Law 25 (Québec)

Quebec Law 25 in 2025: Everything Health Organizations Need to Know

Any organization collecting personal information about Quebec residents must comply with Law 25 — regardless of where they are incorporated. That includes Ontario clinics with Quebec patients, health-tech vendors, and labs. Here is what changed across the three phases and what you must have in place today.


Quebec Law 25 compliance obligations for health organizations came fully into force in September 2024, completing a three-year rollout that began in 2022. The Act to Modernize Legislative Provisions as Regards the Protection of Personal Information (Loi modernisant des dispositions législatives en matière de protection des renseignements personnels), commonly known as Law 25 or Bill 64, rewrites Quebec's private sector privacy framework from the ground up. For health organizations, health-tech vendors, labs, pharmacies, and any enterprise collecting personal information about Quebec residents — regardless of where you are incorporated — this is now the governing law. Penalties reach up to $25 million or 4% of worldwide turnover for the most serious violations.

Law 25 amends Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Loi sur la protection des renseignements personnels dans le secteur privé — LPRPSP) and related public sector legislation. It is the most significant overhaul of Quebec privacy law in three decades.

Scope is one of Law 25's most consequential features. It applies to any enterprise — as defined under the Civil Code of Quebec — that collects, uses, or discloses personal information (renseignements personnels) about Quebec residents. This includes:

  • Quebec-based health clinics, pharmacies, laboratories, and specialist practices
  • Ontario-based health organizations whose patients include Quebec residents
  • Health-tech startups deploying products used by Quebec residents — telemedicine platforms, remote monitoring apps, AI diagnostic tools
  • Cloud providers, EMR vendors, and IT managed service providers whose clients include Quebec-based organizations
  • Any enterprise with a website, mobile app, or service accessible to Quebec residents that involves collecting personal information

Law 25 was enacted in three staggered phases to give organizations time to prepare. All three phases are now in force as of September 22, 2024. Here is what each phase introduced:

  • Phase 1 (in force September 22, 2022): mandatory designation of a person in charge of personal information protection (responsable de la protection des renseignements personnels); obligation to maintain a confidentiality incident register; mandatory notification to the CAI (Commission d'accès à l'information du Québec) and to affected individuals when a confidentiality incident presents a risk of serious injury (risque de préjudice sérieux)
  • Phase 2 (in force September 22, 2023): Privacy Impact Assessments (évaluations des facteurs relatifs à la vie privée, ÉFVP) mandatory for new IT systems and for any communication of personal information outside Quebec; strengthened consent rules; explicit consent required for sensitive personal information; privacy by default; disclosure obligations for automated decision-making; publication of the privacy policy on the organization's website
  • Phase 3 (in force September 22, 2024): right to data portability; individuals may request personal information collected by automated means in a structured, machine-readable format, communicable to them or to another person or organization of their choosing

Every enterprise subject to Law 25 must designate a person in charge of the protection of personal information (responsable de la protection des renseignements personnels). This obligation has been in force since September 22, 2022.

The requirements for this designation are specific:

  • The designation must be made in writing
  • If no one is explicitly designated, the law assigns responsibility by default to the person with the highest authority in the enterprise — typically the CEO or president
  • The name and contact information of the person in charge must be published on the organization's website
  • The person in charge may delegate functions to one or more members of the enterprise, but retains accountability for all personal information protection obligations

The Privacy Impact Assessment — évaluation des facteurs relatifs à la vie privée (ÉFVP) in the official Quebec terminology — is Law 25's most operationally demanding new obligation for health organizations. ÉFVPs have been mandatory since September 22, 2023.

An ÉFVP is required before:

  • Acquiring, developing, or significantly overhauling any information system or electronic service delivery system
  • Communicating personal information outside Quebec — including to other Canadian provinces and territories
  • Launching any project involving personal information that carries a medium or high risk of privacy harm

The ÉFVP must be proportionate to the sensitivity of the information involved and the risks identified. It must assess the purpose of the project, the need for the information collected, the safeguards in place, and the identified privacy risks along with mitigation measures. Privacy by default must be incorporated at the design stage — not retrofitted after deployment.

For health organizations, nearly every significant technology initiative — deploying a new EMR system, migrating to cloud hosting, launching a patient portal, integrating an AI diagnostic tool — requires an ÉFVP before it goes live. The CAI has made clear that the ÉFVP must be completed before deployment, not retroactively. Our PIA builder is designed to walk organizations through the ÉFVP process step-by-step, producing documented output that meets CAI requirements.

Law 25 uses the term 'confidentiality incident' (incident de confidentialité) rather than 'data breach.' A confidentiality incident occurs when personal information is accessed, used, communicated, lost, or stolen without authorization.

Two distinct obligations apply:

  1. Confidentiality Incident Register — every enterprise must maintain an internal register of all confidentiality incidents, regardless of severity. The register must include the date and nature of the incident, the personal information involved, the number of people affected, and the corrective measures taken. The CAI can request this register at any time.
  2. Notification Obligation — when a confidentiality incident presents a risk of serious injury (risque de préjudice sérieux) to affected individuals, the enterprise must notify the CAI and each affected individual as soon as possible. Factors the CAI considers in assessing 'serious injury' include: the sensitivity of the information, the anticipated consequences of the incident, and the likelihood that the information will be used for harmful purposes.

Law 25 significantly strengthens Quebec's consent framework. All consent must be manifest, free, informed, and given for a specific purpose — separate consent is required for each distinct use. Consent cannot be a condition for receiving a service beyond what is strictly necessary.

For sensitive personal information (renseignements personnels sensibles) — which under Law 25 includes medical and health information, biometric data, and information relating to private life — express (explicit) consent is required. Implied consent is not sufficient for health data.

When an enterprise uses personal information for automated decision-making that produces legal or significant effects on an individual, Law 25 requires the enterprise to: inform the individual that a decision was made about them using personal information; explain the factors and reasons for the decision; and provide the individual with the opportunity to present observations and request that the decision be reviewed by a human.

Law 25's penalty structure is tiered. At the high end, it is among the most severe in any Canadian privacy framework — and in some respects exceeds GDPR exposure for smaller organizations.

The three sanction types, the maximum amount for each, and who imposes it:

  • Administrative monetary penalty: up to $10,000,000 or 2% of worldwide turnover for the preceding fiscal year, whichever is greater. Imposed by the CAI directly, without court proceedings.
  • Penal sanction: up to $25,000,000 or 4% of worldwide turnover for the preceding fiscal year, whichever is greater. Imposed by the penal court, in proceedings initiated by the CAI.
  • Private right of action: minimum $1,000 per affected individual without proof of actual harm; punitive damages available for intentional fault or gross negligence. Brought by the individual in civil court.

The private right of action is one of Law 25's most significant innovations in the Canadian context. An individual whose rights under the law are violated can sue the enterprise directly and claim statutory damages of at least $1,000 without having to demonstrate concrete harm. For a health-tech company with tens of thousands of Quebec users, the aggregate exposure from class actions is material.

Health organizations with operations in both Quebec and Ontario face overlapping compliance frameworks. Law 25 governs personal information of Quebec residents; PHIPA governs personal health information held by health information custodians in Ontario. The two laws are not mutually exclusive: an Ontario-based health-tech company serving Quebec patients may be subject to both simultaneously.

The key structural differences to understand:

  • Scope: PHIPA applies specifically to personal health information (PHI); Law 25 applies to all personal information, with heightened requirements for sensitive information including health data
  • Custodian vs. enterprise: PHIPA uses the concept of a 'health information custodian'; Law 25 applies to 'enterprises' under Quebec civil law — the triggering criteria differ
  • Breach threshold: PHIPA requires notification 'at the first reasonable opportunity'; Law 25 requires notification when there is a 'risk of serious injury' — a higher, risk-based threshold
  • Penalties: Law 25's ceiling ($25M or 4% of turnover) significantly exceeds PHIPA's ($500K for organizations, $200K for individuals under AMPs)
