Quebec - Data Protection Overview
Data protection law in the province of Quebec is comprised of various federal and provincial statutes. These laws include data protection statutes of general application for both private and public organisations, as well as sector-specific statutes and related laws, such as anti-spam legislation.
Please note that on 12 June 2020, the Quebec government introduced Bill 64, An Act to modernize legislative provisions as regards the protection of personal information ('Bill 64'). Bill 64 has been adopted in principle on 20 October 2020 by the National Assembly and is currently being reviewed by the Committee of Institutions. Once adopted, Bill 64 will result in significant changes to various laws in order to modernise the regulatory framework for the protection of personal data in Quebec.
This Guidance Note has been drafted to take into consideration the significant changes that will be introduced by Bill 64. It is subject to change to reflect amendments to the current draft of Bill 64.
1. GOVERNING TEXTS
At the provincial level, the Act Respecting the Protection of Personal Information in the Private Sector, CQLR P-39.1 ('the Quebec Private Sector Act') regulates the collection, use, and disclosure of personal information by private organisations (referred to as 'enterprises'). Private organisations at the federal level are regulated by the Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA').
The Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information, CQLR c. A-2.1 ('the Quebec Access Act') regulates the collection, use, and disclosure of personal information by public bodies and provides individuals with a right to access their personal information.
Canada's Anti-Spam Legislation, SC 2010 c 23 ('CASL') also regulates commercial marketing activities.
Other provincial statutes include provisions relevant to data-protection, such as the Act to Establish a Legal Framework for Information Technology, c. C-1.1 ('the Quebec Information Technology Act'), which includes specific requirements for the collection, use, and disclosure of biometric data.
The focus of this summary will be on the Quebec Private Sector Act and the Quebec Access Act, with limited information on PIPEDA and the CASL. Click here for further information on PIPEDA and the CASL.
The Quebec Commission on Access to Information ('CAI') publishes guidance material on its website to inform both the public and organisations about their rights and responsibilities under Quebec's privacy laws. Most information is published in French, but some is available in English as illustrated below:
- Biometrics: Principles and Legal Duties of Organizations;
- Pandemic, privacy and protection of personal information;
- Loss or theft of personal information: How should you react? Checklist for citizens; and
- Rules for use of surveillance cameras with recording in public places by public bodies.
The statutory framework in Quebec is supplemented at the federal level by guidance documents from the Office of the Privacy Commissioner ('OPC') and the Canadian Radio-television and Telecommunications Commission ('CRTC'), in relation to the CASL.
1.3. Case law
The following findings and decisions are among the recent and notable findings by the CAI (2014-2021):
- PIPEDA Report of Findings #2021-001;
- CAI #1020846-S – Investigation into Fédération des caisses Desjardins du Québec (only available in French here);
- CAI #1019951-S – Investigation into Ivanhoé Cambridge Inc. and Innovations Galilei 2 (only available in French here);
- CAI #1018507-S – Investigation into Les 3 Pilliers (only available in French here);
- CAI #1005977-S – Investigation into Bell Mobilité (only available in French here);
- CAI #1009621-S and 1009629-S – Investigation into Confédération des syndicats nationaux (only avaliable in French here), about use and disclosure of personal data published on social networks as part of a union campaign without the consent of the data subject;
- CAI #1007894-S – Investigation into Centre de service partagés du Québec et Secrétariat du Conseil du Trésor (only avaliable in French here), about collection of SIN to submit an online application);
- CAI #1006934-S – Investigation into Thomson Tremblay Inc. (only avaliable in French here), about collection of SIN at the pre-employment stage – see also CAI #1005625-S – Investigation into Hunt Personnel (only avaliable in French here), about collection of social Security number;
- CAI #1011820-S – Investigation into Ville de Québec (only avaliable in French here), about use of drones; and
- CAI #080272-S – Investigation into Garderie Coeur d'Enfant Inc. (only avaliable in French here), about use of videosurveillance.
2. SCOPE OF APPLICATION
Quebec Private Sector Act and PIPEDA
The Quebec Private Sector Act applies to the collection, use, or disclosure (referred to as 'communication') of personal information within the province by 'any person carrying on an enterprise'. Unlike PIPEDA, the Quebec Private Sector Act applies irrespective of whether an activity is commercial in nature.
Furthermore, the Quebec Private Sector Act applies to such information whatever the nature of its medium and whatever the form in which it is accessible, whether written, graphic, taped, filmed, computerised, or other.
PIPEDA applies to the collection, use, or disclosure of personal information by an organisation in the course of commercial activities or in respect of personal information about an employee of (or an applicant for employment with) the organisation and that the organisation uses or discloses in connection with the operation of a federal work, undertaking, or business (such as banks, telecommunications companies, shipping companies and railways). PIPEDA also applies when the personal information is disclosed over provincial or international borders.
Questions often arise on whether the Quebec Private Sector Act, or both, may apply to a given activity. The answers depend on the circumstances of each case.
Quebec Access Act
The Quebec Access Act applies to documents kept by a public body in the exercise of its duties and to documents kept by a professional order to the extent provided by the Professional Code. The Quebec Access Act regulates the collection, use, and disclosure of personal information by public bodies and professional orders and provides individuals with a right to access their personal information.
Furthermore, the Quebec Access Act applies whether the document is recorded in writing or print, on sound tape or film, in computerised form, or otherwise.
The CASL regulates, among other things, the sending of commercial electronic messages such as promotional and marketing messages, to and from Canada. It prohibits the sending of commercial electronic messages unless express or implied consent is obtained, or an exception is applicable, and prescribed requirements are met.
Quebec Private Sector Act
The Quebec Private Sector Act is silent with respect to its extraterritorial application. However, in the joint investigation of Clearview AI (referred above), the CAI has considered that, even if the system and the enterprise are outside of Quebec, by offering its services and by collecting and using personal information within the limits of the province, the enterprise operates a business in Quebec. Consequently, it is subject to the legislation applicable in the jurisdiction in which it operates, i.e. the Quebec Private Sector Act.
Quebec Access Act
The Quebec Access Act is silent about is territorial scope.
Quebec Private Sector Act
The Quebec Private Sector Act applies to 'any person carrying on an enterprise', which means an organised economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property, or providing a service.
It also applies to personal information held by a professional order to the extent provided for by the Professional Code.
The Quebec Private Sector Act does not apply to:
- journalistic, historical or genealogical material collected, held, used, or disclosed for the legitimate information of the public;
- a public body within the meaning of the Quebec Access Act;
- information held on behalf of a public body by a person other than a public body; and
- personal information concerning the performance of duties within an enterprise by the person concerned, such as the person's name, title and duties, as well as the address, email address, and telephone number of the person's place at work.
Quebec Access Act
The Quebec Access Act applies to documents kept by a public body and to documents held by a professional order.
The Quebec Access Act does not apply to:
- the acts and the register of civil status;
- the registers and other documents kept in registry offices for publication purposes;
- the register referred to in Chapter II of the Quebec Access Act respecting the legal publicity of enterprises, c. P-44.1;
- private archives referred to in Section 27 of the Archives Act, A-21.1; or
- documents contained in a file:
- 1) respecting the adoption of a person held by a public body; or
- 2) held by the Public Curator on a person whom he represents or whose property he administers, except in certain circumstances to allow the CAI to exercise specifics duties.
The Quebec Access Act does not apply in specific requirements for the user's record according to the An Act Respecting Health Services and Social Services (Revised Statutes of Quebec chapter. S-4.2), or also in certain circumstances set out in specific laws.
3.1. Main regulator for data protection
The CAI is the regulatory authority overseeing the application of the Quebec Private Sector Act and the Quebec Access Act. The CAI sometimes works collaboratively with the OPC and other provincial and territorial privacy commissioners on investigations and policy matters.
PIPEDA is administered by the OPC, while the CASL is administered by the CRTC, the Competition Bureau Canada, and the OPC.
3.2. Main powers, duties and responsibilities
The CAI consists of two divisions: the oversight division and the adjudication division.
The main functions of the CAI's oversight division are to 1) oversee the carrying out of the Quebec Private Sector Act and Quebec Access Act and 2) ensure compliance with and promotion of the principles of access to documents and the protection of personal information.
To that end, the CAI can inquire into the application of the Quebec Private Sector Act and Quebec Access Act and the degree to which these laws are observed. These investigations can be made on its own initiative or following a complaint from an interested person.
At the end of the investigation, after giving to the enterprise or to the public body an opportunity to submit written observations, the CAI may:
- under the Quebec Private Sector Act:
- recommend or order the application of such remedial measures as are appropriate to ensure the protection of the personal information. If, within a reasonable time after issuing an order in respect of a person who carries on an enterprise, the CAI considers that appropriate measures have not been taken in response, it may publish a notice to inform the public thereof. Any person having a direct interest may appeal from an order issued following an inquiry.
- under the Quebec Access Act:
- recommend or order to take the measures the CAI considers appropriate. If, within a reasonable time after making a recommendation to a public body or after making an order, the CAI considers that appropriate measures have not been taken to implement the recommendation, it may notify the Government or, if it deems it expedient, submit a special report to the National Assembly or set out the situation in its annual report. A person directly interested can appeal the order issued following an investigation to a judge of the Court of Québec.
The CAI may also:
- approve agreements entered into between public bodies;
- give its opinion on the draft regulations submitted to it under the Quebec Access Act, on draft agreements on the transfer of information and on draft orders authorising the establishment of confidential files;
- see to it that the confidentiality of personal information contained in files held by public bodies respecting the adoption of a person is respected;
- see to it that the confidentiality of personal information contained in files held by the Public Curator on persons whom he represents or whose property he administers is respected; and
- approve the governance rules regarding personal information submitted by the personal information manager.
In the exercise of its oversight functions, the CAI may authorise members of its personnel or any other persons to act as inspectors.
The CAI's adjudication division decides applications for review made under the Quebec Access Act and applications for examination of disagreements made under the Quebec Private Sector Act, to the exclusion of any other court.
Upon receiving an application, the CAI must give the parties an opportunity to submit their observations.
The CAI has all the powers necessary for the exercise of its jurisdiction; it may make every order it considers appropriate to protect the rights of the parties, and decide on every matter of fact or of law.
Under the Quebec Private Sector Act, the CAI may, in particular, order an organisation to disclose or rectify personal information or refrain from doing so. Under the Quebec Access Act, the CAI may, in particular, order a public body to release a document or part of a document, refrain from doing so, correct, complete, clarify, update or delete any personal information, or discontinue the use or the release of personal information.
The CAI must make its decision within three months after the matter is taken under advisement, unless the chair extends that time limit for valid reasons.
Every decision of the CAI on a question of fact within its jurisdiction is final.
A person directly interested may bring an appeal from the final decision of the CAI before a judge of the Court of Québec on a question of law or jurisdiction, or, with leave of a judge of that Court, from an interlocutory decision that will not be remedied by the final decision.
4. KEY DEFINITIONS
Data controller: 'Data controller' is not expressly defined under Quebec privacy laws. The entities considered to be in control of, and accountable for, compliance with privacy law requirements are referred to as 'persons carrying on an enterprise' pursuant to the Quebec Private Sector Act and 'public bodies' pursuant to the Quebec Access Act.
Sensitive data: Personal information is deemed sensitive if, 'due to its nature of the context of its use or release, it entails a high level of reasonable expectation of privacy'. Sensitive information requires express consent and must be safeguarded by a higher level of protection.
Biometric data: 'Biometric data' is not defined under Quebec privacy laws. However, the Quebec Information Technology Act regulates the collection, use, and disclosure of 'biometric characteristics or measurements'.
Pseudonymisation: 'Pseudonymisation' is not specifically defined under Quebec privacy laws. However, the Quebec Private Sector Act provides that personal information is 'anonymized' if it irreversibly no longer allows the person to be identified directly or indirectly. Furthermore, personal information is de-identified if it no longer allows the person concerned to be directly identified.
Data subject: Data subject is not defined under Quebec privacy laws, which refer to 'individuals'.
5. LEGAL BASES
Under Quebec's privacy laws, except where an exemption is applicable, consent is required for each such purpose, in clear and simple language and separately from any other information provided to the person concerned. Furthermore, consent must be clear, free, and informed and given for specific purposes. Consent is valid only for the time necessary to achieve the purposes for which it was requested. It can be withdrawn for the use or disclosure of the information collected.
Consent must be given expressly when it concerns sensitive personal information. Although not expressly stated in the Quebec Private Sector Act, it is understood that implied consent is permissible for non-sensitive personal information.
The Quebec Information Technology Act also requires express consent for biometric data.
In order to obtain valid consent, organisations must be transparent about their practices and must disclose information specified by law, when the information is collected and, subsequently, upon request.
Please see section 5.1 above regarding express and implied consent. Contracts may include or incorporate express consent, or give rise to a basis for implied consent, depending on the circumstances.
Quebec's privacy laws permit organisations to collect, use, and disclose personal information without consent where required by law and to disclose information, for example:
- when information is required for the purposes of the prosecution of an offence under an Act applicable in Quebec; or
- for the prevention, detection or repression of crime or statutory offences, if the information is needed for the prosecution of an offence under an Act applicable in Quebec.
Furthermore, under the Quebec Private Sector Act, an organisation may also disclose personal information, without consent, in the following circumstances, subject to some conditions:
- for the application of a collective agreement;
- for the recovery of debts;
- for carrying out a mandate or performing a contract of enterprise or for services entrusted; or
- for a commercial transaction.
The Quebec Private Sector Act permits organisations to collect personal information without consent if it has a serious and legitimate reason and either of the following conditions is fulfilled:
- the information is collected in the interest of the person concerned and cannot be collected from him in due time; or
- collection from a third person is necessary to ensure the accuracy of the information.
Furthermore, both the Quebec Private Sector Act and the Quebec Access Act permit organisations to disclose personal information, without consent, to a person to whom the information must be disclosed:
- by reason of the urgency of a situation that threatens the life, health, or safety of the person concerned; or
- in order to prevent an act of violence, including a suicide, where there is reasonable cause to believe that there is a serious risk of death or serious bodily injury threatening a person or an identifiable group of persons and where the nature of the threat generates a sense of urgency. In this case only the personal information which is necessary to achieve the purposes for which the information is communicated may be disclosed. Such information may be disclosed to any person exposed to the danger or that person's representative, and to any person who can come to that person's aid.
Please see sections 5.3 and 5.4 above, illustrating some instances where public interest may constitute a legal basis.
Consent is not required in certain circumstances as listed in sections 6, 18, 18.1, 18.3 and 18.4 of the Quebec Private Sector Act and sections 59, 59.1, 60 and 67.2.1 (study, research purposes, production of statistics) of the Quebec Access Act.
A number of these cases are mentioned above.
The Quebec Private Sector Act requires organisations to comply with the following requirements:
- accountability: organisations are responsible for protecting the personal information in their custody. Among other things, they must :
- establish and implement governance policies and practice regarding personal information that ensure the protection of such information; and
- publish a confidentiality policy, if applicable, on the organisation's website.
- identifying purposes;
- limiting collection ('serious and legitimate reason' and 'only the information necessary for the purposes determined before collecting it');
- consent and information of the person concerned;
- limiting use, disclosure and retention;
- safeguards / confidentiality;
- individual access; and
- respond to request for access to personal information, and for rectification, submitted by data subjects.
The Quebec Access Act requires public bodies to comply with the same requirements.
7. CONTROLLER AND PROCESSOR OBLIGATIONS
Organisations are not required to notify or register with the regulatory authorities under privacy laws in Canada.
An organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.
Before disclosing personal information outside of Quebec, an organisation must conduct an assessment of privacy-related factors, taking into account:
- The sensitivity of the information;
- The purposes for which it is used;
- The protection measures that would apply to it; and
- The legal framework applicable in the State in which the information would be disclosed, including the legal framework's degree of equivalency with Quebec's privacy laws.
The information may only be transferred outside of Quebec if the assessment establishes that it would receive an equivalent level of protection.
The disclosure of the information is subject to a written agreement that takes into account the results of the assessment and, if applicable, the terms agreed on to mitigate the risks identified in the assessment.
While consent is not required to transfer personal information outside of the province, an individual must be informed of the possibility that the information could be disclosed outside of Quebec.
The Quebec Access Act has the same requirements.
There is no general obligation for private-sector organisations to maintain data processing records.
However, an organisation must establish and implement privacy governance policies and practices. Such policies and practices must provide a framework for the keeping and destruction of the information, define the roles and responsibilities of the staff members throughout the life cycle of the information, and provide a process for dealing with complaints regarding the protection of the information. These policies must be published on the enterprise's website or, if the enterprise does not have a website, made available by any other appropriate means.
Moreover, certain record keeping is specifically required in respect of confidentiality incidents as noted below.
Private-sector organisations must conduct an 'assessment of privacy-related factors' in the following circumstances:
- with respect to any information system project or electronic service delivery project involving the collection, use, disclosure, keeping or destruction of personal information;
- before disclosing personal information outside of Quebec; and
- to disclose personal information without consent to a person or body wishing to use the information for study or research purposes or for the production of statistics.
The Quebec Access Act requires the same requirements.
Under the Quebec Private Sector Act, the person exercising the highest authority within the organisation has the responsibility to ensure that the law is implemented and complied with. That person exercises the function of 'person in charge of the protection of personal information' (conveniently referred to thereafter as 'Privacy Officer'). All or part of this function may be delegated in writing to a staff member.
Contact details for this person or the person to whom the role is delegated must be published on the company's website or, in the absence of a website, made available by any other appropriate means.
Under the Quebec Access Act, the person exercising the highest authority within a public body has the responsibility to ensure that the law is implemented and complied with. That person exercises the functions of 'person in charge of access to documents' and 'person in charge of the protection of personal information'. All or part of this function may be delegated in writing to a member of the public body or of its board of directors, or to a manager. The public body must notify the CAI in writing of the title, contact information and starting date of the person exercising these functions, as soon as possible.
Furthermore, a committee is responsible for supporting the body in the exercise of its responsibilities and the performance of its obligations under the Quebec Access Act.
There is a general obligation for data breach notification (referred to as a 'confidentiality incident') in Québec. The term 'confidentiality incident' refers to:
- unauthorised access, use, or disclosure of personal information; and
- loss of personal information or any other breach in the protection of that information.
When there is reason to believe that a confidentiality incident has occurred, the organisation must take reasonable steps to reduce the risk of injury and to prevent new incidents of the same nature.
In the event of an incident involving a risk of serious injury, the organisation must notify the CAI, as well as any person whose personal information is concerned by the incident (unless doing so would hamper an investigation conducted by a person or body responsible by law for the prevention, detection, or repression of crime or statutory offence). The organisation may also notify any person or body that could reduce the risk, by disclosing to the person or body only the personal information necessary for that purpose without the consent of the person concerned. In the latter case, the person in charge of the protection of personal information must record the disclosure of the information.
In assessing the risk of injury, the following factors must be considered:
- the sensitivity of the information;
- the anticipated consequences of its use; and
- the likelihood that it will be used for injurious purposes.
Organisations must keep a register of confidentiality incidents, which must be sent to the CAI upon request.
When a confidentiality incident is brought to its attention, the CAI may order any person, after giving him the opportunity to submit observations, to take any measure to protect the rights of the persons concerned, for the time and on the conditions the CAI determines.
An organisation that contravenes the Quebec Private Sector Act's breach notification provisions may be:
- found guilty of an offence and liable to a fine not exceeding CAD 25,000,000 (approx. €16,667,130), or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year (doubled in case of a subsequent offence); or
- be condemned to pay a monetary administrative penalty not exceeding CAD 10,000,000 (approx. €6,666,850) or, if greater, the amount corresponding to 2% of worldwide turnover for the preceding fiscal year.
Under the Quebec Access Act, anyone who fails to report, where required to do so, a confidentiality incident to the CAI or to the persons concerned, commits an offence and is liable to a fine of CAD 1,000 (approx. €670) to CAD 10,000 (approx. €6,670) in the case of a natural person and of CAD 3,000 (approx. €2,000) to CAD 30,000 (approx. €20,000) in all other cases. And anyone who, for example, 1) impedes the progress of an inquiry or inspection of the CAI or the hearing of an application by the CAI by providing it with false or inaccurate information, by omitting to provide information it requires or otherwise or 2) fails to comply with an order of the CAI commits an offence and is liable to a fine of CAD 5,000 (approx. €3,330) to CAD 50,000 (approx. €33,330) in the case of a natural person and of CAD 15,000 (approx. €10,000) to CAD 150,000 (approx. €100,000) in all other cases.
Under Quebec's privacy laws, personal information must be retained only for as long as necessary to fulfil the purposes for which it was collected or used, after which the organisation must destroy or anonymise the information, subject to any preservation period provided for by law.
However, personal information used to make a decision in relation to a person must be kept for at least one year following the decision. Moreover, if the organisation refuses to grant a request for access or rectification, the information that is the subject of the request must be kept for such time as is necessary to allow the person concerned to exhaust the recourses provided by law.
Under Quebec's privacy laws, personal information concerning a child (under 14 years of age) may not be collected from him without the consent of the person having parental authority, unless collecting the information is clearly for the minor's benefit.
Consent to the processing of a child's personal information is given by the person having parental authority. When a minor is 14 years of age or over, consent is given by the minor or by the person having parental authority.
The Quebec Access Act has the same requirements.
Quebec's privacy laws do not contain specific provisions regarding the processing of special categories of information. However, the application of these laws will vary in their application depending on whether information is sensitive and whether there are other statutes that may permit or restrict the processing of such information.
An organisation is responsible for the protection of the personal information in its possession of custody, including information that has been transferred to a third party for processing.
When personal information is transferred by the organisation to a third party to 'carry out a mandate or perform a contract of enterprise or for services entrusted to that person or body' (subsequently referred as a 'third party processor'), the organisation must:
- entrust the mandate or contract in writing; and
- specify the measures that must be taken to protect the confidentiality of the personal information, to ensure that the information is used only for carrying out the mandate or performing the contract and to ensure that the information is not kept after the expiry of the mandate or contract.
The third-party processor must notify the organisation's Privacy Officer without delay of any violation or attempted violation by any person of any obligation concerning the confidentiality of the information disclosed, and must also allow the organisation's Privacy Officer to conduct any verification relating to confidentiality requirements.
8. DATA SUBJECT RIGHTS
The Quebec Private Sector Act generally requires the knowledge and consent of the individual, except in certain circumstances where consent is not required. Organisations must be open and transparent about their practices and inform individuals about the information collected, used, and disclosed and the purposes for the processing of such information.
Individuals have a general right to obtain access to their personal information held by organisations. Access requests must be processed in accordance with the applicable statute, within prescribed timeframes.
The organisation must give the reasons for any refusal to grant a request and indicate the provision of law on which the refusal is based, the remedies available to the applicant under this Act, and the time limit for exercising them. If the applicant so requests, the organisation's Privacy Officer must also help him understand the refusal.
An individual may, if personal information concerning him is inaccurate, incomplete or equivocal, or if collecting, disclosing or keeping it are not authorised by law, require that the information be rectified.
The organisation must give the reasons for any refusal to grant a request and indicate the provision of law on which the refusal is based, the remedies available to the applicant under this Act and the time limit for exercising them. If the applicant so requests, the organisation's Privacy Officer must also help him understand the refusal.
Under the Quebec Private Sector Act, an individual may require an organisation to:
- cease disseminating personal information about him or her;
- de-index any hyperlink that provides access to that information, if the dissemination contravenes the law or a court order; and
- re-index any hyperlink that provides access to that information.
Such a request may be made when the following conditions are met:
- the dissemination of this information causes the person serious injury in relation to the person's right to respect of his or her reputation or privacy;
- the injury is clearly greater than the public interest in knowing the information or the right to free expression (the balance of convenience criterion); and
- the remedy requested does not exceed what is necessary to prevent the perpetuation of the injury.
In assessing the balance of convenience criterion, the following, in particular, must be taken into account:
- the fact that the person concerned is a public figure;
- the fact that the person concerned is a minor;
- the fact that the information is up to date and accurate;
- the sensitivity of the information;
- the context in which the information is disseminated;
- the time elapsed between the dissemination of the information and the request made under this section; and
- where the information concerns a criminal or penal procedure, the obtaining of a pardon or the application of a restriction on the accessibility of records of the courts of justice.
Individuals have the right to submit complaints to organisations, to withdraw consent (subject to some limitations), and to file complaints with the CAI. Although not expressly stated in the Quebec Private Sector Act, it is understood that implied consent is permissible for non-sensitive personal information.
Under the Quebec Private Sector Act, an individual may request a copy of computerized personal information in the form of a written and intelligible transcript. Unless doing so raises serious practical difficulties, computerised personal information collected from the applicant must, at his request, be disclosed to him in a structured, commonly used technological format. The information must also be disclosed, at the applicant's request, to any person or body authorised by law to collect such information.
Under the Quebec Private Sector Act, an organisation using personal information to render a decision based exclusively on an automated processing of such information must, at the time of or before the decision, inform the individual concerned accordingly.
Upon request, the individual must also be informed of:
- the personal information used to render the decision;
- the reasons and the principal factors and parameters that led to the decision; and
- the right of the person concerned to have the personal information used to render the decision corrected.
The individual must be given the opportunity to submit observations to a staff member who is in a position to review the decision.
The Quebec Access Act has the same requirements.
In addition to the others rights mentioned therein, it should be noted that the spouse or a close relative of a deceased person may request personal information concerning the deceased if the following conditions are met:
- knowledge of the information could help the applicant in the grieving process; and
- if the deceased person did not record in writing his refusal to grant such a right of access.
The CAI has the power to impose monetary administrative penalties and to issue fines for penal offences.
Under the Quebec Private Sector Act, monetary administrative penalties may be imposed on organisations for the following reasons:
- failure to adequately inform the individuals;
- unlawful collection, use, disclosure or destruction of personal information;
- failure to report a confidentiality incident; and
- failure to inform individuals concerned by a decision based exclusively on an automated process or failure to provide individuals an opportunity to submit observations
The maximum amount of the monetary administrative penalty is CAD 50,000 (approx. €33,330) (for individuals) and CAD 10,000,000 (approx. €66,670) (for businesses) or, if greater, 2% of worldwide turnover for the preceding year.
Under the Quebec Private Sector Act, the CAI may institute penal proceedings for the following offences, among others:
- unlawful collection, use or disclosure to third persons;
- failure to report a confidentiality incident;
- identification or attempt to identify a natural person using de-identified information without authorisation;
- impeding the progress of an inquiry or inspection of the CAI or the hearing of an application by the CAI by providing it with false or inaccurate information, by omitting to provide information it requires or otherwise; and
- failure to comply with an order of the CAI.
The maximum amount of the fine for a penal offence is of CAD 5,000 (approx. €3,330) to CAD 50,000 (approx. €33,330) in the case of a natural person and, in all other cases, of CAD 15,000 (approx. €15,000) to CAD 25,000,000 (approx. €16,667,130), or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year. In the event of a subsequent offence, the fines are doubled.
The Quebec Private Sector Act also provides for a private right of action, allowing individuals to be compensated for the injury resulting from the unlawful infringement of their rights, unless the injury results from superior force. Where the infringement is intentional or results from a gross fault, the court shall also award punitive damages of at least CAD 1,000 (approx. €670).
The penal provisions of the Quebec Private Sector Act have never been enforced to date. This being said, the significant increase in the penalties provided (recently introduced by Bill 64) send the signal that the penal provisions may play an important role in the enforcement of Quebec's privacy law regime.
The monetary administrative penalties introduced by Bill 64 are new, thus no enforcement decisions have been rendered yet.