Quebec - Data Protection Overview

March 2024

1. Governing Texts

Privacy law in the Province of Quebec is comprised of various federal and provincial statutes. These laws include privacy laws of general application for both private and public organizations, as well as sector-specific statutes and related laws, such as anti-spam legislation.

Please note that on September 21, 2021, the National Assembly passed an Act to modernize legislative provisions as regards the protection of personal information ('Act 25', formerly known as 'Bill 64'). Act 25 provides for an entry into force period of over three years, but most of the provisions entered into force in September 2023. Act 25 has resulted in significant amendments to various laws in order to modernize the regulatory framework for the protection of personal data in Quebec.

1.1. Key acts, regulations, directives, bills

At the provincial level, the Act Respecting the Protection of Personal Information in the Private Sector, CQLR P-39.1 ('the Quebec Private Sector Act') regulates the collection, use, and disclosure of personal information by private organizations (referred to as 'enterprises'). At the federal level, private organizations are regulated by the Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA').

The Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information, CQLR c. A-2.1 ('the Quebec Access Act') regulates the collection, use, and disclosure of personal information by public bodies and provides individuals with a right of access to their personal information.

Canada's Anti-Spam Legislation, SC 2010 c 23 ('CASL') also regulates commercial marketing activities.

Other provincial laws include privacy provisions, such as the Act to Establish a Legal Framework for Information Technology, c. C-1.1 ('the Quebec Information Technology Act'), which includes specific requirements for the collection, use, and disclosure of biometric data.

The focus of this Guidance Note will be on the Quebec Private Sector Act and the Quebec Access Act, with limited information on PIPEDA and the CASL.

1.2. Guidelines

The Quebec Commission on Access to Information ('CAI') publishes guidance materials on its website to inform both the public and organizations of their rights and obligations under Quebec's privacy laws, including the following:

  • the Evolving Space – Modernization of Laws (only available in French here);

  • the Guidelines on the Criteria for Valid Consent (only available in French here);

  • Guide: Carrying out a Privacy Impact Assessment (only available in French here); and

  • Explanatory Guide for Businesses: Drafting a Privacy Policy (only available in French here).

Most of the information is published in French, but some is available in English as illustrated below:

Additionally, the Quebec Tribunal administrative du logement published guidelines on leases and protection of personal information.

The Quebec regulatory framework is supplemented at the federal level by guidance documents relating to the CASL issued by the Office of the Privacy Commissioner of Canada ('OPC') and the Canadian Radio-television and Telecommunications Commission ('CRTC').

1.3. Case law

The following findings and decisions are among the recent and notable findings by the CAI (2014-2023):

  • CAI #111310-S – Investigation into Rogers, about the collection of social security numbers and driver's licenses (only available in French here);

  • CAI #1016217-S – Investigation into Compagnie Selenis Canada, about the use of a biometric time clock (only available in French here);

  • CAI #1005645-S – Investigation into Transplant Québec, on certain practices of the organization (only available in French here);

  • CAI #1023158-S – Investigation into Clearview AI Inc., on the practices of the organization with respect to the collection and use of images of people from photos posted on the Internet (only available in French here);

  • PIPEDA Report of Findings #2021-001 ('Report 2021-001') (see also CAI #1023158-S (only available in French here) for an order made following PIPEDA Report #2021-001);

  • CAI #1020846-S – Investigation into Fédération des caisses Desjardins du Québec (only available in French here);

  • CAI #1019951-S – Investigation into Ivanhoé Cambridge Inc. and Innovations Galilei 2 (only available in French here);

  • CAI #1018507-S – Investigation into Les 3 Pilliers (only available in French here);

  • CAI #1005977-S – Investigation into Bell Mobilité (only available in French here);

  • CAI #1009621-S and 1009629-S – Investigation into Confédération des syndicats nationaux, about use and disclosure of personal data published on social networks as part of a union campaign without the consent of the data subject (only available in French here);

  • CAI #1007894-S – Investigation into Centre de service partagés du Québec et Secrétariat du Conseil du Trésor, about collection of Social Insurance Numbers ('SIN') to submit an online application (only available in French here);

  • CAI #1006934-S – Investigation into Thomson Tremblay Inc. (only available in French here), about the collection of SIN at the pre-employment stage (see also CAI #1005625-S – Investigation into Hunt Personnel about the collection of social security numbers (only available in French here));

  • CAI #1011820-S – Investigation into Ville de Québec, about the use of drones (only available in French here); and

  • CAI #080272 – Investigation into Garderie Coeur d'Enfant Inc., about the use of video surveillance (only available in French here).

2. Scope of Application

2.1. Personal scope

Quebec Private Sector Act

The Quebec Private Sector Act applies to the collection, use, or disclosure (referred to as 'communication') of personal information within the province by 'any person carrying on an enterprise', whether such information is held by the enterprise itself or by a third party. Unlike PIPEDA, the Quebec Private Sector Act applies regardless of whether an activity is commercial in nature.

Furthermore, the Quebec Private Sector Act applies to such information regardless of its medium and regardless of the form in which it is accessible, whether written, graphic, recorded, filmed, computerized, or otherwise.

PIPEDA

PIPEDA applies to the collection, use, or disclosure of personal information by an organization in the course of its commercial activities, or in respect of personal information that is about an employee of the organization (or an applicant for employment with the organization) and that the organization uses or discloses in connection with the operation of a federal work, undertaking, or business (such as banks, telecommunications companies, shipping companies, and railways). PIPEDA also applies when the personal information is disclosed across provincial or international borders.

Questions often arise as to whether the Quebec Private Sector Act or PIPEDA applies to a particular activity. The answers depend on the circumstances of each case.

Quebec Access Act

The Quebec Access Act applies to documents held by a public body in the exercise of its functions and to documents held by a professional order to the extent provided for in the Professional Code. The Quebec Access Act regulates the collection, use, and disclosure of personal information by public bodies and professional orders and provides individuals with a right of access to their personal information.

Furthermore, the Quebec Access Act applies whether the document is recorded in writing or in print, on sound tape or film, in computerized form, or otherwise.

CASL

The CASL regulates, among other things, the sending of commercial electronic messages, such as promotional and marketing messages, to and from Canada. It prohibits the sending of commercial electronic messages unless express or implied consent is obtained, or an exemption applies, and prescribed requirements are met.

2.2. Territorial scope

Quebec Private Sector Act

The Quebec Private Sector Act is silent with respect to its extraterritorial application. However, in the joint investigation of Clearview AI under Report #2021-001, the CAI considered that, even if the system and the enterprise are located outside of Quebec, by offering its services and by collecting and using personal information within the limits of the province, the enterprise operates a business in Quebec.

Consequently, it is subject to the legislation in force in the jurisdiction in which it operates, in this case, the Quebec Private Sector Act (see CAI #1023158-S, only available in French here).

Quebec Access Act

The Quebec Access Act is silent on its territorial scope.

2.3. Material scope

Quebec Private Sector Act

The Quebec Private Sector Act applies to 'any person carrying on an enterprise', which means an organized economic activity, whether or not it is commercial in nature, consisting of the production, management, or sale of property or the provision of a service.

It also applies to personal information held by a professional order to the extent provided for in the Professional Code, and to personal information held by a political party, an independent Member of Parliament, or an independent candidate, to the extent provided for in the Election Act.

The Quebec Private Sector Act does not apply to:

  • personal information relating to the performance of the individual's duties within an enterprise by the person concerned, such as the individual's name, title, and duties, as well as the address, email address, and telephone number of the individual's place of work;

  • journalistic, historical, or genealogical material collected, held, used, or disclosed for the legitimate information of the public;

  • a public body within the meaning of the Quebec Access Act; and

  • information held by a person other than a public body on behalf of a public body.

Quebec Access Act

The Quebec Access Act applies to documents held by a public body and to documents held by a professional order.

The Quebec Access Act does not apply to:

  • the civil status acts and registers;

  • the registers and other documents kept by registry offices for publication purposes;

  • the register referred to in Chapter II of the Quebec Access Act for the Act Respecting the Legal Publicity of Enterprises, c. P-44.1;

  • private archives referred to in Section 27 of the Archives Act, A-21.1; or

  • documents contained in a file:

    • relating to the adoption of a person held by a public body; or

    • held by the Public Curator on a person whom they represent or whose property they manage, except in certain circumstances to allow the CAI to carry out specific duties.

The Quebec Access Act does not apply to specific requirements for the user's records pursuant to An Act Respecting Health Services and Social Services (Revised Statutes of Quebec, chapter S-4.2), or in certain circumstances set out in specific laws.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The CAI is the regulatory authority that oversees the application of the Quebec Private Sector Act and the Quebec Access Act. The CAI sometimes works collaboratively with the OPC and other provincial and territorial privacy commissioners on investigations and policy matters.

PIPEDA is administered by the OPC, while the CASL is administered by the CRTC, the Competition Bureau of Canada, and the OPC.

3.2. Main powers, duties and responsibilities

The CAI consists of two divisions: the Oversight Division and the Adjudication Division.

Oversight Division

The main functions of the CAI's Oversight Division are to monitor the implementation of the Quebec Private Sector Act and the Quebec Access Act, and to ensure that the principles of access to documents and the protection of personal information are respected and promoted.

To this end, the CAI may investigate the application of the Quebec Private Sector Act and the Quebec Access Act and the degree of compliance with these acts. These investigations may be carried out on its own initiative or on the basis of a complaint from any person.

At the end of the investigation, and after giving to the enterprise or to the public body an opportunity to submit written observations, the CAI may:

  • Under the Quebec Private Sector Act:

    • recommend or order the application of such remedial measures as are appropriate to ensure the protection of the personal information. If, within a reasonable time after issuing an order with respect to a person who operates an enterprise, the CAI is of the opinion that appropriate measures have not been taken, it may publish a notice to inform the public thereof. Any person with a direct interest may appeal against an order issued following an investigation;

  • Under the Quebec Access Act:

    • recommend or order the adoption of measures that the CAI considers appropriate. If, within a reasonable time after making a recommendation to a public body or after issuing an order, the CAI considers that appropriate measures have not been taken to implement the recommendation, it may notify the Government of Quebec or, if it deems it appropriate, submit a special report to the National Assembly or set out the situation in its annual report. A person directly interested can appeal the order issued following an investigation to a judge of the Court of Quebec.

The CAI may also:

  • Under the Quebec Private Sector Act:

    • require the production of any information or documents (Sections 80.3 and 81.3);

    • order any person involved in a confidentiality incident to take any action to protect the rights of the individuals involved, including an order that the compromised personal information be returned to the business or be destroyed (Section 81.4);

    • enter into an undertaking with a business to remedy a breach or mitigate its consequences (Section 90.1); and

    • develop guidelines to assist in the administration of the Quebec Private Sector Act.

  • Under the Quebec Access Act:

    • approve agreements entered into between public bodies;

    • give its opinion on the draft regulations submitted to it under the Quebec Access Act, on draft agreements on the transfer of information, and on draft orders authorizing the creation of confidential files;

    • ensure that the confidentiality of personal information contained in the files of public bodies relating to the adoption of a person is respected;

    • ensure that the confidentiality of personal information contained in the files of the Public Curator concerning the persons they represent or whose property they manage is respected;

    • approve the governance rules regarding personal information submitted by the personal information manager;

    • require the production of any information or document;

    • order any person involved in a privacy incident to take any action to protect the rights of the individuals involved, including ordering the return or destruction of the compromised personal information;

    • prohibit a person from making an application without the approval of the president and upon such terms and conditions as the president determines; and

    • develop guidelines to assist in the administration of the Quebec Access Act.

In exercising its oversight functions, the CAI may authorize members of its staff or any other persons to act as inspectors.

Adjudication Division

The CAI's Adjudication Division hears applications for review made under the Quebec Access Act and applications for review of disputes made under the Quebec Private Sector Act, to the exclusion of any other court. Upon receipt of an application, the CAI must give the parties an opportunity to present their observations, including through a mediation process.

The CAI has all the powers necessary to exercise its jurisdiction; it may issue any order it deems appropriate to protect the rights of the parties and may rule on any question of fact or of law. In particular, under the Quebec Private Sector Act, the CAI may order an organization to disclose or rectify personal information or to refrain from doing so. Furthermore, under the Quebec Access Act, the CAI may order a public body to disclose or refrain from disclosing a document or part of a document, to correct, complete, clarify, update, or delete personal information, or to cease the use or disclosure of personal information.

The CAI shall make its decision within three months of the date on which the matter was brought before it, unless the Chairperson extends that period for valid reasons. Any decision of the CAI on a question of fact within its jurisdiction is final.

A person directly interested may bring an appeal from the final decision of the CAI to a judge of the Court of Quebec on a question of law or jurisdiction, or, with leave of a judge of that court, from an interlocutory decision that will not be remedied by the final decision.

4. Key Definitions

Data controller: 'Data controller' is not explicitly defined in the Quebec privacy laws. The entities considered to be in control of, and responsible for complying with, the privacy law requirements are referred to as 'persons carrying on an enterprise' pursuant to the Quebec Private Sector Act and 'public bodies' pursuant to the Quebec Access Act.

Data processor: 'Data processor' is not defined in the Quebec privacy laws, although they refer to 'mandatary' or 'person performing a contract'.

Personal data: 'Personal information' is defined as information relating to a natural person and that directly or indirectly allows that person to be identified.

Sensitive data: Personal information is deemed sensitive if, 'due to its nature, in particular medical, biometric, or otherwise intimate information or the context of its use or communication, it entails a high level of reasonable expectation of privacy'. Sensitive information requires explicit consent and is subject to a higher level of protection.

Health data: 'Health data' is not defined in the Quebec privacy laws.

Biometric data: 'Biometric data' is not defined in the Quebec privacy laws. However, the Quebec Information Technology Act regulates the collection, use, and disclosure of 'biometric characteristics or measurements'.

Pseudonymization: 'Pseudonymization' is not specifically defined in the Quebec privacy laws. However, the Quebec Private Sector Act provides that personal information is 'anonymized' when it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows the individual to be identified directly or indirectly. In addition, personal information is 'de-identified' when it no longer allows the individual to be directly identified.

Data subject: 'Data subject' is not defined in the Quebec privacy laws, which refer to 'person concerned' instead.

5. Legal Bases

5.1. Consent

Under Quebec's privacy laws, unless an exception applies, consent is required. To be valid, consent must be clear, free, and informed, and given for specific purposes. Consent must be requested for each such purpose, in clear and simple language and, if requested in writing, separately from any other information provided to the individual. Consent is valid only for the time necessary to achieve the purposes for which it is requested. It may be withdrawn with respect to the use or disclosure of the information collected.

Consent must be expressly given for sensitive personal information. Although not explicitly stated in the Quebec Private Sector Act, it is understood that implied consent is permitted for non-sensitive personal information. The Quebec Information Technology Act also requires explicit consent for biometric data.

To obtain valid consent, organizations must be transparent about their practices and must disclose the information required by the law at the time the information is collected and subsequently upon request.

5.2. Contract with the data subject

Please see the section above on consent for information on express and implied consent. Contracts may contain or incorporate express consent or provide a basis for implied consent, depending on the circumstances.

5.3. Legal obligations

Quebec's privacy laws allow organizations to collect, use, and disclose personal information without consent where required by law, for example:

  • when the information is required for the purpose of prosecuting an offense under an act applicable in Quebec; or

  • for the prevention, detection, or suppression of crime or statutory offenses, if the information is required for the purposes of the prosecution of an offense under an act applicable in Quebec.

Furthermore, under the Quebec Private Sector Act, an organization may also disclose personal information, without consent, in the following circumstances, subject to certain conditions:

  • for the application of a collective agreement;

  • for the collection of debts;

  • for carrying out a mandate or performing a contract of enterprise or for services entrusted; or

  • for a commercial transaction.

5.4. Interests of the data subject

The Quebec Private Sector Act allows an organization to collect personal information without consent if it has a serious and legitimate reason, and either of the following conditions is met:

  • the information is collected in the interest of the individual concerned and cannot be obtained from them in a timely manner; or

  • collection from a third party is necessary to ensure the accuracy of the information.

Furthermore, both the Quebec Private Sector Act and the Quebec Access Act allow organizations to use personal information without consent when such use is clearly for the benefit of the individual.

Both acts also permit organizations to disclose personal information, without consent, to a person to whom the information must be disclosed:

  • due to the urgency of a situation that threatens the life, health, or safety of the individual; or

  • in order to prevent an act of violence, including a suicide, where there are reasonable grounds to believe that there is a serious risk of death or serious bodily injury threatening an individual or an identifiable group of individuals, and where the nature of the threat generates a sense of urgency. In this case, only the personal information that is necessary to achieve the purposes for which the information is provided may be disclosed; such information may be disclosed to any person exposed to the risk or that person's representative, and to any person who can come to that person's aid.

5.5. Public interest

Please see the sections above on legal obligations and data subject interests, which illustrate some instances where the public interest may provide a legal basis.

5.6. Legitimate interests of the data controller

Consent is not required in certain circumstances listed in Sections 6, 12, 18, 18.3, and 18.4 of the Quebec Private Sector Act and Sections 59, 59.1, 60, 65.1, and 67.2.1 (study, research, compilation of statistics) of the Quebec Access Act.

Some of these cases are mentioned above.

5.7. Legal bases in other instances

Not applicable.

6. Principles

The Quebec Private Sector Act requires organizations to comply with the following requirements:

  • accountability: organizations are responsible for protecting the personal information in their custody, and they must, among other things:

    • establish and implement governance policies and practices regarding personal information that ensure the protection of such information; and

    • publish a privacy policy, if applicable, on the organization's website;

  • identify purposes;

  • limitation of collection: 'serious and legitimate reason' and 'only the information necessary for the purposes determined before collecting it';

  • consent and notice to the individual;

  • limits on use, disclosure, and retention;

  • accuracy;

  • safeguards/confidentiality;

  • individual access; and

  • responding to requests for access to personal information and rectification of personal information made by individuals.

The Quebec Access Act requires public bodies to comply with the same requirements.

7. Controller and Processor Obligations

7.1. Data processing notification

Every personal information agent ('Agent') carrying on an enterprise in Quebec must be registered with the CAI (Section 70 of the Quebec Private Sector Act). An Agent is a person who, on a commercial basis, personally or through a representative, establishes files on other persons and prepares and communicates to third parties credit reports bearing on the character, reputation, or solvency of the persons to whom the information contained in such files relates (Section 70 of the Quebec Private Sector Act).

The CAI maintains a register of all Agents ('the Register'), which includes, for each Agent, its name, address and email address, and the title and contact information of the Privacy Officer (Section 74 of the Quebec Private Sector Act). The Register shall be available for public consultation during the regular business hours of the CAI. The CAI shall provide, free of charge, to any person who so requests, any extract from the Register concerning an Agent, which may also be consulted on the website of the CAI (only available in French here).

Applications for registration shall be made in accordance with the procedure established by the CAI and shall be accompanied by the fees prescribed by regulation. An application must contain, in particular, the following information (Section 72 of the Quebec Private Sector Act):

  • the name, address, and email address of the Agent and, in the case of a legal person, the address of its head office and the names and addresses of its directors;

  • the address, email address, and telephone number of each establishment of the Agent in Québec;

  • the title and contact information of the Privacy Officer;

  • the method of operation provided for in Section 71 of the Quebec Private Sector Act;

  • the code of conduct provided for in Section 78 of the Quebec Private Sector Act; and

  • the other measures taken to ensure the confidentiality and security of personal information in accordance with the Quebec Private Sector Act.

Each Agent must notify the CAI of any change in the information provided upon registering no later than 30 days after the change. Where applicable, the Agent must also promptly inform the CAI of the expected termination of its activities (Section 72(2) of the Quebec Private Sector Act). The application form (only available in French here) may be submitted by mail or electronically.

Each Agent must establish and apply a method of operation that ensures that the information communicated by them is up-to-date and accurate and is communicated in accordance with the law (Section 71 of the Quebec Private Sector Act), as well as rules of conduct that allow any person to whom personal information held by the Agent relates, to have access to the information according to a procedure that ensures the protection of the information, and to cause the information to be rectified (Section 78 of the Quebec Private Sector Act).

Furthermore, each Agent must inform the public, on its website or, if the Agent does not have a website, by other appropriate means (Section 79 of the Quebec Private Sector Act):

  • of the fact that the Agent holds personal information relating to other persons, that the Agent communicates credit reports concerning the character, reputation, or solvency of the persons to whom the personal information relates to persons with whom the Agent is bound by contract, and of the fact that the Agent receives from the latter personal information relating to other persons;

  • the rights of access and rectification which the persons concerned may exercise under the amended act with respect to the personal information the Agent holds; and

  • the information provided for in Section 72(3) to (6) of the Quebec Private Sector Act.

7.2. Data transfers

An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.

Before disclosing personal information outside of Quebec, an organization must conduct a privacy impact assessment, taking into account:

  • the sensitivity of the information;

  • the purposes for which it will be used;

  • the safeguards that would apply to it, including contractual measures; and

  • the legal framework applicable in the jurisdiction where the information would be disclosed, including the degree of adequacy of the legal framework with Quebec's privacy laws.

The information may be disclosed outside of Quebec only if the assessment determines that it would receive an adequate level of protection. The transfer of the information is subject to a written agreement that takes into account the results of the assessment and, if applicable, the terms agreed upon to mitigate the risks identified in the assessment. While consent is not required to transfer personal information outside of the province, an individual must be informed of the possibility that the information may be disclosed outside of Quebec.

The Quebec Access Act has the same requirements.

7.3. Data processing records

There is no general requirement for private-sector organizations to maintain data processing records.

However, an organization must establish and implement privacy governance policies and practices. Such policies and practices must provide a framework for the retention and disposal of the information, define the roles and responsibilities of employees throughout the life cycle of the information, and provide a process for handling complaints regarding the protection of the information. Detailed information about these policies must be published on the enterprise's website in clear and simple language or, if the enterprise does not have a website, must be made available by any other appropriate means.

Moreover, certain record-keeping is specifically required with respect to confidentiality incidents as noted below.

7.4. Data protection impact assessment

Private-sector organizations must conduct a privacy impact assessment in the following circumstances:

  • in connection with the acquisition, development, and overhaul of any information system or electronic service delivery system that involves the collection, use, disclosure, storage, or destruction of personal information (Section 3.3 of the Quebec Private Sector Act);

  • before disclosing personal information outside of Quebec (Section 17 of the Quebec Private Sector Act) (see section above on Data Transfers); and

  • before disclosing personal information, without consent, to a person or body that intends to use the information for study or research purposes or for the compilation of statistics (Section 21 of the Quebec Private Sector Act).

The Quebec Access Act has the same requirements.

7.5. Data protection officer appointment

Under the Quebec Private Sector Act, the person exercising the highest authority within the organization has the responsibility to ensure that the law is implemented and complied with. This person exercises the function of the 'person in charge of the protection of personal information' ('Privacy Officer'). All or part of this function may be delegated in writing. In addition, a committee is responsible for assisting the body in the exercise of its responsibilities and the fulfillment of its obligations under the Quebec Access Act.

Finally, the contact details of the Privacy Officer or the person to whom this function is delegated must be published on the company's website or, in the absence of a website, made available by any other appropriate means.

7.6. Data breach notification

In Quebec, there is a general obligation to report a data breach (referred to as a 'confidentiality incident'). The term 'confidentiality incident' refers to:

  • the unauthorized access, use, or disclosure of personal information; and

  • the loss of personal information or any other breach of the security of that information.

When there is reason to believe that a confidentiality incident has occurred, the organization must take reasonable steps to reduce the risk of harm and to prevent new incidents of the same nature. In the event of an incident involving a risk of serious harm, the organization must notify the CAI and any person whose personal information is affected by the incident, unless doing so would impede an investigation conducted by a person or body responsible by law for the prevention, detection, or suppression of crime or statutory offense. The organization may also notify any person or body that could mitigate the risk, by disclosing to that person or body, without the individual's consent, only the personal information necessary to do so. In the latter case, the Privacy Officer must record the disclosure of the information.

In assessing the risk of harm, the following factors must be considered:

  • the sensitivity of the information;

  • the anticipated consequences of its use; and

  • the likelihood that it will be used for harmful purposes.

Organizations must keep a register of confidentiality incidents, which must be sent to the CAI upon request. When a confidentiality incident is brought to its attention, the CAI may order any person, after giving them the opportunity to submit their observations, to take any measure to protect the rights of the individuals, for the time and under the conditions determined by the CAI, including the return of the compromised personal information to the organization or its destruction.

An organization that contravenes the Quebec Private Sector Act's breach notification provisions may be:

  • found guilty of an offense and fined not more than CAD 25 million (approx. $18.5 million) or 4% of its worldwide turnover for the preceding fiscal year, whichever is greater (doubled for a subsequent offense); or

  • condemned to pay an administrative fine not exceeding CAD 10 million (approx. $7.4 million) or 2% of its worldwide turnover for the preceding fiscal year, whichever is greater.

Under the Quebec Access Act, anyone who fails to report a breach of confidentiality to the CAI or to the persons concerned when required to do so commits an offense and is liable to a fine of CAD 1,000 (approx. $740) to CAD 10,000 (approx. $7,400) in the case of a natural person, and of CAD 3,000 (approx. $2,220) to CAD 30,000 (approx. $22,220) in all other cases. Moreover, anyone who, for example, impedes the progress of an inquiry or inspection of the CAI or the hearing of an application by the CAI by providing it with false or inaccurate information, by failing to provide information requested by the CAI or otherwise, or fails to comply with an order of the CAI, commits an offense and is liable to a fine of CAD 5,000 (approx. $3,700) to CAD 100,000 (approx. $74,070) in the case of a natural person and of CAD 15,000 (approx. $11,110) to CAD 150,000 (approx. $111,110) in all other cases.

7.7. Data retention

Under Quebec's privacy laws, personal information may be retained only for as long as necessary to fulfil the purposes for which it was collected or used, after which the organization must destroy or anonymize the information to use it for serious and legitimate purposes, subject to any retention period required by law.

However, personal information used to make a decision about an individual must be kept for at least one year after the decision is made. Moreover, if the organization refuses to grant a request for access or rectification, the information that is the subject of the request must be kept for as long as is necessary to allow the individual to exhaust the remedies provided by law.

7.8. Children's data

Under Quebec's privacy laws, personal information concerning a child (under 14 years of age) may not be collected from the child without the consent of the person having parental authority or the child's guardian, unless the collection of the information is clearly for the minor's benefit. If a minor is 14 years of age or older, consent is given by the minor or by the person with parental authority or their guardian.

The Quebec Access Act has the same requirements.

7.9. Special categories of personal data

Quebec's privacy laws do not contain specific provisions regarding the processing of special categories of information. However, the application of these laws will vary depending on whether the information is sensitive and whether there are other laws that may permit or restrict the processing of such information.

7.10. Controller and processor contracts

An organization is responsible for protecting the personal information it holds, including information that has been transferred to a third party for processing.

If the organization discloses personal information to a third party for the purpose of 'carrying out a mandate or performing a contract of enterprise or for services entrusted to that person or body' ('third party processor'), the organization must:

  • entrust the mandate or contract in writing; and

  • specify the measures to be taken to protect the confidentiality of the personal information, to ensure that the information is used only for the purposes of carrying out the mandate or performing the contract, and to ensure that the information is not retained once the mandate or contract has expired.

The third-party processor shall immediately notify the organization's Privacy Officer of any breach or attempted breach by any person of any obligation to maintain the confidentiality of the information disclosed and shall also allow the organization's Privacy Officer to conduct any review of the confidentiality requirements.

8. Data Subject Rights

8.1. Right to be informed

The Quebec Private Sector Act generally requires the knowledge and consent of the individual, except in certain circumstances where consent is not required. Organizations must be open and transparent about their practices and inform individuals about the information collected, used, and disclosed, and the purposes for which such information is processed.

8.2. Right to access

Individuals have a general right to obtain access to their personal information held by organizations. Access requests must be dealt with in accordance with the applicable law and within prescribed time limits.

The organization must state the reasons for any refusal to comply with a request and indicate the provision of law on which the refusal is based, the remedies available to the applicant under the Quebec Private Sector Act, and the time limit for exercising them. If the applicant so requests, the organization's Privacy Officer must also help them understand the refusal.

8.3. Right to rectification

An individual may, if personal information concerning them is inaccurate, incomplete, or equivocal, or if collecting, disclosing, or keeping it is not authorized by law, require that the information be rectified.

The organization must give the reasons for any refusal to grant a request and indicate the provision of law on which the refusal is based, the remedies available to the applicant under the Quebec Private Sector Act, and the time limit for exercising them. If the applicant so requests, the organization's Privacy Officer must also help them understand the refusal.

8.4. Right to erasure

Under the Quebec Private Sector Act, an individual may require an organization to:

  • cease disseminating personal information about them;

  • de-index any hyperlink that provides access to that information, if the dissemination violates the law or a court order; and

  • re-index any hyperlink that provides access to that information.

Such a request may be made when the following conditions are met:

  • the dissemination of such information would cause the person serious harm in relation to the person's right to respect of their reputation or privacy;

  • the harm is clearly greater than the public’s interest in knowing the information or the right to freedom of expression (the balance of convenience criterion); and

  • the relief sought does not exceed what is necessary to prevent the continuation of the injury.

In assessing the balance of convenience criterion, the following, in particular, must be taken into account:

  • the fact that the person concerned is a public figure;

  • the fact that the information concerns the person when they are a minor;

  • the fact that the information is up-to-date and accurate;

  • the sensitivity of the information;

  • the context in which the information is disseminated;

  • the time elapsed between the dissemination of the information and the request made; and

  • where the information concerns a criminal or penal procedure, the obtaining of a pardon or the application of a restriction on the accessibility of records of the courts of justice.

8.5. Right to object/opt-out

Individuals have the right to submit complaints to organizations, to withdraw consent (subject to some limitations), and to file complaints with the CAI. Although not explicitly stated in the Quebec Private Sector Act, it is understood that implied consent is permitted for non-sensitive personal information.

8.6. Right to data portability

Under the Quebec Private Sector Act, an individual may request a copy of computerized personal information in the form of a written and intelligible transcript.

Unless there are serious practical difficulties in doing so, computerized personal information collected from the applicant (and not information created or derived from their personal information) must, at their request, be disclosed to them in a structured, commonly used technological format. The information must also be disclosed, at the applicant's request, to any person or body authorized by law to collect such information.

8.7. Right not to be subject to automated decision-making

Under the Quebec Private Sector Act, an organization that uses personal information to make a decision based solely on the automated processing of such information must, at the latest at the time the decision is communicated to the individual, inform the individual accordingly. Upon request, the individual must also be informed of:

  • the personal information used to reach the decision;

  • the reasons and the main factors and parameters that led to the decision; and

  • the right of the person concerned to have the personal information used to make the decision corrected.

The individual must be given the opportunity to submit observations to a staff member who is in a position to review the decision.

The Quebec Access Act has the same requirements.

8.8. Other rights

In addition to the other rights mentioned therein, it should be noted that both the Quebec Private Sector Act and the Quebec Access Act require organizations to disclose, in advance, their use of technology that can identify, locate, or profile users, and then provide users with the means to activate the identification, location, or profiling features. 'Profiling' is defined as the collection and use of personal information to assess certain characteristics of a natural person, such as work performance, economic situation, health, personal preferences, interests, or behavior.

Also of note, the spouse or a close relative of a deceased person may request personal information concerning the deceased if the following conditions are met:

  • knowledge of the information could help the applicant in the grieving process; and

  • the deceased person did not record in writing their refusal to grant such a right of access.

9. Penalties

The CAI has the power to impose monetary administrative penalties and to issue fines for penal offenses. Under the Quebec Private Sector Act, monetary administrative penalties may be imposed on organizations for the following reasons:

  • failure to adequately notify the individuals;

  • unlawful collection, use, disclosure, retention, or destruction of personal information;

  • failure to report a confidentiality incident;

  • failure to take the necessary security measures to ensure the protection of the personal information; and

  • failure to notify individuals concerned by a decision based exclusively on an automated process or failure to provide individuals an opportunity to submit observations.

The maximum amount of the monetary administrative penalty is CAD 50,000 (approx. $37,030) (for individuals) and CAD 10 million (approx. $7.4 million) (for businesses) or 2% of the previous year's worldwide turnover, whichever is greater.

Businesses may acknowledge their non-compliance with applicable laws and enter into an undertaking with the CAI to remedy the non-compliance or mitigate its consequences. If such an undertaking is accepted by the CAI and complied with, the business may not be subject to a monetary administrative penalty with respect to the acts or omissions covered by the undertaking.

Under the Quebec Private Sector Act, the CAI may institute penal proceedings, within five years of the commission of the offense, for the following offenses, among others:

  • unlawful collection, use, disclosure, retention, or destruction of personal information;

  • failure to report a confidentiality incident;

  • failure to take the necessary security measures to ensure the protection of the personal information;

  • identifying or attempting to identify a natural person using de-identified information without authorization;

  • impeding the progress of an inquiry or inspection by the CAI or the hearing of an application by the CAI by providing it with false or inaccurate information, by failing to provide information requested by the CAI, or otherwise; and

  • failure to comply with an order of the CAI.

The fine for a penal offense is CAD 5,000 (approx. $3,700) to CAD 100,000 (approx. $74,050) in the case of a natural person and, in all other cases, CAD 15,000 (approx. $11,100) to CAD 25 million (approx. $18.5 million) or 4% of worldwide turnover in the preceding fiscal year, whichever is greater. In the event of a repeat violation, the fines will be doubled.

The Quebec Private Sector Act also provides that where an individual has suffered an injury as a result of an unlawful infringement of the rights conferred by the Quebec Private Sector Act or by Sections 35 to 40 of the Quebec Civil Code, and where the violation is intentional or results from gross fault, the court shall also award punitive damages of at least CAD 1,000 (approx. $740).

9.1. Enforcement decisions

The penal provisions of the Quebec Private Sector Act have never been enforced to date. However, the significant increase in the penalties provided (recently introduced by Act 25) sends a signal that the penal provisions may play an important role in the enforcement of Quebec's privacy law regime.

The administrative monetary penalties introduced by Act 25 are new, and no enforcement decisions have yet been issued.