Definition
The Act to modernize legislative provisions as regards the protection of personal information ("Law 25"), adopted in 2021, is Québec's main privacy law for the private sector. It came fully into force on September 22, 2023.
Obligations imposed on mortgage brokers and platforms like Courteo: (1) appointment of a Privacy Officer (RPRP), (2) maintenance of an accessible governance policy, (3) free, informed, separate consent for each purpose, (4) notification of confidentiality incidents to the CAI and affected persons, (5) rights of access, rectification, de-indexing, and portability.
Since September 22, 2024 (Phase 3), it also adds the Privacy Impact Assessment (PIA) for any project involving personal information and automated portability. Penalties: up to CA$25M or 4% of global revenue for serious breaches. In Québec, Law 25 prevails over federal PIPEDA in the private sector.