Skip to main content
MAXICOM Canada · Since 2008 Sell IT
ENFR
Home · Standards · Quebec Law 25 (formerly Bill 64) — Loi 25
Standard · Quebec Law 25

Quebec Law 25 (formerly Bill 64) — Loi 25

Quebec's Act to modernize legislative provisions as regards the protection of personal information (Loi 25, formerly Bill 64, fully in force September 2023) is the strictest private-sector privacy law in North America. For organisations operating in Quebec, Loi 25 imposes specific obligations on personal-information destruction at retirement, mandatory breach reporting to the Commission d'accès à l'information (CAI), Privacy Impact Assessments for new ITAD vendors, and significant penalties (up to CAD 25M or 4% of global revenue).

Request a Quote Contact

Loi 25 — what makes it strictest in North America

Loi 25 imposes obligations beyond PIPEDA in several areas: mandatory Privacy Officer designation, Privacy Impact Assessments before deploying new technologies that process personal information, mandatory breach reporting to CAI within prescribed timeframes, formalised right of erasure (data portability + right to be forgotten), explicit consent requirements stronger than PIPEDA, and penalties up to CAD 25M or 4% of global revenue. For ITAD specifically, the Privacy Impact Assessment requirement applies to selecting a new ITAD vendor — an existing vendor relationship is grandfathered but a new engagement triggers PIA.

Privacy Impact Assessment for ITAD vendor selection

Article 3.3 of Loi 25 requires a Privacy Impact Assessment for projects that involve the acquisition or modification of an information system that processes personal information. Selecting a new ITAD vendor is in scope. Maxicom provides a pre-prepared PIA documentation pack to support customer PIA processes — vendor due-diligence summary, data-flow map, security controls inventory, sub-processor list, breach-history disclosure, certificate-format samples.

Breach reporting to CAI

Loi 25 mandates breach reporting to the Commission d'accès à l'information for breaches involving personal information that present a risk of serious injury. ITAD-relevant breaches in scope. Maxicom incident-response playbook coordinates with the customer's CAI reporting workflow within the prescribed timeframe.

Bill 96 / Charter of the French Language — operational implications

Quebec's Charter of the French Language (Loi 14, formerly Bill 96) requires French-language documentation for commercial activities in Quebec. Maxicom's Quebec engagements provide French-language manifests, French-language certificates of destruction, French-language quarterly reports. The technical content (NIST SP 800-88 Rev. 1, IEEE 2883-2022) is referenced in original English with French explanation; the legal-effect content is in French.

Quebec FRFI engagement profile

Major Quebec FRFIs (National Bank, Desjardins, Industrielle Alliance) operate to Loi 25 + OSFI B-13 simultaneously. Maxicom certificate format satisfies both. Quebec-French native commercial-translator review of customer-facing materials is recommended for engagements at this tier.

Regulator stack — by region Every Maxicom certificate is admissible against the full stack simultaneously UNIVERSAL NIST SP 800-88 Rev. 1 · IEEE 2883-2022 · DoD 5220.22-M · NAID-grade Protocol 🇮🇳 INDIA INR · IST PRIVACY DPDPA 2023 BFSI RBI IT-Risk SECTOR-SPECIFIC SEBI · IRDAI · CERT-In · CPCB 🇨🇦 CANADA CAD · EST PRIVACY PIPEDA · Quebec Law 25 BFSI OSFI Guideline B-13 SECTOR-SPECIFIC PIPA (AB/BC) · PHIPA · ITSG-33 🇸🇬 SINGAPORE SGD · SGT PRIVACY PDPA Section 24 BFSI MAS TRM SECTOR-SPECIFIC IMDA · NEA Resource Sustainability Act 🇦🇪 UAE AED · GST PRIVACY UAE PDPL Article 21 BFSI Central Bank UAE SECTOR-SPECIFIC TDRA · DIFC DPL · ADGM · NESA
Reviewed by the Maxicom compliance desk. Last updated April 2026.
Operates to NIST 800-88 · PIPEDA · OSFI B-13 · NAID-grade · IEEE 2883-2022
References

Authoritative references

Primary sources for the standards and frameworks referenced on this page. Maxicom maps every engagement to these recognised authorities.

Frequently asked questions

Frequently asked questions

Do you provide French-language certificates for Quebec engagements?

Yes. Quebec-French commercial-translator-reviewed certificate templates available; legal-effect content in French, technical-standard references in original English with French explanation.

What about the Privacy Impact Assessment for vendor selection?

Maxicom provides a pre-prepared PIA documentation pack — vendor due-diligence, data-flow map, security controls, sub-processor list, breach history. Supports the customer's PIA process.

How does Loi 25 interact with OSFI B-13 for Quebec FRFIs?

They compose. Loi 25 covers personal-information protection; B-13 covers technology and cyber risk management. Maxicom certificates satisfy both simultaneously.

What is the typical breach-report-to-CAI timeline?

Loi 25 specifies "with diligence" — operationally, customers typically aim for 72-hour notification. Maxicom incident-response playbook supports the 72-hour window.

Is Bill 96 / Loi 14 just about translation, or does it affect operations?

Both. Customer-facing operations (manifests, certificates, quarterly reports) must be in French. The internal technical operations are in working language but the customer-facing documentation is bound by Loi 14.

Explore further

Related practices, regulators & markets

Service

Green IT Disposal

Green IT
Buyback

Dell Server Buyback

Dell server buyback
Buyback

Laptop Buyback

Laptop buyback
Buyback

Government IT Equipment Buyback

Government IT buyback
Buyback

IT Hardware Buyback

IT hardware buyback
Industry

Data Centres

Data centres
Solution

Branch Closure / IT Retirement

Branch closure
Location

IT disposal in Vancouver

Vancouver
Service

ITAM & Remarketing

ITAM & remarketing

When you are ready

Send the asset list. We will send the number.

A photograph of the rack works. A spreadsheet works better. CAD settlement, against PO.

Sell IT — Start an RFQ — 90 seconds → Request a service WhatsApp +1 437-996-2283
purchase@maxicom.ca · per engagement SLA