Skip to main content

Understanding Quebec’s Law 25: An Overview for Medical Practices


“It is not about legal compliance; it’s about ensuring patient trust and maintaining ethical standards in handling personal health information.”

This blog provides a brief overview of Quebec’s Law 25 tailored for medical practices. It highlights the key aspects you, as the owner or privacy compliance officer, need to understand and some of the steps required to ensure compliance with the law.


Quebec’s Law 25, an evolution of Bill 64, marks a significant change in Canada’s privacy landscape. Adopted in September 2021, this legislation aims to modernize privacy laws. It  mirrors stringent international standards like the EU’s General Data Protection Regulation (GDPR). Prompted by the increasing digitization of personal information and the growing concerns surrounding data privacy, Law 25 was introduced to address the evolving challenges in safeguarding individuals’ sensitive data. The bill seeks to enhance the protection of Quebec residents’ privacy rights in the face of advancing technologies and a rapidly changing digital landscape. For medical practices, understanding and complying with these changes is crucial​​.

Who Must Comply?

Law 25’s broad language covers all private and public sector entities in Quebec, including medical practices, irrespective of their size. It applies to any entity handling Quebec residents’ personal information​​. This means a clinic, whether small or large, that processes patients’ personal data falls under this law’s jurisdiction.

Key Provisions and Rights

  • Personal Information Definition: ‘Personal information’ under Law 25 is any data identifying an individual, such as name, address, age, gender, and even certain online identifiers​​.
  • Right to Transparency: Practices must disclose their data collection and processing methods, including the purpose, method, and third parties involved​​.
  • Right to be Forgotten: Patients can request that their personal information not be shared or circulated, especially online​​.
  • Right to Consent: Explicit consent is required for collecting, using, or disclosing personal information​​.
  • Data Portability: Patients have the right to obtain their data in a commonly used digital format and request its transfer to third parties​​.
  • Automated Decision Rights and Anonymity: Patients have rights regarding automated decision-making and the right to anonymity​​. Automated decision-making involves the use of algorithms and artificial intelligence to analyze patient data and make decisions, such as treatment recommendations or risk assessments. This aspect of Law 25 reinforces the need for ethical and accountable use of automated decision-making in the medical field.
  • Privacy by Default: Starting September 2023, practices must ensure maximum privacy settings by default on their technology platforms​​.

Compliance Phases and Requirements

Law 25’s implementation is phased over three years (2022-2024), providing time for medical practices to adapt​​ to the following standards:

  • Privacy Policy: Publish a clear privacy policy on the practice’s website​​. This privacy policy should outline how they collect, process, use and safeguard personal information, specifying purposes, data processing procedures, consent mechanisms and individual rights. It serves to inform patients about data handling practices, promoting transparency, and complying with privacy regulations.
  • Privacy Impact Assessments (PIA): Conduct PIAs for certain activities involving personal data​​. This involves a systematic evaluation of the potential impact on individuals’ privacy and the implementation of measures to mitigate risks. In the context of Law 25, medical practices are required to conduct PIAs for specific activities involving the processing of personal data.
  • Consent and Transparency Systems: Update systems for consent and transparency in data collection and processing​​.
  • Anonymization and Erasure: Implement systems for anonymizing or erasing personal data​​.
  • Data Portability: Prepare to provide digital copies of personal information upon request​​.

Penalties for Non-Compliance

Non-compliance can result in substantial penalties, including fines up to CAD $25,000,000 or 4% of global turnover for the preceding fiscal year. Additionally, consumers can bring claims against practices for specific breaches of privacy law​​.


For medical practices in Quebec, adapting to Law 25 is not just about legal compliance; it’s about ensuring patient trust and maintaining ethical standards in handling personal health information. By understanding and implementing these guidelines, practices can navigate this new privacy landscape effectively. For a detailed guide on navigating these important changes, click here for more insights, or reach out to our expert team at MARAMEL by calling (438) 940-9452 today. 



  1. OneTrust. “Quebec’s Law 25: What Is It and What Do You Need to Know?” [Online]. Available: Accessed on [Date].
  2. CHEQ. “Quebec Law 25 Compliance: Everything You Need to Know.” [Online]. Available: Accessed on [Date].