This content is provided for informational purposes and does not constitute legal advice. For any decision with legal or regulatory implications, consult a lawyer or the Commission d'accès à l'information (CAI).

βš–οΈ
Legal information β€” not legal advice This content is educational and general. It does not constitute legal advice and does not assess your particular situation. Consult a lawyer or the CAI for any decision.
CHAPTER 3

The Key Concepts of Law 25

Mastering the vocabulary is essential. Misunderstanding these definitions is the number one source of compliance mistakes.

3.1 Β· Core definition

Personal information β€” a very broad definition

Personal information is any information that concerns a natural person and allows that person to be identified, directly or indirectly.

Examples: name, address, email, phone number, IP address, customer number, photo, geolocation data, purchase history linked to an account.

Practical rule: It's not the "sensitive" nature of the information that matters, but its ability to link a piece of data to an identifiable person. An ordinary file number becomes personal information if it can be cross-referenced to identify someone.
3.2 Β· Special category

Sensitive personal information β€” enhanced protection

Information is sensitive when, by its nature or the context of its use, it gives rise to a high degree of reasonable expectation of privacy.

Examples: health data, biometric data (fingerprints, facial recognition), sexual orientation, ethnic origin, political opinions, detailed financial data.

Practical consequence: sensitive information generally requires express consent (not merely implied) and enhanced protection.

3.3 Β· Fundamental rule

Valid consent β€” 5 mandatory criteria

Consent must be:

Criterion 1
Manifest
Clear, unambiguous. Not implied consent through inaction.
Criterion 2
Free
Without coercion or abusive conditioning. The person can refuse without suffering harm.
Criterion 3
Informed
The person understands what they're consenting to: purposes, means, rights.
Criterion 4
For specific purposes
Not a "catch-all" consent for every possible use.
Criterion 5
Requested separately
Distinct from any other information β€” not buried in terms of service.
Consent buried in terms of service is no longer valid. A checkbox buried in a wall of terms and conditions does not constitute valid consent under Law 25.

Minors under 14: consent is given by the holder of parental authority.

3.4 Β· Artificial intelligence

Automated decisions β€” transparency obligations

When a decision is made exclusively on the basis of automated processing (an algorithm that denies credit, screens job applications, etc.), the organization must:

  • Inform the individual that the decision is automated
  • Provide them, on request, with the information used and the main factors
  • Allow them to submit their observations to a staff member able to review the decision
Generative AI: any AI system that processes personal information or makes automated decisions falls under Law 25.
3.5 Β· Critical distinction

Anonymization vs. De-identification

ConceptDefinitionScope under Law 25
De-identificationRemoval of direct identifiers. Re-identification remains possible but unlikely.βœ— The data remains personal information subject to the law.
AnonymizationIrreversible modification following best practices. Re-identification is not reasonably possible.βœ“ Falls outside the law's scope β€” freely usable.
Removing just the name is not enough. If the data remains re-identifiable (by cross-referencing other fields), it is de-identification β€” the law continues to apply.

βœ“ Concepts checklist

  • ☐ Have we mapped which data we hold is "sensitive"?
  • ☐ Do our forms request clear, separate consent for specific purposes?
  • ☐ Do we use automated decision-making tools? If so, are they properly governed?
  • ☐ Is our "anonymized" data truly irreversible according to best practices?