Law 25: a new enforcement scheme for protection of personal information in the private sector in Québec

Jan 16, 2024
Authors
Kristian Brabander

Partner, Disputes, Montréal

Josy-Ann Therrien

Associate, Disputes, Montréal

On September 22, 2023, the majority of the amendments to the Québec privacy legislation introduced in the Act to modernize legislative provisions as regards the protection of personal information (Law 25, previously Bill 64) came into force. These include several new enforcement powers given to the Québec Commission d’accès à l’information (the Commission).

This Update outlines the Commission’s new powers of investigation, as well as the potential fines and penalties for violations of the Act respecting the protection of personal information in the private sector (the Private Sector Act or the Act). Finally, we also address the new statutory punitive damages provision.

Powers of investigation

While investigative powers already existed under the previous version of the Private Sector Act, Law 25 now expands the scope and powers of the Commission to obtain information and to issue certain orders.

For example, the Commission now has the power to

  • require any party, whether subject to the Private Sector Act or not, to produce any information or document to verify compliance with the Act and its regulations (s. 81.3)
  • order a party to take any action to protect the rights of those concerned when a confidentiality incident is brought to its attention (s. 81.4)
  • compel any information it requires from a party carrying on an enterprise on the implementation of the Private Sector Act (s. 83.1)

Administrative monetary penalties

Law 25 provides for administrative monetary penalties (AMPs) of up to C$10 million or the amount corresponding to 2% of the enterprise’s worldwide turnover for the preceding fiscal year — whichever is greater.

AMPs may be imposed on anyone who

  • fails to inform the persons concerned (upon request) of the source, purpose and means of collection of information, access and rectification rights, and the right to withdraw consent to the communication or use of the information collected
  • collects, uses, communicates, keeps or destroys personal information in violation of the law
  • fails to report a confidentiality incident to the Commission or to the persons concerned, where required to do so
  • fails to take the security measures that are necessary to ensure the protection of personal information collected, used, communicated, kept or destroyed, and that are reasonable given the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored
  • fails to inform the person concerned by a decision that is based exclusively on an automated process or to give the person an opportunity to submit observations
  • is a personal information agent (an organization that establishes files on other persons and sends credit reports) and contravenes any of sections 70, 70.1, 71, 72, 78, 79 and 79.1 of the Private Sector Act

On May 11, 2023, the Commission published a general framework for the application of AMPs (available in English on Osler’s AccessPrivacy offering), which sets out the purpose of AMPs and several criteria guiding the decision to impose an AMP, such as the nature, seriousness, repetitiveness and duration of the breach; the sensitivity of personal information; the number of individuals exposed; the measures taken to remedy the breach; and the degree of cooperation with the Commission.

Before imposing an AMP, the Commission is supposed to have notified the party in default of the notice of non-compliance. Upon receipt of the notice, the party in default may contact the Commission to submit additional observations and should take immediate action to remedy the alleged non-compliance. If the non-compliance is not remedied, an AMP may be imposed by way of a notice from the Commission setting out the amount claimed, the reasons supporting the imposition of an AMP and the date from which the amount will bear interest. The notice must also contain information on the procedure for recovery of the amount claimed and set out the right to request a revision of the decision, including the deadline to do so, as well as the right to contest the reconsideration decision before the Court of Québec.

Note that Law 25 also provides for a mechanism to avoid the imposition of AMPs. A corporation targeted by an AMP can offer an undertaking to the Commission to take measures to remedy the non-compliance or mitigate its consequences. The undertaking must identify the acts or omissions constituting non-compliance and the provisions involved. The Commission will then examine the undertaking submitted and may add any conditions it considers necessary, including a requirement to pay a sum of money. If the undertaking submitted by the corporation is accepted by the Commission and is complied with, no AMPs may be imposed on the corporation with regard to the acts or omissions mentioned in the undertaking.

Penal proceedings

Law 25 also provides for a new penal enforcement scheme. Since September 22, 2023, the Commission has had the power to initiate penal proceedings within five (5) years of the commission of an offence and to impose fines of up to C$25 million or the amount corresponding to 4% of worldwide turnover for the preceding fiscal year, whichever is greater. Law 25 also provides for a minimum fine of $15,000 for corporations, and for the doubling of fines in the case of a subsequent offence.

Anyone who does the following commits an offence:

  • collects, uses, communicates, keeps or destroys personal information in contravention of the law
  • fails to report, where required to do so, a confidentiality incident to the Commissioner or to the persons concerned
  • fails to take the security measures that are necessary to ensure the protection of the personal information collected, used, communicated, kept or destroyed, and that are reasonable given the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored
  • identifies or attempts to identify a natural person by using de-identified information, without the authorization of the person holding the information or using anonymized information
  • is a personal information agent (an organization that establishes files on other persons and sends credit reports) and contravenes any of the rules applicable to such organizations (found in sections 70, 70.1, 71, 72, 78, 79 and 79.1 of the Private Sector Act)
  • impedes the conduct of an inquiry or inspection by the Commission or the hearing of an application by the Commission by providing it with false or inaccurate information, by omitting to provide information it requires, or otherwise
  • refuses or neglects to comply, within the specified time, with a request made by the Commission
  • fails to comply with an order of the Commission

Notably, the list of offences that can give rise to penal proceedings is not the same as the list of non-compliances for which AMPs may be imposed (although there is some overlap).

The general framework published by the Commission on May 11, 2023, establishes that the circumstances in which penal proceedings are generally favored over AMPs include, but are not limited to, where

  • the actual or apprehended consequences of the offence are serious or very serious
  • the party in default has not taken adequate measures to remedy the offence despite the imposition of AMPs
  • the party in default has acted intentionally, negligently or recklessly
  • an investigation or inspection by the Commission was obstructed, notably by the providing of false or inaccurate information or by the failure to provide information required by the Commission
  • several breaches or violations of the Private Sector Act have been committed by the same party in default or are recurrent over time

Law 25 provides for some guidance to the judge in determining the amount of the fine, including the nature of the offence, the sensitivity of the information, the state of mind of the offender (intentional, negligent, reckless, etc.), the predictability of the offence, the attempt to cover up the violation, the steps taken to avoid the violation, the intended or actual increase in revenue associated with the violation and the number of persons concerned.

Law 25 maintains the penal responsibility of officers and directors who direct, authorize or acquiesce in the act or omission constituting the offence. Such officers and directors are considered a party to the offence and are liable to the punishment provided.

Statutory right to punitive damages

In Québec, punitive damages can only be awarded where there is an express statutory basis for them. Only a few laws allow individuals to claim punitive damages. The most widely used provision in civil privacy claims is article 49 of the Québec Charter of human rights and freedoms, which allows for punitive damages where there is an unlawful and intentional infringement of the rights and freedoms recognized therein — including the right to respect for private life (article 5).

Law 25 introduces a new, independent private right to claim punitive damages where the infringement of a right conferred by the Private Sector Act or by articles 35 to 40 of the Civil Code of Québec causes harm and where the infringement is intentional or results from a gross fault.

Unlike any other statute providing for an award of punitive damages in the province of Québec, section 93.1 of the Private Sector Act sets a minimum, providing that the “court shall award punitive damages of not less than $1,000”, without regard to the usual criteria for analyzing the amount of punitive damages (e.g., state of mind, profits generated, ability to pay, etc.). Although this new section 93.1 may be invoked in civil proceedings, a claim for punitive damages under this section will still require the demonstration of actual harm (i.e., injury) and causation, in addition to intentionality or gross fault (i.e., gross negligence).

Comments

The new enforcement scheme of Law 25 that came into force on September 22, 2023, will certainly impact the activities of any enterprise doing business in Québec and should be considered when updating privacy guidelines.

The Commission’s new investigative powers should not be underestimated, especially when taken together with the AMPs and penal proceeding provisions (and perhaps also the new statutory punitive damages provision).

More information about the Private Sector Act and Law 25’s requirements and other privacy developments and legislation across Canada can be found by subscribing to Osler’s AccessPrivacy offering.