By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: OneTrustPublished December 8, 2025

TL;DR: Quebec’s Law 25 expands breach notification, privacy impact assessments, enhanced consent, and subject rights obligations for organisations handling personal information of Quebec residents, with penalties reaching 4% of worldwide turnover, according to OneTrust. The practical issue is not just legal scope but whether privacy, security, and identity workflows can prove control across collection, sharing, retention, and incident response.


At a glance

What this is: Quebec’s Law 25 modernises the province’s privacy regime by tightening breach, consent, assessment, and governance requirements for organisations handling Quebec residents’ personal information.

Why it matters: It matters to IAM, privacy, and security teams because the law forces stronger control over who can access personal data, how consent is captured, and how incidents and third-party sharing are governed.

By the numbers:

👉 Read OneTrust’s explanation of Quebec’s Law 25 requirements and compliance timeline


Context

Quebec’s Law 25 is a privacy governance overhaul, not a narrow policy update. It expands obligations around breach notification, privacy impact assessments, enhanced consent, and individual rights for organisations processing personal information of Quebec residents, including some out-of-province businesses that offer goods or services into the province. For privacy, security, and identity teams, the operational question is whether data handling can now be evidenced, not merely described.

The article is especially relevant where privacy governance overlaps with identity and access control. Law 25 requires organisations to disclose categories of people who can access personal information, maintain records of incidents, and review service provider contracts, which puts access governance, third-party oversight, and retention controls into the compliance picture. That makes it a practical IAM and privacy coordination problem, not only a legal one.


Key questions

Q: What breaks when privacy governance and access governance are not aligned under Law 25?

A: When privacy notices, consent records, and access control do not line up, organisations cannot prove who accessed personal information, why it was collected, or whether sharing matched the stated purpose. Under Law 25, that weakens breach response, transfer oversight, and accountability for individuals’ rights. It also makes audits and regulator inquiries far harder to defend.

Q: Why does Quebec’s Law 25 matter for organisations outside Quebec?

A: Law 25 can apply to out-of-province organisations that offer goods or services to Quebec residents or monitor their behaviour. That makes it a broader governance issue than a local privacy rule. Companies with national or cross-border operations need to assess whether their collection, sharing, retention, and notification processes meet Quebec’s requirements.

Q: How do security teams know whether privacy controls are actually working?

A: Look for evidence that discovery, classification, DSR routing, and consent enforcement update when the environment changes. If privacy artifacts only refresh on calendar cadence or after manual chases, the programme is operating on stale assumptions. Working controls produce current inventory, traceable approvals, and audit-ready logs without depending on memory.

Q: Who is accountable when Law 25 breach or consent failures occur?

A: Accountability starts with the designated privacy officer, but it extends to the executives and teams that control data collection, access, sharing, and incident response. Law 25 expects the organisation to maintain records, respond to requests, and demonstrate compliance. In practice, that means legal, privacy, security, and system owners share responsibility for evidence and execution.


Technical breakdown

Enhanced consent and privacy notice requirements

Law 25 tightens the conditions under which consent is valid. Consent must be free, informed, specific, clear, and requested separately from other information, with express consent required for certain sensitive uses. The law also requires people to be told who outside Quebec receives their information, who inside the business can access it, how long it will be kept, and whether a request is mandatory. That pushes privacy notices closer to an accountable control surface rather than a static legal statement.

Practical implication: map consent language to actual data flows, access groups, and retention rules so notices reflect operational reality.

Breach notification and incident records

Law 25 requires breach notifications to the provincial regulator and affected individuals when unauthorised access creates a risk of serious injury, and it also requires organisations to keep a record of all security incidents. This is significant because the reporting trigger is based on harm assessment, not only on whether data was technically exposed. Teams therefore need incident triage processes that can quickly classify sensitivity, access scope, and downstream impact.

Practical implication: build a breach triage workflow that links incident severity to personal-data sensitivity, access evidence, and notification decisions.

Privacy impact assessments for system changes and transfers

The law requires privacy impact assessments in specific cases, including when organisations acquire, develop, or overhaul systems that collect, use, release, keep, or destroy personal information, especially when information moves outside Quebec. A PIA is not just a checklist. It forces documentation of sensitivity, purpose, safeguards, and the legal context in the receiving jurisdiction, which makes it a governance tool for change management and third-party transfers.

Practical implication: gate system changes and cross-border transfers through a PIA workflow before implementation, not after deployment.


Threat narrative

Attacker objective: The objective is not traditional intrusion alone but unlawful access, misuse, or transfer of personal information that creates regulatory liability and harms affected individuals.

  1. Entry occurs when personal information is collected, shared, or transferred without controls that reflect the law’s notice, consent, and assessment requirements.
  2. Escalation happens when organisations cannot evidence who accessed the data, whether consent was valid, or whether a transfer outside Quebec had been assessed properly.
  3. Impact is regulatory and operational exposure, including breach reporting obligations, recordkeeping failure, and significant fines tied to non-compliance.

NHI Mgmt Group analysis

Law 25 turns privacy governance into an access-governance problem. The article’s most important implication is that privacy teams can no longer treat consent text, access lists, and incident records as separate workstreams. Once the law requires disclosure of who can access personal information and how it is shared, IAM and privacy controls become part of the same evidence chain. Organisations should treat data access governance as a compliance control, not just an IT control.

Privacy impact assessments are becoming the control point for change, not documentation after the fact. The article makes clear that PIAs apply to system acquisition, development, and overhaul, especially where information moves outside Quebec. That means modernisation projects now need privacy review before implementation, with security safeguards and transfer terms documented up front. Practitioners should use PIAs as a gating mechanism for change approvals.

Cross-border transfers under Law 25 expose the verification trust gap. When organisations cannot show where personal information goes, who receives it, and under what legal safeguards, the issue is not only compliance but trust in the underlying identity and access model. In identity-heavy programmes, this reinforces that governance over access categories and third-party entitlements must be auditable. Practitioners should align transfer oversight with access governance evidence.

Law 25 elevates incident records from administration to defensible control evidence. The requirement to maintain security incident records means organisations must be able to reconstruct what happened, what data was involved, and why a notification decision was made. That expectation fits a broader regulatory trend toward provable accountability rather than informal judgment. Practitioners should build evidence retention into incident management from the start.

Enhanced consent is a signal that privacy rules are moving closer to machine-readable governance. The law’s requirements for clear, separate, purpose-specific consent, plus disclosures about retention and access, point toward structured data governance rather than purely legal drafting. That matters for programmes that use automated decisions or process sensitive personal data at scale. Practitioners should make consent data, not just consent text, auditable.

What this signals

Verification trust gap: Law 25 reinforces a broader pattern that security and privacy programmes are being judged on evidence, not intent. Where organisations cannot show who accessed personal information, how consent was captured, or whether transfers were assessed, governance failure becomes operational failure. For teams with identity-heavy data flows, the control conversation now starts with proof.

The practical challenge is that many privacy programmes still rely on manual policy updates while the underlying access environment changes continuously. That is where identity governance, third-party entitlement review, and incident recordkeeping need to converge. Teams should expect regulators to look for consistency between declared privacy practices and the way data access is actually administered.


For practitioners

  • Tie consent records to real access groups Map each consented purpose to the internal teams, systems, and third parties that can actually access the data so disclosures about access categories are defensible.
  • Gate system changes through PIAs Require a privacy impact assessment before new systems, major redesigns, or cross-border transfers go live, with security safeguards and legal transfer terms recorded in the approval path.
  • Build breach records into incident workflow Maintain an incident log that captures access scope, data types, harm assessment, and notification rationale so regulator reporting is based on evidence, not recollection.
  • Review service-provider contracts for transfer obligations Reassess contracts for vendors that collect, store, or process Quebec personal information, including clauses covering transfer conditions, safeguards, and breach reporting responsibilities.

Key takeaways

  • Quebec’s Law 25 expands privacy obligations into a full governance problem that touches consent, access, transfers, and incident response.
  • The most consequential requirement is evidentiary, because organisations must show how they handled personal information, not only claim compliance.
  • Teams should treat privacy impact assessments, breach records, and access governance as linked controls rather than separate compliance tasks.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR and ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
GDPRArt.32Law 25 mirrors privacy governance patterns around personal data protection and accountability.
NIST CSF 2.0PR.AC-4Law 25’s access disclosure and auditability needs map to access control governance.
NIST SP 800-53 Rev 5AU-6Incident records and breach accountability depend on reviewable audit evidence.
ISO/IEC 27001:2022A.5.34Privacy impact and transfer governance align with information privacy and protection requirements.

Use GDPR-style accountability to align notices, processing records, and transfer safeguards with actual practice.


Key terms

  • Privacy Impact Assessment: A privacy impact assessment is a structured review of how a system, process, or transfer handles personal information before it is deployed or changed. It identifies the sensitivity of the data, legal risks, safeguards, and whether the proposed processing is compatible with applicable privacy obligations.
  • Enhanced Consent: Enhanced consent is a stricter form of consent that requires clear, specific, and separate agreement for particular purposes, especially when sensitive personal information is involved. In practice, it forces organisations to align what they ask for with what they actually do with the data.
  • Breach Notification: Breach notification is the process for determining, documenting, and reporting impermissible access or disclosure of PHI. It depends on evidence from identity systems, logs, and entitlement records, because organisations must show what happened and whether access was authorised or compromised.

What's in the full article

OneTrust's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step interpretation of Quebec Law 25 requirements for privacy officers, PIAs, and breach notification.
  • The article’s timeline for when specific obligations entered into effect across the three-year transition period.
  • Practical guidance on updating privacy policies, staff training, and service-provider contracts for compliance.
  • A breakdown of the law’s consent, subject-rights, and cross-border transfer obligations in implementation terms.

👉 OneTrust’s full article covers the law’s obligations, timing, and operational compliance questions in more detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management in a way that complements privacy and access oversight. It helps practitioners connect identity control with the broader governance demands that modern security programmes now face.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org