Law 25: we get you there, painlessly.

Frequently asked questions

Frequently asked questions about Law 25.

Can't find your answer? write to us.

• Who is subject to Law 25?

  Any organization operating in Québec that collects, uses or stores personal information: SMBs, nonprofits, professionals (CPAs, lawyers, notaries, physicians), municipalities, public bodies, healthcare institutions. The obligations are scaled to the size and sensitivity of the data, but no organization is exempt.

• What are the main obligations in 2026?

  Designate a Privacy Officer, publish a compliant privacy policy, maintain a register of processing activities and incidents, carry out Privacy Impact Assessments (PIAs), assess transfers outside Québec, enable data portability (since Sept. 2024), inform individuals about automated decisions (Article 12.1), and notify the CAI in the event of an incident.

• What are the real penalties for non-compliance?

  Three cumulative levels of risk: (1) Administrative monetary penalties of up to $10M or 2% of worldwide turnover, imposed by the CAI without trial. (2) Penal sanctions of up to $25M or 4% of worldwide turnover for more serious offenses. (3) Private civil remedies (Art. 93.1) since Sept. 2023: anyone harmed can now sue your organization directly, with punitive damages of at least $1,000. For a Québec SMB, a poorly handled incident can cost several hundred thousand dollars.

• How does Law 25 apply to Copilot and AI tools?

  Article 12.1 requires any organization using a system that makes decisions based exclusively on automated processing to inform the individual concerned. Microsoft 365 Copilot and AI agents fall under this obligation as soon as they influence a decision about an employee, customer or supplier. In addition, a Copilot rollout often reveals SharePoint/Teams oversharing situations that are themselves potential Law 25 violations. That's why we always combine an oversharing audit with a Copilot deployment.

• What's the difference between Law 25 (Québec), C-27 (Canada) and GDPR (Europe)?

  Québec's Law 25 has been in force since 2022–2024 (in phases). The federal Bill C-27 (CPPA) is still at the legislative stage and will replace PIPEDA once adopted. The European GDPR applies if you process the data of European residents. Law 25 is inspired by the GDPR but stricter on data residency and transfers outside Québec. For a Québec-based multinational, we document a unified compliance posture that satisfies all three regimes.

• How long does it take to become compliant?

  For an SMB: 4 to 8 weeks with our methodology. For a professional firm: 6 to 10 weeks. For a public body or a CIUSSS: 12 to 20 weeks depending on complexity and the number of systems. We always deliver: a register of processing activities, a privacy policy, sample PIAs, internal procedures, training for the Privacy Officer and teams, and an annual audit plan.