Quebec's Law 25 and Canadian data residency

Ross Hill · March 21, 2026

Quebec's Law 25 (formally, An Act to Modernize Legislative Provisions as regards the Protection of Personal Information) has been rolling out in phases since September 2022, with the final provisions (data portability) taking effect in September 2024. All requirements are now fully in force. If your organisation collects personal information about Quebec residents, the law almost certainly applies to you, regardless of where you're incorporated or hosted.

This post covers what Law 25 actually requires, how Canadian data residency affects your compliance posture, and where the responsibility still sits with you.

This is not legal advice. If your organisation has significant Quebec operations or handles sensitive personal information, consult a Quebec privacy lawyer.

What Law 25 is

Law 25 is Quebec's modernisation of its private-sector privacy legislation (the Act respecting the protection of personal information in the private sector, in force since 1994). The reform was driven by the reality that the original law was written before smartphones, cloud computing, and large-scale data collection by private businesses.

The updated law brings Quebec's framework closer to GDPR in scope and teeth. It introduces:

  • A requirement to designate a privacy officer (the person in charge of the protection of personal information)
  • Mandatory privacy policies written in plain language and published on your website
  • Consent requirements that are clearer and more explicit, particularly for sensitive data
  • Privacy by default: systems must be configured to collect and use the minimum information needed
  • Privacy impact assessments (PIAs) before deploying new information systems and before transferring personal information outside Quebec
  • A privacy incident register and mandatory notification to the Commission d'accès à l'information (CAI) and affected individuals for serious incidents
  • Individual rights: access, rectification, portability, and the right to de-indexation (similar to the right to be forgotten)

Who it applies to

Law 25 applies broadly to any enterprise that collects, uses, or communicates personal information about natural persons in the course of carrying on an enterprise in Quebec. That reach extends beyond Quebec-based businesses. If you serve Quebec residents, you are likely covered regardless of whether your company is incorporated in Ontario, British Columbia, or outside Canada entirely.

There's no meaningful minimum-size exemption for most provisions. Small businesses are not automatically excluded.

The requirements that matter most for your hosting decision

Of all the requirements in Law 25, the one most directly affected by where you host is the cross-border transfer PIA.

Before communicating personal information to anyone outside Quebec (including to a third-party service provider outside Quebec), you must conduct a privacy impact assessment to evaluate whether the information would receive adequate protection in the destination jurisdiction. If the assessment reveals that the destination does not provide an adequate level of protection, you cannot make the transfer unless you take measures to mitigate the risk.

This applies even to cloud services. If your application is running on infrastructure hosted in a US data centre, or using US cloud services, that is a cross-border communication of personal information. You would need to conduct and document a PIA for that transfer, evaluate adequacy, and in many cases implement contractual protections.

This is not a small task. PIAs require documented analysis of the destination jurisdiction's laws, the nature of the data being transferred, the security measures in place, and the residual risks. For US infrastructure in particular, you would need to address things like the US CLOUD Act, which gives US courts the authority to compel American companies to produce data regardless of where it is stored.

How Canadian data residency helps

If your application data stays in Canada, under a Canadian hosting provider not subject to US jurisdiction, you largely sidestep the cross-border transfer problem for that data.

When your application servers, databases, and file storage are in Canada, there is no cross-border transfer of personal information to assess for your core application data. The hardest part of the PIA requirement, the adequacy analysis for a foreign jurisdiction with different privacy laws, does not apply.

MapleDeploy provides dedicated Canadian infrastructure in Toronto. Each customer gets their own isolated VM, their own Coolify instance, and data that stays in Canada. That is the infrastructure piece of Law 25 compliance for your application data.

We take our own Law 25 obligations seriously. MapleDeploy maintains a privacy incident registry, notifies the CAI as required for serious privacy incidents (see our breach notification policy), conducts PIAs before adding new sub-processors, and applies privacy by default in how we design our systems. You can review our privacy policy for details.

What Canadian data residency does not cover

It is important to be direct about this: Canadian data residency solves the infrastructure piece, not the whole compliance picture. Law 25 is broader than where your servers are.

Your organisation still needs to:

Designate a privacy officer. Someone must be formally accountable for personal information protection within your organisation. This is a named role, not a general responsibility.

Publish a privacy policy. It must explain what information you collect, why, how you use and protect it, how individuals can exercise their rights, and how to contact your privacy officer.

Manage consent. Collecting personal information requires valid consent. For sensitive categories of data, that consent must be explicit. Your application's consent flows, cookie notices, and data collection practices are your responsibility to design correctly.

Conduct PIAs for your own third-party tools. Even with Canadian-hosted infrastructure, your application likely uses third-party services: payment processors, analytics tools, email providers, customer support software, and so on. Any of those that receive personal information from Quebec residents need their own adequacy assessment if they are outside Quebec. MapleDeploy handling the hosting does not relieve you of this obligation.

Govern data internally. You need policies and procedures for how your team accesses, handles, and stores personal information. Training, access controls, and internal accountability are not infrastructure questions.

Respond to individual rights requests. Access requests, correction requests, portability requests, and de-indexation requests require processes and designated ownership.

Handle privacy incidents. If a privacy incident occurs that presents a risk of serious injury to an individual, you must notify the CAI and the affected individuals. You need a documented process for detecting, assessing, and reporting incidents.

Penalties

Law 25 penalties are significant. The maximum administrative penalty is $25 million CAD or 4% of worldwide turnover for the preceding year, whichever is greater. Penal fines for intentional violations reach $25 million or 4% of worldwide turnover as well. The CAI can also order organisations to publish notices of violations at their own expense.

For smaller businesses, the more immediate risk is reputational and regulatory: a CAI investigation, a public order, or a mandatory notification to your users can be damaging well before penalties reach their ceiling.

Where to start

If your organisation serves Quebec residents and you have not started your Law 25 work, a reasonable starting point looks like this:

  1. Map what personal information you collect, where it goes, and who touches it
  2. Designate a privacy officer and document the role
  3. Conduct PIAs for any cross-border data flows, starting with the most sensitive data
  4. Review and update your privacy policy
  5. Audit your consent flows and collection practices
  6. Put a privacy incident response procedure in place

Choosing Canadian infrastructure for your application removes one of the more complex items from that list: the cross-border transfer PIA for your core application data. That is a real reduction in compliance work and ongoing documentation burden.

For the rest, consult legal counsel familiar with Quebec privacy law. The CAI also publishes guidance documents that are worth reading directly.


If you are evaluating hosting options with Law 25 in mind, our Canadian hosting overview covers the infrastructure and jurisdiction details in full.
