
Compliance crosswalk · Quebec Law 25

Quebec Law 25 / Bill 64 (Quebec) - email + domain controls, mapped to Wiredepth

Framework version: Act respecting the protection of personal information in the private sector; phased in September 2022 → 2024

Who this is for. Any enterprise operating in Quebec that collects, uses, or communicates personal information of a Quebec resident, in the course of its commercial activities. Public bodies and political parties are also covered by parallel rules. Quebec residents outside the province retain Law 25 protection when their personal information is collected by Quebec-operating entities.

What makes Law 25 different from PIPEDA. Law 25 is materially more demanding: mandatory designation of a person in charge of privacy (the Chief Privacy Officer in practice), mandatory privacy impact assessments before new projects involving personal information, mandatory breach notification to the Commission d'accès à l'information (CAI), mandatory data-portability rights, mandatory disclosures around automated decision making, and administrative monetary penalties up to 4% of global turnover or CAD 25M (whichever is greater).

Phased timeline. CPO designation + breach-reporting since September 2022. PIA requirements + biometric registration + transparency obligations since September 2023. Data-portability + most other rights since September 2024. Enforcement is live.

Clause-by-clause mapping

Each row maps a specific Quebec Law 25 requirement to the Wiredepth surface that addresses it. The clause ids are the framework's own naming - verify them against the official text. We use precise language: "addresses" (the tool directly satisfies the control), "supports" (the tool contributes evidence the auditor will need), and "evidence for" (the artifact is part of the attestation package).

Section 3 / 8 - Person in charge of personal information (Reporting)
  Requirement: Every enterprise must designate a person in charge of the protection of personal information whose contact information is published on the enterprise website.
  Wiredepth response: Wiredepth itself is a sub-processor option for enterprises in this designation. Compliance PDFs + the audit-log chain provide the periodic reporting artefact the CPO presents to the board.

Section 3.3 - Privacy impact assessment (PIA) (Monitoring)
  Requirement: A PIA must be completed before any project involving the acquisition, development, or overhaul of an information system or electronic-service-delivery system that processes personal information.
  Wiredepth response: Workpapers (email-auth, TLS, vendor, DNS, incident) provide the technical-controls input for the PIA. The vendor consolidation audit covers the third-party section that CAI guidance highlights as commonly under-documented.

Section 3.5 - Confidentiality incidents (Reporting)
  Requirement: When a confidentiality incident occurs that presents a risk of serious injury, the enterprise must (a) notify the CAI promptly, (b) notify affected individuals, and (c) record every incident in a register kept available for the CAI on request.
  Wiredepth response: The incident-readiness workpaper documents the notification timeline + decision tree in the format CAI guidance expects. The audit-log Merkle chain provides the tamper-evident incident register.

Section 10 - Security measures (Transport)
  Requirement: Any person carrying on an enterprise must take security measures to ensure the protection of personal information, having regard to the sensitivity, purpose, quantity, and means of communication.
  Wiredepth response: TLS + MTA-STS + DMARC + DKIM + SPF analysers cover the technical security-measure surface for the email channel. Continuous monitoring is the demonstrable run-rate control.

Section 12.1 - Privacy by default (Authentication)
  Requirement: A technology product or service offered to the public must, by default, provide the highest level of confidentiality to the user without intervention.
  Wiredepth response: DMARC at p=reject is the email-channel equivalent of privacy by default for sender authentication. Wiredepth Pro+ alerts the moment posture regresses from the default the organisation committed to.

Section 14 - Communication outside Quebec (Inventory)
  Requirement: Before communicating personal information outside Quebec, the enterprise must conduct an assessment of the privacy-related factors. This includes communication to third-party email senders located outside Quebec.
  Wiredepth response: The vendor consolidation audit identifies the jurisdiction of authorised email senders (most US-headquartered: SendGrid, Mailgun, Postmark, etc.). This is the per-vendor assessment input for the Section-14 cross-border analysis.

Section 21 - Right to portability (Reporting)
  Requirement: Individuals have the right to obtain the personal information they've provided in a structured + commonly-used technological format, and to have it communicated to any person or body authorised by law to collect such information.
  Wiredepth response: Wiredepth's own /api/v1/audit/export endpoint demonstrates the portability pattern (JSONL + JSON envelope). Use the same shape for customer-facing portability flows that involve email-channel personal information.

What auditors actually look at

A CAI investigator (or internal compliance office) reviewing the email + domain surface would typically request:

  • The published name + contact information of the person in charge of personal information protection
  • PIA records for any email-system project undertaken since September 2023
  • The confidentiality-incident register (every incident, not just reportable ones)
  • Section-14 cross-border assessment records for each authorised email-sending vendor located outside Quebec
  • Demonstrated privacy-by-default configuration on customer-facing email surfaces

Generate a Quebec Law 25-tagged evidence pack (Wiredepth Prove)

Prove subscribers can generate a ZIP of all five workpapers + a Quebec Law 25 README in one click. Single domain, single click, ready to file in your audit binder. See pricing at /pricing#prove ($499/mo standalone, bundled in Enterprise).

Disclaimer. This crosswalk is provided for informational purposes. It is not legal advice, audit guidance, or a substitute for engagement with a qualified assessor (QSA for PCI, accountant or QSA for SOC 2, lawyer for HIPAA / NIS2 / SEC). Framework clause ids and language may have been updated since publication; verify against the official text. Wiredepth does not guarantee compliance based on the use of any tool or page on this site.