Lori-Ann Yelle, B.A., CIP, CRM

Law 25: Your new business obligations

Digital transformation is upon us. Once an idea of the distant future, the process is currently in full swing. As a business, you store, exchange, receive, and request a significant amount of personal information every day. All of this is now embedded in our daily activities. This information comes from a number of sources related to your business, such as your customers, employees, suppliers, etc. How can you be certain that all of the personal data at your disposal is adequately protected?

According to the Canadian Internet Registration Authority (CIRA, 2020), 18% of SMEs will be hit by at least one cybersecurity incident over the course of their existence, and 60% of them will shut down as a result of the attack. In 2020, Statistics Canada released a report showing that 42% of Canadians have personally had to deal with at least one type of cybersecurity incident since the start of the year. From this perspective, it’s no surprise that the National Assembly of Québec adopted Law 25, An Act to modernize legislative provisions as regards the protection of personal information, in an effort to better regulate the protection of personal information.

Bill 64 will gradually be phased in over the next few years, and businesses that don’t comply could face financial penalties. The first of three phases began September 22, 2022.

Phase 1

As of September 22, 2022, your organization is required to designate a person who is responsible for the protection of personal information at your disposal (s. 3.1). This person is in charge of ensuring the implementation of and compliance with Quebec’s Private Sector Act, and their contact information needs to be posted on your company website.

Privacy breaches also need to be reported to the Commission d’accès à l’information (CAI) as well as to affected individuals who are at risk of serious harm. Accordingly, your business needs to keep a record of these incidents.

Phase 2

The second phase, which came into effect on September 22, 2023, is perhaps the most complex, as it involves implementing procedures and processes to provide a governance framework and ensure compliance. Your company needs to set up a team to implement and communicate the policies aimed at protecting the personal information at your disposal. It will also need to create a system for handling complaints.

Throughout this phase, several obligations need to be met, including:

  • Privacy Impact Assessments (PIAs)
  • Disclosure of information regarding the use of automated decision-making
  • If your company does business in other jurisdictions, research to ensure that personal information transferred to that jurisdiction will benefit from the same protection that is available in Quebec
  • If your company outsources the management of personal information, a written agreement outlining the vendor’s obligations with respect to such data
  • A framework for transparency requirements with respect to third parties who provide you with personal information, including the use of profiling, tracking, and identification technology

In phase 2, your business can also be subject to administrative sanctions and criminal penalties. You need to be meticulous, since these can reach up to $25 million and result in claims for punitive damages.

Phase 3

The final phase will come into effect on September 22, 2024. It gives individuals whose personal information you have collected the right to receive, upon request, a copy of their information in a structured and modern technological format.

When it comes to managing the risks associated with the personal information you have at your disposal, your business needs to be proactive. Over the past few years, the likelihood of experiencing a cybersecurity incident liable to compromise this data has skyrocketed. Time and time again, current events have shown us that all businesses, be they SMEs, multinational corporations, or companies in the agricultural sector, are vulnerable to being targeted by a cyber attack. Cyber insurance can protect you against such an attack, and your Lareau insurance broker is equipped to advise you.

For more information about the Act to modernize legislative provisions as regards the protection of personal information, please visit:

Bill 64, An Act to modernize legislative provisions as regards the protection of personal information – National Assembly of Québec (assnat.qc.ca)

Modernisation des lois sur la protection des renseignements personnels au Québec | Commission d’accès à l’information du Québec (gouv.qc.ca) (French only)


Lori-Ann Yelle, B.A., CIP, CRM Training Principal Director and Associate Partner
Damage Insurance Broker