TL;DR: Quebec’s Law 25 expands breach notification, privacy impact assessments, enhanced consent, and subject rights obligations for organisations handling personal information of Quebec residents, with penalties reaching 4% of worldwide turnover, according to OneTrust. The practical issue is not just legal scope but whether privacy, security, and identity workflows can prove control across collection, sharing, retention, and incident response.
NHIMG editorial — based on content published by OneTrust: Quebec’s Law 25 and the privacy obligations it introduces
By the numbers:
Questions worth separating out
Q: What breaks when privacy governance and access governance are not aligned under Law 25?
A: When privacy notices, consent records, and access control do not line up, organisations cannot prove who accessed personal information, why it was collected, or whether sharing matched the stated purpose.
Q: Why does Quebec’s Law 25 matter for organisations outside Quebec?
A: Law 25 can apply to out-of-province organisations that offer goods or services to Quebec residents or monitor their behaviour.
Q: How do security teams know whether privacy controls are actually working?
A: Look for evidence that discovery, classification, DSR routing, and consent enforcement update when the environment changes.
Practitioner guidance
- Tie consent records to real access groups Map each consented purpose to the internal teams, systems, and third parties that can actually access the data so disclosures about access categories are defensible.
- Gate system changes through PIAs Require a privacy impact assessment before new systems, major redesigns, or cross-border transfers go live, with security safeguards and legal transfer terms recorded in the approval path.
- Build breach records into incident workflow Maintain an incident log that captures access scope, data types, harm assessment, and notification rationale so regulator reporting is based on evidence, not recollection.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step interpretation of Quebec Law 25 requirements for privacy officers, PIAs, and breach notification.
- The article’s timeline for when specific obligations entered into effect across the three-year transition period.
- Practical guidance on updating privacy policies, staff training, and service-provider contracts for compliance.
- A breakdown of the law’s consent, subject-rights, and cross-border transfer obligations in implementation terms.
👉 Read OneTrust’s explanation of Quebec’s Law 25 requirements and compliance timeline →
Quebec’s Law 25: what privacy teams need to operationalize now?
Explore further
Law 25 turns privacy governance into an access-governance problem. The article’s most important implication is that privacy teams can no longer treat consent text, access lists, and incident records as separate workstreams. Once the law requires disclosure of who can access personal information and how it is shared, IAM and privacy controls become part of the same evidence chain. Organisations should treat data access governance as a compliance control, not just an IT control.
A question worth separating out:
Q: Who is accountable when Law 25 breach or consent failures occur?
A: Accountability starts with the designated privacy officer, but it extends to the executives and teams that control data collection, access, sharing, and incident response. Law 25 expects the organisation to maintain records, respond to requests, and demonstrate compliance. In practice, that means legal, privacy, security, and system owners share responsibility for evidence and execution.
👉 Read our full editorial: Quebec’s Law 25 raises the bar for privacy governance and controls