Compliance Briefing — September 22, 2023
Phase two of Quebec's Law 25 now enforces privacy officer designation, PIA, and incident reporting rules, requiring boards to tighten governance, embed implementation sprints across systems and vendors, and elevate DSAR and automated decision transparency for Quebec residents.
On 22 September 2023 the second phase of Quebec's Act to modernize legislative provisions respecting the protection of personal information—commonly known as Law 25—entered into force. This milestone introduces sweeping obligations for private-sector enterprises and public bodies, including mandatory appointment of a privacy officer, expanded transparency requirements, privacy impact assessments (PIAs), confidentiality incident reporting, and enhanced data subject rights. Organisations operating in Quebec, regardless of whether their headquarters are elsewhere, must respond with rigorous governance, disciplined implementation, and strengthened data subject access request (DSAR) operations to avoid penalties that can reach CAD 25 million or 4% of worldwide turnover.
Phase two builds on 2022's initial obligations by operationalising core components of modern privacy governance. Controllers must publish clear privacy policies, notify individuals when using automated decision systems, obtain express consent for profiling or certain marketing practices, and establish mechanisms for reporting confidentiality incidents to the Commission d’accès à l’information du Québec (CAI). Because Law 25 applies to both personal information collected from Quebec residents and data held by organisations established in the province, boards need to consider the law's extraterritorial reach and harmonise compliance with federal PIPEDA and international frameworks.
Governance imperatives for boards and executives
Boards should designate the privacy officer—called the person in charge of the protection of personal information—and document the officer's mandate, resources, and reporting line to senior leadership. The default is the chief executive, but boards may delegate in writing to a qualified executive; this decision and rationale should appear in board minutes. Audit committees ought to oversee a Law 25 compliance plan that inventories obligations, target dates, and responsible owners. Key focus areas include policy updates, PIA methodology, incident response, DSAR enhancements, and third-party management.
Governance frameworks must incorporate Law 25 into enterprise risk management. Risk registers should identify high-impact processing activities—such as large-scale behavioural analytics, AI-driven decisioning, or cross-border outsourcing—and document controls, mitigation actions, and residual risk. Boards should request quarterly dashboards summarising DSAR metrics, confidentiality incident reports, PIA status, and compliance training completion. Where organisations operate across multiple provinces or countries, governance documents should describe how Law 25 compliance integrates with global privacy programs to avoid conflicting instructions.
Executives must ensure that the privacy officer has authority to influence product roadmaps, procurement decisions, and incident response. This includes approving PIA templates aligned with CAI guidance, chairing a privacy steering committee, and escalating systemic risks to the board. Senior management should also maintain regulatory engagement strategies, monitoring CAI publications, guidance, and enforcement actions to update policies promptly.
Implementation roadmap: policies, PIAs, incident response, and vendors
Policy updates represent a foundational implementation step. Organisations must publish privacy policies that detail personal information collected, purposes, means of collection, use and disclosure, and rights available to individuals. If personal information is transferred outside Quebec, policies must disclose the jurisdictions, safeguards, and the possibility of data being subject to foreign laws. Policies should be accessible, written in clear language, and available on the organisation's website and at physical locations.
Privacy impact assessments become mandatory for any project involving the acquisition, development, or overhaul of information systems that process personal data, as well as for disclosures outside Quebec. Implementation teams should develop PIA procedures that trigger during procurement, system design, or vendor onboarding. PIAs must evaluate necessity and proportionality, identify risks to the confidentiality of personal information, and recommend mitigation measures. Governance committees should track PIA completion and ensure that project approvals depend on documented risk treatment.
Confidentiality incident management requires significant operational enhancement. Organisations must maintain an incident register documenting description, personal information affected, risk evaluation, and remedial measures. If an incident presents a risk of serious harm, controllers must notify the CAI and affected individuals without delay, describing the data involved, mitigation steps, and assistance offered. Incident response teams should integrate Law 25 thresholds into playbooks, establish communication templates in French and English, and rehearse escalation protocols. Boards should receive summaries of incidents, root causes, and lessons learned.
Vendor management is equally critical. Law 25 holds organisations accountable for third parties processing personal information on their behalf. Contracts must specify responsibilities, include clauses requiring processors to notify incidents promptly, assist with DSARs, and delete or return data upon termination. Procurement should update due diligence questionnaires to assess vendors' Law 25 readiness, localisation capabilities, and security certifications. Organisations should maintain a vendor risk register and schedule periodic audits or attestation reviews, particularly for cloud and analytics providers handling large volumes of Quebec data.
Automated decision-making transparency introduces new implementation tasks. When decisions are made exclusively through automated processing, organisations must inform individuals of the decision, the personal information used, and the main factors and parameters leading to the decision. Systems should be engineered to log model inputs and outputs, enable human review, and support explanation requests. Governance teams should collaborate with data science units to establish model risk management procedures, fairness testing, and documentation protocols suitable for DSAR responses.
DSAR excellence under Law 25
Law 25 expands individual rights, including rights to access, rectification, portability (effective 2024), and the right to request cessation of dissemination of personal information in certain circumstances. DSAR programs must therefore be redesigned to capture new rights categories, verify identities, and fulfil requests within the statutory 30-day timeframe, with the possibility of a 30-day extension. Request portals should allow submissions in French and English, provide acknowledgement receipts, and present clear instructions for appeals.
Identity verification must balance security and accessibility. Organisations can use multi-factor authentication for existing customers, secure document upload portals for new requesters, and notarised authorisations when representatives act on behalf of data subjects. DSAR management tools should log verification methods, data sources consulted, and redactions applied. When responding to access requests, controllers must provide the categories of personal information collected, the purposes, the sources, and categories of recipients. If a request is denied, the response must cite the applicable Law 25 exemption (such as information protected by professional secrecy) and inform the individual about recourse options with the CAI.
Automated decision rights require additional DSAR capabilities. Individuals may request that the organisation provide the personal information used to render a decision and the reasons behind it. DSAR workflows should connect with AI governance repositories to pull model documentation, explainability summaries, and human review notes. Organisations should train specialists who can interpret model outputs for non-technical audiences and collaborate with data scientists to refine explanations over time.
Because confidentiality incidents can trigger numerous DSARs, response teams should coordinate with incident response to ensure consistency in messaging and remediation. Metrics such as average completion time, backlog volume, escalation count, and satisfaction scores should be presented to the privacy steering committee. Regular tabletop exercises can help validate DSAR playbooks, test communication channels, and improve collaboration with legal and IT.
Training, monitoring, and communication
Law 25 success depends on organisational awareness. Training programs should include mandatory modules for all employees on privacy fundamentals and incident reporting, advanced workshops for marketing and analytics teams on consent and profiling, and specialised sessions for executives on governance obligations. Training materials must be updated to reflect CAI guidance and should be delivered in French and English to reach diverse workforces. Completion rates should be tracked and reported to the board.
Monitoring ensures sustained compliance. Privacy teams should deploy dashboards tracking key indicators: number of PIAs completed, DSAR volumes and turnaround, incidents recorded, vendor assessments, and training completion. Internal audit should schedule independent reviews to test control effectiveness, focusing on consent capture, incident reporting, automated decision transparency, and cross-border disclosures. Findings should feed into remediation plans with clear accountability and deadlines.
External communication builds trust with Quebec residents. Organisations should update privacy notices, customer agreements, and digital channels to explain Law 25 rights, DSAR submission methods, and contact details for the privacy officer. Trust centres can host PIA summaries for high-risk projects, incident statistics, and FAQs about automated decisioning. When engaging with the CAI—whether for incident reporting or consultations—organisations should maintain records of correspondence, decisions, and follow-up actions to support regulatory audits.
By elevating governance oversight, executing implementation workstreams, and optimising DSAR operations, organisations can navigate Law 25 phase two requirements effectively. This groundwork positions them to meet phase three obligations in 2024, including data portability, privacy by default, and enhanced anonymisation standards, while strengthening privacy culture across the enterprise.