Quebec government launches its digital identity project: Impacts for public bodies

Authors:

Canada | Publication | March 27, 2025

In a recent update, we introduced Bill 82, an Act respecting the national digital identity and amending other provisions (Bill 82), which aims to integrate the national digital identity into Quebec's public services. Bill 82 brings significant changes for public bodies, particularly regarding digital identity integration into their delivery of services.

In this legal update, we explore the impacts of Bill 82 on public bodies.

National digital identity services

The Minister of Cybersecurity and Digital Technology (Minister) is responsible for providing public bodies with services related to the national digital identity.¹ This responsibility is part of his mission to coordinate the digital transformation of the Quebec civil service since the ministry was created in January 2022 (see our article on this topic).

The purpose of these services is to support public bodies in their digital transformation, thus facilitating their ability to provide modern and efficient services. Using these services is mandatory, and organizations will have to adopt them according to the conditions determined by the Minister. However, the government may exempt an organization from this obligation.² No information is currently available on the criteria the government could consider.

Cybersecurity activities

Bill 82 further clarifies the general rule that the Minister oversees the cybersecurity activities of public bodies. In particular, it is specified that authorized public bodies without an administrative unit specialized in information security must use the services of the Minister unless they use the services of another body pursuant to an agreement authorized by the Minister.³

Furthermore, any public body that identifies a risk of serious injury related to a breach of confidentiality, availability or integrity of a confidential resource or information under its responsibility must promptly notify the Minister.⁴ A regulation of the Minister may determine the criteria, cases and circumstances in which a breach presents a risk of serious injury.⁵ The impact of this new provision should not be underestimated, as it would have a much broader scope than the notification obligations introduced by the Act to modernize legislative provisions as regards the protection of personal information⁶ (Law 25). Law 25 only covered privacy incidents involving personal information, whereas the obligation created by Bill 82 covers all confidential information.

In addition, the deputy minister is responsible for carrying out analyses concerning the security offered by an information asset (including government digital data) or an information resource service, used or to be used in a public body’s systems and infrastructure, and providing the latter with an opinion concerning the estimated security level.⁷

Official source of digital data

The Minister also plays a key role as the official source of government digital data and will be required to collect, use or communicate this data. “Government digital data” includes the name and date and place of birth of a natural person, as well as the name of the person’s parents, and the name and contact information of a legal person or partnership. Certain public bodies will also be required to collect this data from the Minister, use it or communicate it to him.⁸ Bill 82 also provides that the Minister may delegate certain functions to public bodies.⁹

In this context, the Minister and the public bodies with access to this data must comply with strict confidentiality and security rules, as defined by An Act respecting the governance and management of the information resources of public bodies and government enterprises¹⁰:

Privacy impact assessment (PIA): Before collecting or using personal information, a PIA must be carried out and then submitted to the Commission d'accès à l'information (CAI).¹¹ For more information on PIAs, consult our article on the topic.
Management of personal information: Public bodies and the Minister must implement governance rules governing the personal information they hold.¹² These rules must include provisions for the retention and destruction of this information and must be published on their websites.¹³
Annual report: At the end of each financial year, a report detailing the personal information collected, used or shared during the year must be submitted to the CAI and published on the websites of public bodies and the Minister.¹⁴

Public bodies that receive personal information from a public body subject to these requirements or from the Minister must submit to an external audit to ensure compliance with the highest standards of information security and data protection.¹⁵ The Minister may, however, provide for cases where this requirement is not necessary.¹⁶

Objectives and targets of the public bodies

For the purposes of the national digital identity, the government may determine the objectives and targets applicable to public bodies.¹⁷ Such objectives and targets may concern:

Access by citizens to simplified, integrated and quality services;
The rate of use by citizens for digital services; and
Carrying out information resource projects related to digital identity.¹⁸

The government may also specify the terms and conditions of agreements enabling the interoperability of the national digital identity with the systems and infrastructure of other entities.¹⁹ As such, the government can require that these agreements be entered into jointly by the public body in question and the Minister.²⁰ A subsequent publication will deal with Bill 82’s impact on public bodies’ telecommunications infrastructures and services.

Public bodies cannot impose the use of the national digital identity on citizens to enable them to access public services.²¹ Digital identity will not replace existing physical identity documents. However, public bodies will have to promote its integration in order to achieve the results expected by the government.

Conclusion

The Minister plays a central role in defining and coordinating the infrastructure and services related to the national digital identity, government digital data and cybersecurity. With Bill 82, we see that the Quebec government is launching the next major stage of its digital transformation project, which will have repercussions on all Quebec public bodies. It will be essential for them to closely monitor Bill 82’s progress to understand how to adapt to it and take full advantage of this initiative in their digital transformation processes. However, the scope and pace of implementation of these measures have yet to be determined.

Footnotes

¹ s. 6 Bill 82.

² s. 6 Bill 82.

³ s. 10 Bill 82.

⁴

s. 11 Bill 82.

⁵ s. 11 Bill 82.

⁶ LQ 2021, c 25.

⁷

s. 12 Bill 82.

⁸ s. 6 Bill 82.

⁹

s. 6 Bill 82.

¹⁰ CQLR, c G-1.03 [AGMIR].

¹¹

s. 12.16(1), para. 1 AGMIR.

¹²

s. 12.16(1), para. 2 AGMIR.

¹³ s. 12.16(2) AGMIR.

¹⁴

ss. 12.17 and 12.18 AGMIR.

¹⁵

s. 12.19(1) AGMIR.

¹⁶

s. 12.19(2) AGMIR.

¹⁷ s. 6 Bill 82.

¹⁸

s. 6 Bill 82.

¹⁹ s. 6 Bill 82.

²⁰ s. 6 Bill 82.

²¹ s. 6 Bill 82.

Contact

Véronique Barry

Partner

veronique.barry@nortonrosefulbright.com

Québec

T: +1 418 640 5170

Recent publications

Publication

2025 federal election: Third-party regulated activities

Canada’s 45th general election will take place on April 28. Businesses and non-profits that are considering engaging in the political process during this time must know the law and understand how to navigate the rules and restrictions imposed by the Canada Elections Act (CEA).

Canada | March 28, 2025

Government relations and public policy

Publication

US steel and aluminum tariffs and Canadian retaliatory tariffs now in effect

On March 12, 2025, the US imposed tariffs of 25% on Canadian steel and aluminum, including many derivative products. The same day, Canada announced its intention to enforce $29.8 billion in retaliatory tariffs.

Canada | March 27, 2025

International trade

Publication