Bill 25 applies to your union. Here is what it means concretely for your member lists, your communications, and the digital tools your organization uses.

Bill 25, in force since September 2023, applies to any organization that collects, uses, or communicates personal information in Quebec. Your union falls fully under this definition. Your members' names and contact details, participation data from votes and assemblies, information related to individual representation: all of this constitutes personal information under the law.
Your organization must appoint a person responsible for the protection of personal information. By default, this is the person with the highest authority, until a formal delegation is documented. In many unions, no one knows exactly who holds this role today.
If personal information is compromised, your organization must document the incident. Depending on the severity, you must also notify the Commission d’accès à l’information and the individuals concerned. Without a structured communication channel, documenting what circulated and to whom becomes nearly impossible.
Information collected must serve specific purposes and cannot be kept indefinitely. In practice, that means having an answer to this question: do the members whose names are still on your distribution list still have the status that justifies being there?
A member can request to consult the personal information you hold about them. If that information is spread across five different channels, reconstructing what exists and where it is takes considerable time.
Fortisia hosts your member data on servers in Canada and manages access by role, with a reviewable history of every change.
On the ground, what we hear most often: “We have nothing to hide.” Bill 25 is not about bad intentions. It is about control.
When your union communications run through a Facebook group, your members’ data is processed by Meta on servers in the United States, subject to the American CLOUD Act. Privacy settings can change without notice. If a member leaves your union and is removed from the group, their past interactions remain on Meta’s servers.
Messenger, WhatsApp, and personal email have the same structural problem: they were designed for individual use, not for the governance of an organization representing hundreds or thousands of workers.
In practice, three concrete gaps result from this.
No traceability. Who received what, when? Hard to document when your communications are spread across five different channels. In the event of a dispute, you have nothing to show.
Access that does not manage itself. A retired member, a worker in dispute, a delegate whose mandate has ended: are they still in your groups? In most unions, no one follows up systematically. Access accumulates.
Hosting outside Canada by default. Facebook, Google, WhatsApp: servers are in the United States. Your transparency and control obligations under Bill 25 become much harder to satisfy in this context.
How long do you keep your member lists? Your assembly minutes? Exchanges related to your negotiations? In many organizations, the honest answer is: until someone deletes the file. That is not a retention policy. That is improvisation.
Does your regional delegate need to see the contact details of all your members? Does your mobilization coordinator need access to your confidential negotiation documents? Access control by role and group is not a technical detail. Bill 25 makes it a duty of care.
When you use Mailchimp for mass emails or SurveyMonkey for surveys, you remain responsible for the protection of shared data. These platforms have their own privacy policies, their own servers, their own retention practices. That deserves verification, not a checked box.
A privacy incident in your union is not primarily a fine. It is damage to the trust relationship with the members you represent.
The most common situations do not trigger legal sanctions. They trigger something harder to repair: a former member still accessing your internal communications because no one updated their access. A member list sent from a personal address during an executive transition. A negotiation document shared in the wrong group. These gaps are avoidable. When they happen, your executive spends time managing the fallout instead of working on the files that matter.
A few concrete steps can significantly reduce your exposure without rebuilding everything at once.
Designate a responsible person officially, with documented delegation. Review access to your communication tools: who is in which groups, and when your lists were last updated. Establish a minimal retention policy, even a basic one. Centralize your official communications in an environment where your organization controls who sees what, where data is hosted in Canada, and where governance belongs to you.
Fortisia automatically removes access when a member’s status changes, and keeps a record of changes for your traceability requirements.
A union that takes Bill 25 seriously does not do so only to avoid a sanction. It does so because its members entrust it with their personal information as part of their working lives. That trust is earned with every decision.
No more member data scattered across Facebook groups, Messenger threads, and unstructured email chains.
Fortisia centralizes your union’s communications in a structured environment, hosted in Canada, with access defined by role, group, and local section.
Your members get direct access to:
Result: your data stays in Canada, your access is documented, your governance holds up.
Yes. Bill 25 applies to any organization that collects, uses, or communicates personal information in Quebec, regardless of its legal nature. If you manage a member list, participation data, or representation documents, you are subject to the same requirements as a private company.
Your members’ names, addresses, phone numbers, email addresses, employment status, and union participation information are all personal information under the law. Representation documents that identify a member individually also fall into this category.
The Commission d’accès à l’information can impose administrative monetary penalties. But beyond fines, the absence of a designated officer means no one is monitoring incidents, documenting practices, or responding to your members’ access requests. The operational risk is often more immediate than the legal one.
Technically possible, but very difficult to maintain. The law requires control over data shared with third parties, access traceability, and the ability to respond to your members’ requests. Facebook does not allow these requirements to be met rigorously: your data moves to American servers, access is difficult to audit, and privacy settings change without notice. Fortisia hosts your data in Canada, with documented and auditable role-based access control.
The law does not set a specific frequency, but an annual review is good practice. Natural triggers include changes to digital tools, adding a new service provider, an executive election, or a privacy incident, even a minor one.