A poorly handled confidentiality incident can cost far more than a fine — it erodes client trust. Bill 25 imposes concrete obligations every Quebec firm must document, regardless of size.
The Act to modernize legislative provisions as regards the protection of personal information (Bill 25) applies to any organization that collects, holds or uses personal information in Quebec — including law firms.
Obligations by phase
Since September 2022
- Designation of a person responsible for the protection of personal information.
- Register of confidentiality incidents and CAI notification process.
- Contractual safeguards for vendors with access to data.
Since September 2023
- Governance policies on personal information.
- Privacy policy accessible to affected individuals.
- Privacy impact assessments (PIA) for certain projects.
Since September 2024
- Right to portability of personal information.
- Greater transparency on tracking technologies and automated decisions.
Each deadline adds a layer — ignoring one phase does not suspend the others.
Risks for a firm
Penalties can reach $25M or 4% of global revenue in the most serious cases. Beyond fines, a confidentiality incident damages the firm's reputation and erodes client trust.
Compliance is not just a regulatory matter — it is a client trust matter.
Putting it into practice
- Centralize data rather than scattering it across email and spreadsheets.
- Limit access by role (lawyer, assistant, student).
- Maintain an audit log of access and changes.
- Encrypt data at rest and in transit.
- Document PIAs before any new cloud software.
« Every processor handling personal information must be assessed before deployment. »
These measures do not guarantee zero incidents — they prove the firm acted with diligence.