Global fintech and funding innovation ecosystem

Primer on Quebec’s New Data Portability Law

Data Privacy | May 27, 2024

Freepik data - Primer on Quebec's New Data Portability Law

Image: Freepik/

This September, Quebec's Law 25 mandates data portability rights, impacting organizations handling Quebec residents' personal information

On September 2024, Quebec's Law 25—namely, An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information—will begin, creating a sea change in data privacy regulation that governs all transactions of companies in Quebec. This law intends to increase individuals' control over their personal data and provide additional responsibilities for firms in terms of data processing, transparency, and security. With these looming changes, Law 25 is something a fintech firm must understand now to stay compliant in the future and to deter hefty fines.  NCFAs industry partner, Gowling WLG has put together this handy guide called, 'The Right to Data Portability: Everything You Need to Know"


  • Starting September 22, 2024, Quebec individuals will be able to request their computerized personal information in a structured, commonly used format (e.g., JSON, CSV, XML) see Right to data portability, which shall allow them to have their personal data transferred from one company to another. This requires a fintech firm to develop robust systems that enable the transfer of data seamlessly, without compromise to the security and integrity of the data.  This affects organizations collecting, using, or disclosing personal information of Quebec residents.

See:  The Formation of the Canadian Digital Regulators Forum and its Impact on the Digital Economy and Consumer Privacy

  • Non-compliance with Law 25 can lead to severe fines, from $15,000 to $25,000,000 CAD, or up to 4% of the corporation's worldwide annual turnover, whichever is higher. That means failure to fully comply with the new regulations regarding operations for data protection can result in significant financial costs.
  • Personal data may not be transmitted to a third country unless a mandatory Privacy Impact Assessment (PIA) has been carried out, the risks have been assessed, and remediation measures have been implemented. This is intended to prevent any risk of breach or misuse of that data.
  • The law strengthens requirements for obtaining consent and shall be explicit, informed and collected separately from other stipulations of the general terms of use. Under these conditions, fintech companies must ensure that users are perfectly aware of how their data is going to be used and have the ability to withdraw consent at any time.
  • Technological products and services should, by design, provide the highest privacy levels with an onus on the default privacy settings (in other words, 'privacy by default'. This way, it shall ensure that the data of the users is protected from the start and thus reduce any risks attributed to its collection and processing.

Takeaways for Fintech Companies

  • Prepare now and ensure systems can export data in required formats
  • Implement an efficient process and secure method for handling requests
  • Educate and train staff on new requirements and procedures

See:  2023 Data Privacy in North America – Year in Review

  • Continuously monitor compliance to avoid severe penalties
  • Seek legal advice to fully understand and comply with the law

How Does Law 25 Compare with PIPEDA?

The following is an in-depth comparison of the similarities and differences between PIPEDA and Quebec's Law 25.

FeatureQuebec's Law 25PIPEDA
Scope and JurisdictionApplies to organizations in Quebec and those doing business with Quebec residents, focusing on protecting residents' privacy regardless of business location.Applies to private-sector organizations across Canada involved in commercial activities, focusing on national-level privacy protection.
Consent RequirementsRequires explicit, informed consent, separate from other terms of service, similar to GDPR standards.Allows for either express or implied consent, depending on the sensitivity of the personal information being collected.
Data PortabilityIntroduces the right to data portability, allowing individuals to transfer their personal data between organizations starting September 22, 2024.Does not explicitly provide for data portability rights.
Privacy by DefaultMandates the highest privacy settings enabled by default, ensuring maximum data protection from the outset.Does not specifically mandate privacy by default settings.
Privacy Impact Assessments (PIAs)Requires organizations to conduct PIAs before transferring personal data outside Quebec, similar to GDPR requirements.Encourages PIAs but does not mandate them.
Penalties for Non-ComplianceImposes fines ranging from $15,000 to $25,000,000 CAD, or up to 4% of the company's worldwide annual turnover.Imposes fines up to $100,000 CAD for non-compliance.
Data Protection Officer (DPO)Requires certain organizations to appoint a privacy officer responsible for compliance.Does not require the appointment of a DPO, but recommends it for large organizations.
Right to ErasureIntroduces the right to erasure, allowing individuals to request deletion of their personal information.Does not include a specific right to erasure, but individuals can request corrections to their personal information.
Private Right of ActionEmpowers individuals to take legal action against businesses for privacy violations, allowing for collective actions.Does not provide a broad private right of action.
Cross-Border Data TransfersRequires PIAs to assess the equivalence of foreign data protection laws before transferring data outside Quebec.Requires organizations to use contractual or other means to protect personal information when transferring it to a third party.

What About A National Standard?

While Quebec's Law 25 is currently specific to the province of Quebec, there is growing momentum for similar privacy protections to be adopted across Canada.

See:  Analysis: Does Bill C-27 Reflect Lessons Learned from Past Public Outcry? Data Sharing for Public Good

The federal Bill C-27, which includes provisions for a new Consumer Privacy Protection Act, signals an ongoing effort to enhance data privacy nationwide. If adopted, these regulations could harmonize with Quebec's stringent standards, setting a unified framework for data protection across the country.

Looking Ahead

For organizations operating in the fintech space, it is important to remain aware of the law and how it is evolving in order to ensure full compliance for the protection of the data of their users. This will raise consumer trust in the economy and yield a safer and more transparent digital environment.

NCFA Jan 2018 resize - Primer on Quebec's New Data Portability LawThe National Crowdfunding & Fintech Association (NCFA Canada) is a financial innovation ecosystem that provides education, market intelligence, industry stewardship, networking and funding opportunities and services to thousands of community members and works closely with industry, government, partners and affiliates to create a vibrant and innovative fintech and funding industry in Canada. Decentralized and distributed, NCFA is engaged with global stakeholders and helps incubate projects and investment in fintech, alternative finance, crowdfunding, peer-to-peer finance, payments, digital assets and tokens, artificial intelligence, blockchain, cryptocurrency, regtech, and insurtech sectors. Join Canada's Fintech & Funding Community today FREE! Or become a contributing member and get perks. For more information, please visit:

Latest news - Primer on Quebec's New Data Portability LawFF Logo 400 v3 - Primer on Quebec's New Data Portability Lawcommunity social impact - Primer on Quebec's New Data Portability Law

Support NCFA by Following us on Twitter!

NCFA Sign up for our newsletter - Primer on Quebec's New Data Portability Law


Leave a Reply

Your email address will not be published. Required fields are marked *

1 × four =