Non-compliance with legal obligations regarding managing personal information: the penalties become clearer

Since the Act to modernize legislative provisions as regards the protection of personal information (Act 25) was adopted in 2021, several changes to the Act respecting the protection of personal information in the private sector (the Private Sector Act) have come into effect. These changes are described at greater length in earlier publications (such as here and here).

Ahead of this reform’s last milestone’s implementation on September 22, 2024, and to serve as a reminder, mechanisms designed to ensure that businesses comply with the new Private Sector Act requirements have been in effect since last September. These include the monetary administrative penalties (MAP) system administered by the Commission d’accès à l’information du Québec (CAI) and penalties of up to $10 million or 2% of the business’s worldwide turnover. 

MAPs are imposed by the CAI when businesses breach their obligations under the Private Sector Act, for example if they fail to report a confidentiality incident that must be reported to the CAI or to the persons concerned.

The Cadre général d’application des sanctions administratives pécuniaires (general framework for the application of monetary administrative penalties, or Framework), recently published by the CAI, presents elements that guide the treatment of breaches and imposition of MAPs on businesses that fail to comply with the Private Sector Act. The Section de surveillance de la CAI (the CAI’s oversight division, or Division) is vested with a broad discretionary power to assess the expediency of imposing a MAP based on each case’s specific circumstances.

Procedure for imposing MAPs

Before a MAP is imposed, a notice of non-compliance must be sent to the business urging it to take, without delay, the measures required to remedy the failure. If the business fails to comply with the notice, a MAP will then be imposed by  a notice of claim setting out, among other things, the amount of the MAP, the reasons for it, the time from which it bears interest and the time limit for applying for a review of the MAP.

A business may at any time enter into an undertaking with the CAI to take the measures necessary to remedy the failure or mitigate its consequences. Under the Framework, if the undertaking is accepted by the CAI and complied with by the business, no MAP may be imposed for acts or omissions mentioned in the undertaking.

Categories of applicable MAPs

As the Private Sector does not include base amounts for imposing MAPs, it grants the Division a broad discretionary power. To establish an appropriate and proportional MAP, the Division takes a two-pronged approach.

1. Base amount

When exercising its discretionary power, the Division must take the following criteria into consideration:

• the nature, repetitiveness and duration of the failure;
• the sensitivity of the personal information concerned by the failure;
• the number of persons concerned by the failure and the risk of injury to which they are exposed.

Using these criteria, the CAI created four categories of failures, from “[TRANSLATION] minor failures […] the anticipated consequences of which are nil or minor” to “[TRANSLATION] very serious failures that adversely affect the protection of personal information and the anticipated consequences of which are serious, real and/or irreparable.” In the case of businesses, the base MAP amount for each of these categories will vary from $1,000 to $15,000.

2. Mitigating and aggravating factors

To establish an appropriate and proportional MAP, the base amount may be increased or reduced to reflect mitigating or aggravating factors, including the following:

• the abovementioned criteria determining the base amount;
• the measures taken by the person in default to remedy the failure or mitigate its consequences;
• the degree of cooperation provided to the CAI to remedy the failure or mitigate its consequences;
• the compensation offered by the person in default, as restitution, to every person concerned by the failure; and
• the ability to pay of the person in default, given such considerations as the person’s assets, turnover and revenues.

Conclusion

The Division has the discretionary power to impose MAPs ranging from the applicable base amount up to the maximum amount ($10 million, or, if greater, 2% of worldwide turnover for the preceding fiscal year).

In that regard, we note that the Framework does not encourage the routine application of the maximum MAP amount, although it remains an option; indeed, a vast array of possible sanctions allows the MAP to be adapted to the specific situation at hand, which suggests that a MAP of $10 million or more should only be imposed under exceptional circumstances. Such sanctions nevertheless remain a possibility, hence the importance for businesses to ensure they comply with the requirements introduced by Act 25.

The authors would like to thank Marilou Bouthiette, articling student, for her contribution to preparing this legal update.