Skip to main content
Privacy Horizon
Privacy & Security

Privacy & Security Services in Quebec

End-to-end privacy and security support for organizations in Quebec.

Québec operates under Canada's most demanding private-sector privacy regime. Law 25 — the legislation that substantially modernized Québec's privacy framework between 2022 and 2024 — introduced obligations that in several respects go further than PIPEDA and further than the laws of any other Canadian province. The Commission d'accès à l'information du Québec, the CAI, is the oversight authority, and it has real enforcement tools: Law 25 brought significant administrative monetary penalties into the regime for the first time, applying to organizations that fail to meet their obligations. That shift from a complaints-based model with limited sanctions to one that includes financial consequences has changed the calculus for organizations operating in Québec.

The specific obligations that Law 25 introduced include mandatory breach reporting to the CAI and notification to affected individuals, a privacy-by-default requirement, stricter rules around the collection of personal information and around consent — including new requirements for the disclosure of personal information outside Québec — and enhanced individual rights. Organizations that were already PIPEDA-compliant often found, after Law 25's phased implementation, that meaningful gaps remained. The laws are not identical, and compliance with one does not equal compliance with the other. PIPEDA continues to apply to federally regulated businesses and to cross-border information flows, so organizations with a national footprint must manage both frameworks.

Privacy Horizon works with organizations across Québec to build compliance programs that are accurate to what Law 25 actually requires rather than a generic Canadian privacy framework. We conduct privacy impact assessments that meet CAI expectations, gap analyses that benchmark the current state against the full scope of Law 25 obligations, and compliance programs that turn assessment findings into workable internal processes. Our senior advisory service is available when your team faces a time-sensitive decision — a new vendor arrangement, a data-sharing question, or a breach that requires judgment about reporting thresholds. We also deliver training calibrated to Law 25 for both staff and leadership, because an organization's privacy obligations are only as strong as the people carrying them out day to day.

Privacy & security regulation in Quebec

Regulator: Commission d'accès à l'information du Québec (CAI)

Québec has Canada's most prescriptive private-sector privacy regime following Law 25, enforced by the Commission d'accès à l'information, with obligations that often exceed PIPEDA.

Law 25Act to modernize legislative provisions as regards the protection of personal information

Québec's Law 25 substantially modernized the province's private-sector privacy regime. Phased in between 2022 and 2024, it introduced mandatory breach reporting, privacy-by-default, stricter consent and transparency obligations, and significant administrative monetary penalties.

Read the legislation

PIPEDAPersonal Information Protection and Electronic Documents Act

PIPEDA is Canada's federal private-sector privacy law. It sets out ten fair information principles governing how organizations collect, use, and disclose personal information in the course of commercial activity. It applies wherever a province has not enacted substantially similar legislation — and, even in provinces that have (Alberta, British Columbia, Québec), it continues to apply to federally regulated businesses such as banks, airlines, and telecommunications, and to personal information that flows across provincial or national borders.

Read the legislation

What Privacy & Security includes

From assessments to compliance programs and ongoing advisory, we provide the full range of privacy and security support organizations need under Canadian law.

Assessments

Privacy impact assessments, threat & risk assessments, and gap analysis.

Compliance Programs

Guided programs to reach and maintain compliance.

Advisory

On-call senior privacy and security guidance.

Training

Practical training for staff and leadership.

Law 25 compliance programs that reflect what the CAI actually enforces

Law 25's phased implementation is complete, but many organizations still operate under compliance programs built for an older version of Québec's privacy regime — or under PIPEDA templates that have never been fully reconciled with provincial requirements. Privacy Horizon builds compliance programs grounded in Law 25's current obligations: privacy-by-default, the consent requirements for out-of-province disclosures, breach notification to the CAI, and the governance structures — including the designation of a person in charge of personal information protection — that the law requires. The result is a program that holds up under CAI scrutiny rather than one that looks adequate on the surface.

Breach readiness in a mandatory-reporting environment

Law 25's breach notification obligations require organizations to assess incidents quickly, apply the correct risk threshold, report to the CAI in prescribed circumstances, and notify affected individuals — all under time pressure and with documentation requirements attached. Privacy Horizon helps organizations build the incident response processes they need before a breach occurs, so the assessment and reporting decisions are made against a clear framework rather than under improvised pressure. We also support organizations through active incidents, providing senior judgment on notification obligations and helping prepare the communications and regulatory submissions the situation requires.

What's Protecting Your Business from the Next Threat?

Don't wait for a breach to expose your vulnerabilities. Let Privacy Horizon secure your data, ensure compliance, and build lasting trust.