A practical guide to Quebec’s Law 25 and what municipalities must do to ensure data privacy and regulatory compliance.


A Practical Guide to Québec’s Law 25: What Municipalities Must Do for Data Privacy Compliance

Data protection has become a critical responsibility for municipal governments. Cities and public organizations manage large volumes of sensitive personal information—from citizen records and tax data to permits, licensing, and employee files.

Québec’s Law 25 (formerly Bill 64) significantly modernized the province’s privacy legislation and introduced stricter rules for how organizations—including municipalities—collect, manage, and protect personal information.

For municipal leaders and IT teams, understanding these requirements is essential to avoid regulatory penalties and maintain public trust.

What Is Québec’s Law 25?

Law 25 is a comprehensive reform of Québec’s privacy framework that strengthens the rights of individuals and imposes new obligations on organizations handling personal data.

The law was adopted in September 2021 and implemented in phases, with its final provisions fully in force by September 2024.

It is often compared to Europe’s GDPR because it introduces similar principles such as transparency, consent, privacy-by-design, and stronger enforcement mechanisms.

Municipalities are directly affected because they collect and manage large amounts of personal information about residents, employees, contractors, and service users.

Key Law 25 Requirements for Municipalities

1. Appoint a Privacy Officer

Every organization subject to Law 25 must designate a person responsible for personal information protection.

For municipalities, this often means appointing:

  • A Chief Privacy Officer

  • A Data Protection Lead within IT or legal

  • A privacy governance committee

The name and contact information of this person must be publicly available so citizens can submit privacy requests or complaints.

2. Implement Data Governance Policies

Municipalities must establish formal data governance policies and procedures covering the full lifecycle of personal information.

These policies should define:

  • How personal information is collected

  • Where it is stored

  • Who can access it

  • How long it is retained

  • When it must be destroyed

Policies must also describe staff responsibilities and the process for handling privacy complaints or requests from citizens.

3. Conduct Privacy Impact Assessments (PIA)

A Privacy Impact Assessment (PIA) is now mandatory when municipalities:

  • Deploy new IT systems

  • Launch online citizen services

  • Use cloud platforms

  • Transfer personal data outside Québec

These assessments evaluate the risks associated with personal data processing and identify mitigation measures before systems are deployed.

For example, a city launching an online permit portal or grant management system must conduct a PIA before going live.

4. Strengthen Data Security Measures

Municipalities must implement appropriate technical and organizational safeguards to protect personal information.

Typical safeguards include:

  • Encryption of sensitive data

  • Access control and identity management

  • Network monitoring and cybersecurity tools

  • Secure cloud environments

  • Regular security audits

Security measures must be proportional to the sensitivity and volume of data being handled.

5. Mandatory Breach Notification

If a privacy incident occurs—such as unauthorized access, data loss, or disclosure—municipalities must:

  1. Evaluate the risk of harm

  2. Notify the Commission d’accès à l’information (CAI)

  3. Inform affected individuals if there is a risk of serious harm

Organizations must also maintain a register of all security incidents, even minor ones.

6. Ensure Transparency and Consent

Law 25 requires organizations to clearly inform individuals about:

  • What personal information is collected

  • Why it is collected

  • How it will be used

  • Who it may be shared with

Consent must be clear, informed, and explicit, especially when dealing with sensitive personal data.

Municipal websites and online services must provide clear privacy notices.

7. Respect Citizen Data Rights

Law 25 grants individuals stronger rights over their personal data, including:

  • Right to access their personal information

  • Right to correct inaccurate data

  • Right to withdraw consent

  • Right to data portability (in a machine-readable format)

Municipalities must implement processes to respond to these requests within a reasonable timeframe.

Potential Penalties for Non-Compliance

Law 25 introduces some of the strongest privacy penalties in Canada.

Organizations that fail to comply may face:

  • Administrative penalties up to $10 million or 2% of global revenue

  • Penal fines up to $25 million or 4% of global revenue

Individuals can also bring civil actions against organizations that violate privacy rights.

Practical Steps for Municipal Compliance

Municipal governments can begin preparing for compliance by following a structured approach:

Step 1 — Map Personal Data

Identify where personal information exists across municipal systems.

Step 2 — Review Existing Systems

Audit databases, software platforms, and data flows.

Step 3 — Implement Privacy Governance

Create formal privacy policies and assign a privacy officer.

Step 4 — Upgrade Security

Adopt modern cybersecurity tools and identity management systems.

Step 5 — Introduce Privacy-by-Design

Ensure new software platforms integrate privacy controls from the start.

The Future of Municipal Data Protection

Law 25 represents a major shift toward stronger privacy protection in Québec. As municipalities continue to digitize public services—such as online permits, grant programs, and citizen portals—privacy governance must become a central component of digital transformation.

Cities that adopt modern data governance frameworks, secure cloud platforms, and strong cybersecurity practices will be better positioned to protect citizen data while delivering efficient public services.

A company of 9420-4567 quebec inc.
