CA-QC

Québec Law 25 — Automated Decisions & Privacy (Act 25): AI Compliance Requirements

Québec's Act to modernize legislative provisions respecting the protection of personal information (Law 25 / Bill 64) is Canada's strictest provincial privacy law, fully in force since September 22, 2024. Section 12.1 requires organizations to disclose when decisions significantly affecting individuals are made exclusively by automated means (AI), explain the factors involved on request, and allow individuals to present observations to a human reviewer. Also requires: Privacy Impact Assessments for AI systems, a designated Privacy Officer with published contact info, and 72-hour breach notification. Applies to all enterprises handling Québec residents' personal information — including foreign companies with Québec users.

Check your compliance — freeDownload checklist

Key Facts

Effective Date

September 22, 2023

Enforcement Begins

September 22, 2024

Maximum Penalty

C$25,000,000 or 4% of worldwide turnover per violation (Commission d'accès à l'information)

What Your Business Must Do

3 compliance requirements identified. Critical requirements carry the highest risk of enforcement action.

Automated Decision Disclosure (Section 12.1)

Critical

Inform individuals whenever a decision that significantly affects them is made exclusively by automated means (AI). Upon request, you must: (1) Explain the factors that led to the decision. (2) Identify the personal information used. (3) Inform them how to request corrections. (4) Provide the right to present observations to a human reviewer who can actually change the decision.

Privacy Impact Assessment (PIA) for AI

High Priority

Before implementing any AI system that collects, uses, or discloses personal information about Québec residents, conduct a Privacy Impact Assessment. Document purposes, legal bases, safeguards, and risks. Keep on file for potential inspection by the Commission d'accès à l'information (CAI).

Designated Privacy Officer (Published)

High Priority

Appoint a Privacy Officer responsible for overseeing AI data practices and handling personal information. Publish the officer's name and contact information on your website. This person handles access requests, correction requests, and breach notifications.

Frequently Asked Questions

Does Québec Law 25 — Automated Decisions & Privacy (Act 25) apply to my business?

Québec's Act to modernize legislative provisions respecting the protection of personal information (Law 25 / Bill 64) is Canada's strictest provincial privacy law, fully in force since September 22, 2024. Section 12.1 requires organizations to disclo. Use ComplianceIQ's free scanner to get a personalized assessment in under 5 minutes.

What is the penalty for non-compliance?

The maximum penalty under Québec Law 25 — Automated Decisions & Privacy (Act 25) is: C$25,000,000 or 4% of worldwide turnover per violation (Commission d'accès à l'information). Fines are typically scaled by company size, severity of violation, and whether violations were willful or accidental.

How do I comply with Québec Law 25 — Automated Decisions & Privacy (Act 25)?

The 3 requirements above cover the core obligations. The fastest path to compliance is: (1) conduct an AI risk assessment, (2) document your AI systems, (3) implement transparency disclosures where required. ComplianceIQ generates all required documents automatically.

Official Source

https://www.rcgt.com/en/insights/expert-advice/law-25-issue-automated-decisions/

Last updated: 2026-04-12 — verify at source before relying on this information.

Don't leave compliance to chance

ComplianceIQ scans your AI tools, tells you exactly which regulations apply, and generates all required documents — in 30 minutes.

Start your free compliance scan