Quebec Law 25: What’s New?

In 2021, Quebec passed Law 25, significantly expanding the data privacy rights of Quebecois residents relative to Canada’s federal data privacy regime, the Personal Information Protection and Electronic Documents Act (PIPEDA).
The tables below illustrate the key similarities and differences between PIPEDA and Law 25. Compliance with PIPEDA is necessary but not sufficient to be compliant with Law 25, as the latter introduces several new or enhanced data privacy rights and protections.


As this side-by-side comparison shows, the most important differences between PIPEDA and Law 25 are that the latter includes:
- The duty to perform DPIAs in certain circumstances;
- More granular consent requirements;
- Broader breach notification requirements; and
- Additional rights for data subjects, bringing Quebec law more in line with the GDPR.
Law 25 was phased in over a period of three years, and is now in full effect. Organizations that fail to comply face fines from $15,000 to $25,000,000 CAD, or 4 percent of gross revenues from the previous year, whichever is higher.
How Cyera Helps
Cyera’s unified, AI-native data security platform scans your entire data estate, including SaaS, IaaS, PaaS, DBaaS, and on-prem data stores. It comes with pre-trained classifiers aligned to most major regulatory frameworks, including PIPEDA, so you can quickly identify your customers’ personal information wherever it resides and apply policies to keep it safe.
Cyera’s best-in-class data discovery and classification capabilities make it much easier to respond to Subject Access Requests, including validating the destruction of data pursuant to a subject’s request for erasure, or tracing the source of a subject’s PII.
Cyera also simplifies the process of preparing DPIAs. By monitoring for changes to data security configurations and access controls, Cyera helps you analyze the data security impact of adopting, developing, or overhauling your information systems. Furthermore, Cyera can issue an alert when customer PII is discovered outside of Quebec. This way, you can ensure that personal information is sent only to those jurisdictions for which DPIAs have been performed.
Moreover, Cyera’s Identity Access helps you create a catalog of users with access to your data, including internal and external entities, and human as well as non-human identities (NHIs) like IoT devices and AI copilots. It helps you implement zero trust practices by highlighting identities who are using insecure passwords or failing to enable multifactor authentication. And by helping to identify excessive permissions and stale identities, it also supports the principle of least privilege.
Cyera not only shows you who has access to your data, but also what they’re doing with it. This capability is important for complying with Law 25’s enhanced breach notification requirements, which include not only unauthorized access but also unauthorized use of personal information in the definition of a “confidentiality incident.”
Cyera’s recently released DataPort and Cyera MCP server tools can also help you remain compliant with Law 25. DataPort is a managed Snowflake instance that uses your Cyera data to build clean, analytics-ready data sets. And Cyera MCP lets you plug your preferred AI chatbot into your Cyera data warehouse. With natural language prompts, you can quickly identify your biggest compliance risks and get suggestions for remediation.
Finally, Cyera’s Data Risk Assessment and Breach Readiness services help you get the most out of your Cyera deployment. Leveraging its data security platform, Cyera will provide you a comprehensive risk report, mapping your data attack surface and highlighting its most vulnerable points. Our virtual CISOs will evaluate your security posture and incident response capabilities based on a targeted set of controls from major industry frameworks like ISO 27001 or NIST CSF. Based on these findings, Cyera can deliver a prioritized list of recommendations and a roadmap for continuous improvement, including timelines and milestones.
Minimize Risk, Maximize Benefits
Cyera helps you identify, classify, and secure your data throughout its lifecycle, from collection to eventual destruction. With respect to this last point, data minimization is a key use case for the Cyera platform. Many Cyera customers are discovering petabytes of redundant, obsolete, or trivial (ROT) data that ought to be securely destroyed. In addition to achieving compliance with data minimization and retention requirements, these entities are also saving tens of thousands of dollars each month in reduced data storage costs.
At the same time, they’re also able to confidently deploy AI tools to get the most value possible out of their data, even as they secure that data against unauthorized use or access. Request a demo today to see how Cyera can transform your personal data from compliance liability into business assets.