TL;DR: Quebec Law 25 has its own teeth separate from PIPEDA. Territorial scope follows the data subject and the business activity, not the organization's headquarters. Maximum administrative penalties under the 2026 amendments can reach 4 percent of worldwide turnover. The breach notification threshold is risk of serious injury (a different definition from PIPEDA's real risk of significant harm). Mandatory privacy officer designation applies to every organization holding Quebec resident personal information.
What Quebec Law 25 Actually Is
Quebec Law 25 (formerly Bill 64) is the comprehensive amendment to the Act respecting the protection of personal information in the private sector that took effect in stages starting 22 September 2022. The law applies to organizations conducting business in Quebec or holding personal information of Quebec residents, regardless of where the organization is headquartered. Enforcement runs through the Commission d'accès à l'information (CAI), the provincial regulator with both investigative and administrative-penalty authority.
The territorial scope point is the one most often missed by Canadian organizations outside Quebec. A Vancouver company with Quebec customers is in scope. A Toronto company with Quebec employees is in scope. A nationwide e-commerce platform with any Quebec resident customers is in scope. The law follows the data subject and the business activity, not the organization's headquarters.
The 2026 Amendments
The 2026 amendments to Quebec Law 25 tightened three areas of the existing framework. First, the maximum administrative monetary penalty cap was raised to 4 percent of worldwide turnover or $25 million CAD, whichever is greater. Second, the cross-border transfer regime now requires a documented privacy impact assessment for every transfer of personal information outside Quebec, even to jurisdictions previously treated as having adequate protection. Third, the Commission d'accès à l'information received expanded investigative authority, including the power to compel production of documents under timelines as short as five business days for confirmed breach investigations.
The cross-border transfer change is the practical sleeper. Many Canadian organizations move Quebec resident data to non-Quebec processing locations as a matter of routine: payroll providers in Ontario, customer support platforms in the US, cloud infrastructure in Virginia or Oregon. Every one of those transfers now requires a documented privacy impact assessment. The 2026 amendments did not add a flat prohibition, but they did add a paperwork and assessment burden that organizations need to plan around.
The Breach Notification Threshold
Quebec Law 25 requires notification to the Commission d'accès à l'information and to affected individuals when a confidentiality incident presents a risk of serious injury (un risque qu'un préjudice sérieux soit causé). The threshold is similar in concept to PIPEDA's real risk of significant harm but is legally distinct and has its own interpretive history. Serious injury includes bodily harm, moral harm (humiliation, damage to reputation) and material harm (financial loss, identity theft). The risk threshold is met when the incident creates a reasonable possibility of serious injury, weighed against the sensitivity of the information and the probability of misuse.
Organizations must also maintain a register of every confidentiality incident, regardless of whether the notification threshold was triggered. The register must be retained for at least five years and must be available for inspection on Commission request. The record-keeping obligation is a separate compliance burden from the notification obligation; many organizations meet the notification obligation but fall short on the register.
The Mandatory Privacy Officer Designation
Quebec Law 25 requires every organization in scope to designate a privacy officer responsible for compliance with the law. The designation must be in writing, must be publicly available (on the organization's website or equivalent) and must specify a contact mechanism. The privacy officer does not need to be an employee; outsourced privacy-officer services are permitted. The designation is not optional, and the Commission has investigated organizations for failing to make the designation publicly visible.
The combination of mandatory designation, the breach notification register and cross-border transfer privacy impact assessments means that Quebec Law 25 compliance requires actual documented processes and identified responsible personnel. Reactive, incident-only compliance does not satisfy the framework.
What Canadian Organizations Should Do in 2026
If your organization holds personal information of Quebec residents, the first step is confirming the privacy officer designation is current, in writing and publicly available. The second step is auditing the cross-border transfer surface: every routine data flow that leaves Quebec needs a documented privacy impact assessment. The third step is building (or updating) the confidentiality incident register: even non-notifiable incidents need to land in the register within a reasonable time of detection.
If you experience a confidentiality incident that may trigger notification, Sherlock Forensics provides the forensic record needed to document what was accessed, by whom, and when. The Sherlock Forensics methodology produces evidence that meets the Commission's expectations for forensic record, access assessment and contextual analysis (the same three elements that PIPEDA notification requires). The Sherlock after-data-breach-Canada page walks through the operational sequence; Quebec residents trigger both Quebec Law 25 and PIPEDA obligations, and organizations must satisfy both regulators.