Hilo Tech wiki

Law 25 Guide

A complete guide to Quebec's Law 25 (formerly Bill 64) for small and medium-sized businesses: scope, consent, breach notification, the privacy officer role, individual rights, cross-border transfers and penalties.

Last updated: 2026-04-19

This guide explains, in plain language, how a Quebec SMB can comply with the Act to modernize legislative provisions as regards the protection of personal information, commonly called Law 25 (enacted as Bill 64 in 2021 and fully in force since September 22, 2024, after a three-year phase-in).

It is written for executives, IT leads and privacy officers of SMBs that operate in Quebec and collect, use or communicate personal information, which is effectively every business based in the province.

Who this guide is for

  • SMB executives: to understand the legal obligations, risk exposure and decisions ahead.
  • Internal IT leads: to map the technical controls required (logging, access, encryption, backup, incident response).
  • Newly designated privacy officers: to understand the role, its powers and responsibilities. Every private enterprise in Quebec must now have one; by default it is the person exercising the highest authority in the enterprise, who may delegate it in writing (s. 3.1 PPIPSA).
  • Legal and compliance teams: as an operational reference to cross-check against formal legal opinions.

Primary sources cited in this guide

This guide is not a substitute for legal advice. It draws on:

When we cite a specific rule, we reference the corresponding section of the PPIPSA (the Act respecting the protection of personal information in the private sector, the statute that Law 25 amends) so you can return directly to the text of the law.

How to use this guide

Chapters are designed to be read in order, but each is self-contained. Start with Scope and definitions if this is your first exposure to Law 25, or jump to the chapter that answers the question at hand (e.g. "a laptop has been stolen, what do we do?" → Breach notification).

Each chapter closes with:

  • a quick checklist of obligations,
  • common mistakes we see in the field,
  • questions to ask your IT provider or legal counsel.

Our role: the IT layer, in partnership with a lawyer

Hilo Tech is not a law firm. We are a managed IT services firm. On a Law 25 compliance engagement, our contribution covers the technology and operational side:

  • technical mapping of personal information flows (where it lives, who has access, how it moves);
  • implementation of the required IT controls (encryption, logging, access management, backup, incident response plan);
  • authoring internal procedures (breach notification, access requests, retention and destruction);
  • configuration of the tools (Microsoft 365, Azure, Canadian backups, EDR, identity management) to meet the requirements.

For the legal analysis, the drafting of official policies, and the interpretation of the Act in complex cases, we partner with a lawyer appointed by the client (or, if the client does not have one, we can suggest an external firm). Every Law 25 compliance project is carried out jointly with legal counsel: the lawyer validates the legal scope and Hilo Tech handles the IT execution.

If you want your current posture assessed, Pascal Dupuis, Hilo Tech's designated privacy officer, offers a free discovery call to identify the major IT-side gaps, help prioritize action, and flag where outside legal counsel will also be needed.

Hilo Tech also delivers a structured Law 25 compliance audit (IT track): review of existing technical controls, mapping of processing activities, infrastructure-side risk assessment, prioritized action plan, and follow-through on implementation. Deliverables are agreed before the engagement begins, and pricing is set after the discovery call.

Pages in this collection

  1. Scope and definitions

     Who Law 25 applies to, since when, the key terms to know (personal information, sensitive information, privacy officer) and what the Act does not cover.

  2. Consent

     Quebec's Law 25 consent rules: what makes consent valid, how to obtain it, document it and withdraw it, plus the special cases of sensitive information and minors.

  3. Confidentiality incident notification

     Step-by-step procedure for a confidentiality incident: risk-of-serious-harm assessment, notification to the CAI and affected individuals, incident register, timelines and responsibilities.

  4. Person in charge of the protection of personal information

     Mandatory designation, role, responsibilities, powers and published contact details of the privacy officer in a Quebec SMB.

  5. Individual rights

     The six rights every Quebec individual can exercise: access, rectification, de-indexing, portability, withdrawal of consent and information about automated decisions. Deadlines, motivated refusals, remedies.

  6. Transfers outside Quebec

     When a PIA is required, how to assess the equivalence of protection offered by a third country, which contractual clauses to include, and the real impact on SMBs using Microsoft 365, AWS, Salesforce or any out-of-province SaaS.

  7. Sanctions and penalties

     The three sanction regimes under Law 25: administrative monetary penalties up to $10M or 2% of worldwide turnover, penal fines up to $25M or 4% of worldwide turnover, and civil recourse with $1,000 minimum punitive damages.

  8. Templates and samples

     Reusable starting points for your privacy policy, consent notices, incident procedure, incident register and PIAs. To be adapted by a lawyer before publication.

  9. Version history

     Log of changes to this guide: new chapters, legal updates, corrections to section citations, changes in CAI practice.