when there is a "risk of serious injury." | SecOps, Privacy |
| Portability | Self-service intake; identity verification; export in structured, commonly used format; respond in ~30 days. | Privacy Ops, Data Eng |
| Training & Governance | Policy refresh; role-based training; visible data-handling rules. | HR, Privacy |
| Documentation & Reporting | Evidence repository for audits: policies, PIAs, transfer assessments, incident logs, DSR metrics. | Privacy PMO |
To operationalize Law 25, focus on these priority actions:
Run a portability “fire drill.” Simulate a full end-to-end request: intake, authentication, extraction, formatting, and delivery. Time the process and stress-test your workflows. This not only proves readiness but highlights weak links before regulators or customers do.
Re-baseline PIA coverage. Review all systems and projects that process personal information. Ensure Privacy Impact Assessments are documented, risk-ranked, and updated for any material changes since 2023. Regulators expect living documents, not one-off exercises.
Publish and verify your privacy officer details. Confirm your designated officer’s name and contact information are easy to find on your website and in internal policies. CAI guidance emphasizes visibility, so test by asking: “Can a consumer or employee find this in two clicks?”
Validate cross-border transfer safeguards. Inventory all vendors and affiliates receiving Quebec personal data outside Quebec; the assessment obligation applies to communications outside the province, not only outside Canada. Check that transfer assessments are documented, contracts reflect Law 25 requirements, and monitoring mechanisms are in place. This is a recurring compliance pressure point for global organizations.
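The portability steps listed earlier (verify, extract, format, transmit, respond within 30 days) and the "fire drill" above can be rehearsed in code. The following is an added example written for this article, not code from Alation or from the CAI; the in-memory systems, the `provenance` tag on each record, the `run_drill` helper and the 30-day constant are all assumptions constructed for the illustration. The two gates are the security-relevant part: nothing is exported until identity is verified, and inferred attributes are dropped because Law 25's portability right covers information collected from the person, not information created or inferred about them.

```python
"""Portability request fire drill (added example, not Alation's or the CAI's code).

Walks one request through intake, identity verification, extraction,
formatting and delivery against constructed in-memory data.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RESPONSE_DAYS = 30  # assumption: the ~30-day access timeline the article cites

# Constructed sample systems. Each record carries a "provenance" tag so the
# export can keep data collected from the person and drop inferred data.
SYSTEMS = {
    "crm": [
        {"subject_id": "S-1001", "field": "email", "value": "a@example.com", "provenance": "collected"},
        {"subject_id": "S-1001", "field": "postal_code", "value": "H2X 1Y4", "provenance": "collected"},
        {"subject_id": "S-1001", "field": "churn_score", "value": 0.81, "provenance": "inferred"},
        {"subject_id": "S-2002", "field": "email", "value": "b@example.com", "provenance": "collected"},
    ],
    "orders": [
        {"subject_id": "S-1001", "field": "order_history", "value": ["O-1", "O-2"], "provenance": "collected"},
    ],
}


@dataclass
class PortabilityRequest:
    request_id: str
    subject_id: str
    received_on: date
    identity_verified: bool = False
    recipient: Optional[str] = None  # hypothetical authorized third party, if any

    @property
    def deadline(self) -> date:
        return self.received_on + timedelta(days=RESPONSE_DAYS)


def extract(subject_id, systems=SYSTEMS):
    """Gather one subject's records across all systems, keeping only data
    collected from the person (created/inferred information is out of scope)."""
    out = {}
    for name, rows in systems.items():
        keep = [r for r in rows if r["subject_id"] == subject_id and r["provenance"] == "collected"]
        if keep:
            out[name] = {r["field"]: r["value"] for r in keep}
    return out


def fulfil(req: PortabilityRequest, today: date):
    """Run the full drill; returns the export package or raises on a failed gate."""
    if not req.identity_verified:
        # Gate 1: an unverified portability request is a data leak, not a right.
        raise PermissionError(f"{req.request_id}: identity not verified; refusing export")
    data = extract(req.subject_id)
    body = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return {
        "request_id": req.request_id,
        "subject_id": req.subject_id,
        "format": "application/json",  # structured, commonly used technological format
        "recipient": req.recipient or "data subject",
        "generated_on": today.isoformat(),
        "deadline": req.deadline.isoformat(),
        "on_time": today <= req.deadline,
        "sha256": hashlib.sha256(body).hexdigest(),  # lets the recipient check integrity
        "payload": json.loads(body),
    }


def run_drill(request_id, subject_id, received_on, today, verified, recipient=None):
    """Convenience wrapper taking ISO dates, so the drill can be scripted."""
    req = PortabilityRequest(request_id, subject_id, date.fromisoformat(received_on),
                             identity_verified=verified, recipient=recipient)
    return fulfil(req, date.fromisoformat(today))


if __name__ == "__main__":
    print(json.dumps(run_drill("PR-1", "S-1001", "2025-01-06", "2025-01-20", True), indent=2))
```

Time the drill end to end and keep the package's `sha256` and `deadline` fields in the request log; together they are the evidence that the export was delivered intact and on time.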
Adopt technology solutions to automate and streamline compliance processes. Data leaders should:
Automate consent and data portability processes: Manual management of consent and data portability requests is often time-intensive and prone to errors. Consent management platforms can streamline the collection, tracking, and management of user consent preferences across channels. Data portability solutions enable secure and automated transfers of personal data upon individual request.
Prioritize minors' data protections: Quebec Law 25 imposes stringent safeguards for minors' personal information. Consent for a child under 14 must come from a parent or guardian, unless collection is clearly for the minor's benefit. Implement robust age verification and mechanisms for obtaining verifiable parental consent.
Implement data discovery and classification tools for identifying sensitive data, privacy-enhancing technologies (PETs) for anonymization and pseudonymization, and incident response platforms for managing confidentiality incidents.
Explore data catalog solutions that provide centralized visibility into data assets and automated compliance monitoring, essential for streamlined PIAs and data subject rights management.
Automation reduces the risk of human error and ensures consistent adherence to privacy requirements.
Compliance with Law 25 at enterprise scale requires more than policies written in binders. Organizations need consistent metadata, auditable processes, and controlled access—backed by automation. A modern data catalog gives leaders the ability to embed policies directly into data workflows, automate enforcement through bulk actions, and reduce manual overhead.
Crucially, data catalogs also serve as the bridge between governed data products and compliant self-service analytics. By curating and enforcing rules at the data layer, organizations empower business users to innovate with confidence—driving data democratization that’s safe, auditable, and aligned with regulatory obligations.
A Data Products Marketplace gives business users a curated, governed way to discover and request data with embedded policies, approvals, and access controls, reducing unauthorized processing and keeping use aligned with consent and purpose.
Compliance is not a project; it's a product. Treat governed data products as living assets with owners, SLAs, and controls that evolve as laws change.
A data product operating model makes this concrete through lifecycle stewardship: product owners can update, retire, or re-certify data products as regulations evolve, so compliance is built into the asset rather than bolted on afterwards.
A Data Products Builder Agent can speed the creation and upkeep of compliant data products. These AI-powered assistants can:
Auto-suggest business-friendly descriptions.
Tag sensitive fields such as identifiers or health data.
Recommend and wire appropriate approval workflows.
By embedding compliance controls directly into the build process, AI agents reduce administrative burden and help ensure that controls follow the data wherever it travels. This scalability is key to staying compliant over time, even as your data ecosystem grows.
Under Law 25, Privacy Impact Assessments (PIAs) are required for projects and systems that involve personal information. These assessments evaluate the potential risks to individual privacy and identify safeguards. Without the right tools, PIAs can be time-intensive and fragmented.
Catalog for context. A data catalog centralizes both technical and business metadata, links steward ownership, and connects policies to specific assets. This foundation streamlines PIAs, helps privacy officers demonstrate compliance to the CAI, and reduces the time needed to validate risk assessments.
Lineage for traceability. Data lineage provides an end-to-end map of how personal information flows across systems, who has access, and which reports or dashboards consume it. This transparency is essential for impact assessments, cross-border data checks, and fulfilling portability requests within the ~30-day requirement.
Think of lineage as the “flight path” for personal data—from source to every downstream table, model, dashboard, and export—so you can answer “where is this PI used, and what happens if we change or delete it?”
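The "flight path" question ("where is this PI used, and what happens if we change or delete it?") is a graph traversal over lineage metadata. The block below is an added example written for this article, not Alation's lineage implementation; the asset inventory, the `region` and `pi` tags and the edge list are constructed sample data. A breadth-first walk from a source table returns every downstream consumer with its distance, and filtering on the region tag answers the cross-border question that a Law 25 transfer assessment starts from.

```python
"""Lineage walk for a PIA / cross-border check (added example, not Alation's code).

Lineage is modelled as a directed graph: an edge (src, dst) means dst is
derived from src. Given an asset that holds personal information, downstream()
returns every asset that consumes it, and the region tag on each asset shows
which consumers sit outside Quebec.
"""
from collections import deque

# Constructed asset inventory: kind, hosting region, and PI fields present.
ASSETS = {
    "crm.customers": {"kind": "table", "region": "QC", "pi": ["email", "postal_code"]},
    "dw.dim_customer": {"kind": "table", "region": "QC", "pi": ["email"]},
    "dw.fact_orders": {"kind": "table", "region": "QC", "pi": []},
    "ml.churn_features": {"kind": "dataset", "region": "US", "pi": ["email_hash"]},
    "bi.churn_dashboard": {"kind": "dashboard", "region": "US", "pi": []},
    "export.partner_feed": {"kind": "export", "region": "EU", "pi": ["email"]},
}
# Constructed dataset-level "feeds" relationships.
EDGES = [
    ("crm.customers", "dw.dim_customer"),
    ("crm.customers", "dw.fact_orders"),
    ("dw.dim_customer", "ml.churn_features"),
    ("ml.churn_features", "bi.churn_dashboard"),
    ("dw.dim_customer", "export.partner_feed"),
]


def build_graph(edges):
    """Adjacency list; every node appears as a key even if it has no children."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, []).append(dst)
        graph.setdefault(dst, [])
    return graph


def downstream(graph, start):
    """Breadth-first walk from `start`; returns {asset: hops_from_start}.
    Handles cycles (re-processed feeds) via the visited set."""
    seen = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    seen.pop(start)
    return seen


def cross_border_consumers(graph, assets, start, home="QC"):
    """Downstream assets hosted outside the home jurisdiction: each one needs a
    documented transfer assessment before PI may flow to it."""
    return sorted(a for a in downstream(graph, start) if assets[a]["region"] != home)


def impact_report(assets, edges, start):
    """What a deletion or schema change at `start` would touch, grouped by kind."""
    graph = build_graph(edges)
    hops = downstream(graph, start)
    by_kind = {}
    for asset, distance in hops.items():
        by_kind.setdefault(assets[asset]["kind"], []).append((asset, distance))
    return {
        "source": start,
        "consumers": len(hops),
        "by_kind": {k: sorted(v) for k, v in by_kind.items()},
        "outside_quebec": cross_border_consumers(graph, assets, start),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(impact_report(ASSETS, EDGES, "crm.customers"), indent=2))
```

In a real catalog the edges come from query logs, ETL job metadata and BI connectors rather than a hand-written list, but the walk is the same; the useful check is that every asset in `outside_quebec` has a transfer assessment on file.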
(Learn more about data lineage.)
The most effective compliance programs meet users where they work. By embedding policies and usage rules into the everyday data experience—whether in the marketplace, catalog search, or browser extensions—organizations nudge employees toward compliant behavior naturally, without slowing them down.
This approach turns governance from a barrier into an enabler: employees discover not just the right data, but also the right way to use it safely and legally.
For a vision of where catalogs are going—and why governance + AI agents are converging—see Alation’s perspective on Reinventing Data Catalogs for Governance with AI Agents.
Quebec Law 25 raises the bar for data protection in North America, and enforcement is already active. For organizations, the challenge is twofold: avoiding penalties while also enabling innovation.
By investing in a modern data catalog, governed data products, AI-assisted automation, and end-to-end lineage, businesses can transform compliance from a reactive project into a repeatable, scalable discipline. Done right, Law 25 compliance doesn’t just protect your organization—it builds trust, fuels compliant self-service analytics, and unlocks a foundation for responsible innovation.
Ready to operationalize Law 25? See a demo of how a catalog, lineage, and a governed marketplace simplify PIAs, portability, and proof of compliance.
Commission d’accès à l’information du Québec – Principaux changements (overview of obligations, AMPs, PIAs, transfers). (CAI Québec)
CAI – Rapport annuel d’activités 2023–2024 (incidents and activity statistics). (CAI Québec)
McMillan LLP – Québec’s New Data Portability Law (final phase date and scope context). (McMillan LLP)
DLA Piper – Right to data portability in Quebec (30-day response timeline guidance). (DLA Piper)
Osler – Enforcement scheme (penal fines up to C$25M/4%). (Osler, Hoskin & Harcourt LLP)
CMS – GDPR Enforcement Tracker Report 2024/2025 (global fines ~€5.65B). (CMS Law)
Yes—if you carry on an enterprise in Quebec and handle Quebec residents’ personal information, you’re in scope. (McMillan LLP)
Private-sector organizations generally follow the ~30-day access timeline for portability responses. Plan exports in structured, commonly used formats (e.g., CSV/JSON/XML). (DLA Piper)
The CAI can issue administrative penalties and pursue penal fines (up to C$25M/4%). Activity indicators—like 444 confidentiality-incident declarations in 2023–2024—show active oversight. (CAI Québec)
GDPR maturity helps, but Law 25 has local specifics: privacy assessments before any communication of PI outside Quebec (including to the rest of Canada); notice when technology that identifies, locates or profiles a person is used, and when a decision is based exclusively on automated processing; privacy by default settings; and the under-14 parental consent threshold. Map your GDPR controls to Law 25 requirements and fill the gaps. (CAI Québec)