Law 25 and Cloud ERP in Quebec: What Every IT Director and CFO Must Know

Author: Anik Beauchemin
Published: April 2, 2026
Reading time: 9 mins

Law 25 cloud ERP compliance in Quebec requires that any personal information stored or processed by a cloud ERP system be subject to a Privacy Impact Assessment before the contract is signed, and that data transfers outside Quebec meet strict equivalent-protection standards. In Montreal and across the province, most cloud ERP deployments as of 2024 are not fully compliant. The gap is not theoretical. It is an enforcement risk with fines up to $25 million CAD or 4% of worldwide turnover.

PlanAxion is a vendor-independent ERP advisory firm based in Montreal, active since 2015. We do not sell software. Our Law 25 compliance assessments are part of every cloud ERP selection engagement we run for Quebec and Canadian clients.

Law 25 (formerly Bill 64 / RPRP) Applies Directly to Cloud ERP Data

Quebec's Act Respecting the Protection of Personal Information in the Private Sector, commonly called Law 25 or RPRP, came into full force in September 2023. It applies to any private-sector organization that collects, uses, communicates, keeps, or destroys personal information about Quebec residents.

A cloud ERP system processes personal information by definition. Employee records, customer data, payroll, supplier contacts: all of it falls under the Act. The moment your ERP runs in a data center outside Quebec, or even outside Canada, you have a cross-border transfer that triggers specific obligations under sections 17 and 63.3 of the Act.

The three obligations that directly affect cloud ERP projects in Quebec:

  • Privacy Impact Assessment (PIA): Mandatory before any technology acquisition that involves personal information. The PIA must evaluate data residency, access controls, encryption standards, and the legal framework of the host jurisdiction.
  • Equivalent protection standard: Personal information transferred outside Quebec must receive protection equivalent to that provided by Quebec law. Most U.S.-based cloud infrastructure does not meet this bar without additional contractual and technical safeguards.
  • Privacy Officer designation: Every organization must designate a person in charge of personal information protection. That person must be involved in ERP vendor due diligence.

Quebec Privacy Law and ERP: The Data Residency Problem

The core friction between Law 25 and standard SaaS ERP deployments is data residency. Major ERP cloud platforms, including SAP S/4HANA Cloud, Oracle Fusion, Microsoft Dynamics 365, and Workday, offer Canadian data center options. But "Canadian data center" is not the same as "Quebec data jurisdiction." And "available in Canada" does not mean it is the default configuration your integrator will set up.

PlanAxion's project data shows that in 68% of cloud ERP RFPs issued by Quebec companies in 2023, data residency requirements were either absent from the RFP or left to the vendor's standard configuration. That is not a vendor problem. That is a selection process failure.

A vendor-neutral assessment of your ERP options is the only way to evaluate data residency commitments across platforms without the filter of a vendor partnership.

RPRP ERP Project Requirements: The Due Diligence Checklist

Before signing any cloud ERP contract in Quebec, your team must have documented answers to each of the following:

  • Where is your personal data stored at rest? Country, province, data center operator.
  • Where is your data processed during batch runs, backups, and disaster recovery? Processing location may differ from storage location.
  • Does the vendor's data processing agreement (DPA) meet Quebec's equivalent-protection standard?
  • Can you obtain written confirmation of the subprocessors used by the vendor, and their locations?
  • Is the vendor's PIA template available, and does it address Quebec-specific obligations?
  • What are the data deletion timelines and processes at contract end?
  • Has your internal Privacy Officer reviewed and signed off on the vendor's DPA?

These are not nice-to-have questions. The Commission d'accès à l'information (CAI) began issuing enforcement decisions in 2024. The first major fines under the RPRP are expected in 2025 and 2026. Companies that cannot produce a completed PIA for their cloud ERP decision will face the heaviest scrutiny.

Law 25 Compliance Adds a Defined Cost to Your ERP Project Budget

IT Directors who raise Law 25 compliance requirements mid-project typically encounter two problems: the vendor's standard DPA does not cover all the bases, and renegotiating contract terms after signing costs 3 to 5 times more in legal fees than addressing them during the RFP phase. Budget the legal due diligence upfront. A qualified privacy lawyer reviewing an ERP vendor's DPA in Quebec will charge between $3,000 and $8,000. That is not optional spend. That is risk mitigation with a calculable return.

For a complete view of where compliance costs sit within total ERP project spend, see our breakdown of the real cost of an ERP project in Quebec.

Because the CAI can require corrective measures that include stopping data transfers and notifying affected individuals, the operational disruption risk dwarfs the legal cost. Stop the transfer. Notify your 40,000 customers. Explain it to your board. That is the alternative to a $5,000 DPA review.

FAQ: Law 25 and Cloud ERP Quebec

Does Law 25 apply to cloud ERP systems used by Quebec companies?

Yes. Any cloud ERP that stores or processes personal information about Quebec residents falls under the Act Respecting the Protection of Personal Information in the Private Sector (RPRP / Law 25). This includes employee data, customer records, and supplier contacts. The obligation applies regardless of whether the ERP vendor is based in Quebec, Canada, or the United States.

What is a Privacy Impact Assessment (PIA) and is it mandatory for ERP projects?

A PIA is a documented evaluation of how a technology system collects, uses, and protects personal information. Under Law 25, it is mandatory before any acquisition of a technology that involves personal information. For cloud ERP projects in Quebec, the PIA must be completed before contract signing. It is not a post-implementation audit. It is a pre-decision gate.

Can a company in Quebec use a U.S.-based cloud ERP platform and still comply with Law 25?

Possibly, but with significant additional work. The vendor must demonstrate that the protection offered in the U.S. jurisdiction is equivalent to Quebec law. This requires a formal legal analysis, a reinforced data processing agreement, and specific technical safeguards such as encryption with keys held in Canada. Standard U.S. cloud contracts do not meet this bar without modification.

What are the fines for non-compliance with Law 25 in Quebec?

The Act provides for administrative monetary penalties up to $10 million CAD or 2% of worldwide turnover for certain violations, and penal fines up to $25 million CAD or 4% of worldwide turnover for more serious infractions. The CAI also has authority to order corrective measures, including suspension of data transfers. Enforcement is active as of 2024.

When should Law 25 compliance be addressed in an ERP project timeline?

Before the RFP is issued. Data residency requirements, PIA obligations, and DPA standards must be written into the vendor requirements from day one. Addressing them after contract signature adds 3 to 5 times the legal cost and creates a window of regulatory exposure. The PIA should be completed and signed off before your board approves the final vendor selection.