Quebec - Data Protection Overview

Under Review

This note is being updated based on some of the provisions of Bill 64 entering into effect

May 2022

1. Governing Texts

Data protection law in the province of Quebec is comprised of various federal and provincial statutes. These laws include data protection statutes of general application for both private and public organisations, as well as sector-specific statutes and related laws, such as anti-spam legislation.

Please note that on 21 September 2021, the National Assembly adopted the Act to modernize legislative provisions as regards the protection of personal information ('Law 25', formerly known as 'Bill 64'). Law 25 provides for an entry into force over three years, but most of the provisions will enter into force in September 2023. Law 25 resulted in significant changes to various laws in order to modernise the regulatory framework for the protection of personal data in Quebec. Amendment 57 of the Adopted Amendments to Law 25 ('the Amendments')

This Guidance Note has been drafted to take into consideration the significant changes introduced by Law 25.

1.1. Key acts, regulations, directives, bills

At the provincial level, the Act Respecting the Protection of Personal Information in the Private Sector, CQLR P-39.1 ('the Quebec Private Sector Act') regulates the collection, use, and disclosure of personal information by private organisations (referred to as 'enterprises'). Private organisations at the federal level are regulated by the Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA').

The Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information, CQLR c. A-2.1 ('the Quebec Access Act') regulates the collection, use, and disclosure of personal information by public bodies and provides individuals with a right to access their personal information.

Canada's Anti-Spam Legislation, SC 2010 c 23 ('CASL') also regulates commercial marketing activities.

Other provincial statutes include provisions relevant to data protection, such as the Act to Establish a Legal Framework for Information Technology, c. C-1.1 ('the Quebec Information Technology Act'), which includes specific requirements for the collection, use, and disclosure of biometric data.

The focus of this Guidance Note will be on the Quebec Private Sector Act and the Quebec Access Act, with limited information on PIPEDA and the CASL.

1.2. Guidelines

The Quebec Commission on Access to Information ('CAI') publishes guidance material on its website to inform both the public and organisations about their rights and responsibilities under Quebec's privacy laws, including the following:

  • the Evolving Space – Bill 64 (only available in French here); and
  • Privacy Officer guidance (only available in French here).

Most information is published in French, but some is available in English as illustrated below:

The statutory framework in Quebec is supplemented at the federal level by guidance documents from the Office of the Privacy Commissioner of Canada ('OPC') and the Canadian Radio-television and Telecommunications Commission ('CRTC'), in relation to the CASL.

1.3. Case law

The following findings and decisions are among the recent and notable findings by the CAI (2014-2021):

  • PIPEDA Report of Findings #2021-001 ('Report 2021-001') (see also CAI #1023158-S (only available in French here) for an order made following PIPEDA Report #2021-001);
  • CAI #1020846-S – Investigation into Fédération des caisses Desjardins du Québec (only available in French here);
  • CAI #1019951-S – Investigation into Ivanhoé Cambridge Inc. and Innovations Galilei 2 (only available in French here);
  • CAI #1018507-S – Investigation into Les 3 Pilliers (only available in French here);
  • CAI #1005977-S – Investigation into Bell Mobilité (only available in French here); 
  • CAI #1009621-S and 1009629-S – Investigation into Confédération des syndicats nationaux, about use and disclosure of personal data published on social networks as part of a union campaign without the consent of the data subject (only available in French here);
  • CAI #1007894-S – Investigation into Centre de service partagés du Québec et Secrétariat du Conseil du Trésor, about collection of Social Insurance Numbers ('SIN') to submit an online application (only available in French here);
  • CAI #1006934-S – Investigation into Thomson Tremblay Inc. (only available in French here), about the collection of SIN at the pre-employment stage (see also CAI #1005625-S – Investigation into Hunt Personnel about the collection of social security numbers (only available in French here));
  • CAI #1011820-S – Investigation into Ville de Québec, on the use of drones (only available in French here); and
  • CAI #080272 – Investigation into Garderie Coeur d'Enfant Inc., about the use of video surveillance (only available in French here).

2. Scope of Application

2.1. Personal scope

Quebec Private Sector Act 

The Quebec Private Sector Act applies to the collection, use, or disclosure (referred to as 'communication') of personal information within the province by 'any person carrying on an enterprise', whether such information is kept by the enterprise itself or through a third-party. Unlike PIPEDA, the Quebec Private Sector Act applies irrespective of whether an activity is commercial in nature.

Furthermore, the Quebec Private Sector Act applies to such information whatever the nature of its medium and whatever the form in which it is accessible, whether written, graphic, taped, filmed, computerised, or other.

PIPEDA

PIPEDA applies to the collection, use, or disclosure of personal information by an organisation in the course of commercial activities or in respect of personal information about an employee of (or an applicant for employment with) the organisation and that the organisation uses or discloses in connection with the operation of a federal work, undertaking, or business (such as banks, telecommunications companies, shipping companies and railways). PIPEDA also applies when the personal information is disclosed over provincial or international borders.

Questions often arise on whether the Quebec Private Sector Act or PIPEDA may apply to a given activity. The answers depend on the circumstances of each case.

Quebec Access Act

The Quebec Access Act applies to documents kept by a public body in the exercise of its duties and to documents kept by a professional order to the extent provided by the Professional Code. The Quebec Access Act regulates the collection, use, and disclosure of personal information by public bodies and professional orders and provides individuals with a right to access their personal information.

Furthermore, the Quebec Access Act applies whether the document is recorded in writing or print, on sound tape or film, in computerised form, or otherwise.

CASL

The CASL regulates, among other things, the sending of commercial electronic messages such as promotional and marketing messages, to and from Canada. It prohibits the sending of commercial electronic messages unless express or implied consent is obtained, or an exception is applicable, and prescribed requirements are met.

2.2. Territorial scope

Quebec Private Sector Act

The Quebec Private Sector Act is silent with respect to its extraterritorial application. However, in the joint investigation of Clearview AI under Report 2021-001, the CAI has considered that, even if the system and the enterprise are outside of Quebec, by offering its services and by collecting and using personal information within the limits of the province, the enterprise operates a business in Quebec.

Consequently, it is subject to the legislation applicable in the jurisdiction in which it operates, i.e. the Quebec Private Sector Act (see CAI #1023158-S only available in French here). 

Quebec Access Act

The Quebec Access Act is silent about its territorial scope.

2.3. Material scope

Quebec Private Sector Act

The Quebec Private Sector Act applies to 'any person carrying on an enterprise', which means an organised economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property, or providing a service.

It also applies to personal information held by a professional order to the extent provided for by the Professional Code and to personal information held by a political party, an independent deputy or an independent candidate to the extent provided for by the Election Act.

The Quebec Private Sector Act does not apply to:

  • personal information concerning the performance of duties within an enterprise by the person concerned, such as the person's name, title, and duties, as well as the address, email address, and telephone number of the person's place of work;
  • journalistic, historical, or genealogical material collected, held, used, or disclosed for the legitimate information of the public;
  • a public body within the meaning of the Quebec Access Act; and
  • information held on behalf of a public body by a person other than a public body.

Quebec Access Act

The Quebec Access Act applies to documents kept by a public body and to documents held by a professional order.

The Quebec Access Act does not apply to:

  • the acts and the register of civil status;
  • the registers and other documents kept in registry offices for publication purposes;
  • the register referred to in Chapter II of the Quebec Access Act for the Act Respecting the Legal Publicity of Enterprises, c. P-44.1;
  • private archives referred to in Section 27 of the Archives Act, A-21.1; or
  • documents contained in a file:
    • respecting the adoption of a person held by a public body; or
    • held by the Public Curator on a person whom they represent or whose property they administer, except in certain circumstances to allow the CAI to exercise specific duties.

The Quebec Access Act also does not apply with respect to specific requirements for the user's record under the Act Respecting Health Services and Social Services (Revised Statutes of Quebec chapter S-4.2), nor in certain circumstances set out in specific laws.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The CAI is the regulatory authority overseeing the application of the Quebec Private Sector Act and the Quebec Access Act. The CAI sometimes works collaboratively with the OPC and other provincial and territorial privacy commissioners on investigations and policy matters.

PIPEDA is administered by the OPC, while the CASL is administered by the CRTC, the Competition Bureau Canada, and the OPC.

3.2. Main powers, duties and responsibilities

The CAI consists of two divisions: the oversight division and the adjudication division.

Oversight division

The main functions of the CAI's oversight division are to oversee the carrying out of the Quebec Private Sector Act and Quebec Access Act, and to ensure compliance with and promotion of the principles of access to documents and the protection of personal information.

To that end, the CAI can inquire into the application of the Quebec Private Sector Act and Quebec Access Act and the degree to which these laws are observed. These investigations can be made on its own initiative or following a complaint from any person.

At the end of the investigation, after giving to the enterprise or to the public body an opportunity to submit written observations, the CAI may:

  • Under the Quebec Private Sector Act:
    • recommend or order the application of such remedial measures as are appropriate to ensure the protection of the personal information. If, within a reasonable time after issuing an order in respect of a person who carries on an enterprise, the CAI considers that appropriate measures have not been taken in response, it may publish a notice to inform the public thereof. Any person having a direct interest may appeal from an order issued following an inquiry.
  • Under the Quebec Access Act:
    • recommend or order that the measures the CAI considers appropriate be taken. If, within a reasonable time after making a recommendation to a public body or after making an order, the CAI considers that appropriate measures have not been taken to implement the recommendation, it may notify the Government of Quebec or, if it deems it expedient, submit a special report to the National Assembly or set out the situation in its annual report. A person directly interested can appeal the order issued following an investigation to a judge of the Court of Quebec.

The CAI may also:

  • Under the Quebec Private Sector Act:
    • require the production of any information or document (Sections 81.2 and 83.1 of the Quebec Privacy Act (as amended by Act 25));
    • order any person involved in a confidentiality incident to take any measure to protect the rights of the individuals concerned, including an order that the compromised personal information be returned to the business or be destroyed (Section 81.3 of the Quebec Privacy Act (as amended by Act 25));
    • enter into an undertaking with a business to remedy a contravention or mitigate its consequences (Section 90.1 of the Quebec Privacy Act (as amended by Act 25)); and
    • develop guidelines to assist in the administration of the Quebec Private Sector Act.
  • Under the Quebec Access Act:
    • approve agreements entered into between public bodies;
    • give its opinion on the draft regulations submitted to it under the Quebec Access Act, on draft agreements on the transfer of information and on draft orders authorising the establishment of confidential files;
    • see to it that the confidentiality of personal information contained in files held by public bodies respecting the adoption of a person is respected;
    • see to it that the confidentiality of personal information contained in files held by the Public Curator on persons whom they represent or whose property they administer is respected;
    • approve the governance rules regarding personal information submitted by the personal information manager;
    • require the production of any information or document;
    • order any person involved in a confidentiality incident to take any measure to protect the rights of the individuals concerned, including an order that the compromised personal information be returned or be destroyed;
    • prohibit a person from making an application without the approval of the president and on such terms as the president determines; and
    • develop guidelines to assist in the administration of the Quebec Access Act.

In the exercise of its oversight functions, the CAI may authorise members of its personnel or any other persons to act as inspectors.

Adjudication division

The CAI's adjudication division decides applications for review made under the Quebec Access Act and applications for examination of disagreements made under the Quebec Private Sector Act, to the exclusion of any other court.

Upon receiving an application, the CAI must give the parties an opportunity to submit their observations, including through a mediation process.

The CAI has all the powers necessary for the exercise of its jurisdiction; it may make every order it considers appropriate to protect the rights of the parties, and decide on every matter of fact or of law.

Under the Quebec Private Sector Act, the CAI may, in particular, order an organisation to disclose or rectify personal information or refrain from doing so. Under the Quebec Access Act, the CAI may, in particular, order a public body to release a document or part of a document, refrain from doing so, correct, complete, clarify, update or delete any personal information, or discontinue the use or the release of personal information.

The CAI must make its decision within three months after the matter is taken under advisement, unless the chair extends that time limit for valid reasons.

Every decision of the CAI on a question of fact within its jurisdiction is final.

A person directly interested may bring an appeal from the final decision of the CAI before a judge of the Court of Quebec on a question of law or jurisdiction, or, with leave of a judge of that Court, from an interlocutory decision that will not be remedied by the final decision.

4. Key Definitions

Data controller: 'Data controller' is not expressly defined under Quebec privacy laws. The entities considered to be in control of, and accountable for, compliance with privacy law requirements are referred to as 'persons carrying on an enterprise' pursuant to the Quebec Private Sector Act and 'public bodies' pursuant to the Quebec Access Act.

Data processor: 'Data processor' is not defined under Quebec privacy laws, although they refer to 'mandatary' or 'person performing a contract'.

Personal data: 'Personal information' is defined as information which relates to a natural person and allows that person to be identified directly or indirectly.

Sensitive data: Personal information is deemed sensitive if, 'due to its nature (including medical, biometric or otherwise intimate information) or the context of its use or release, it entails a high level of reasonable expectation of privacy'. Sensitive information requires express consent and must be safeguarded by a higher level of protection.

Health data: 'Health data' is not defined under Quebec privacy laws.

Biometric data: 'Biometric data' is not defined under Quebec privacy laws. However, the Quebec Information Technology Act regulates the collection, use, and disclosure of 'biometric characteristics or measurements'.

Pseudonymisation: 'Pseudonymisation' is not specifically defined under Quebec privacy laws. However, the Quebec Private Sector Act provides that personal information is 'anonymized' if it is at all times reasonable to expect in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly. Furthermore, personal information is de-identified if it no longer allows the person concerned to be directly identified.

Data subject: Data subject is not defined under Quebec privacy laws, which refer to 'person concerned'.

5. Legal Bases

5.1. Consent

Under Quebec's privacy laws, except where an exemption is applicable, consent is required. To be valid, consent must be clear, free, and informed and given for specific purposes. Consent must be requested for each such purpose, in clear and simple language and, if solicited in writing, separately from any other information provided to the person concerned. Consent is valid only for the time necessary to achieve the purposes for which it was requested. It can be withdrawn for the use or disclosure of the information collected.  

Consent must be given expressly when it concerns sensitive personal information. Although not expressly stated in the Quebec Private Sector Act, it is understood that implied consent is permissible for non-sensitive personal information.

The Quebec Information Technology Act also requires express consent for biometric data.

In order to obtain valid consent, organisations must be transparent about their practices and must disclose information specified by law, when the information is collected and, subsequently, upon request.

5.2. Contract with the data subject

Please see section on consent above regarding express and implied consent. Contracts may include or incorporate express consent, or give rise to a basis for implied consent, depending on the circumstances.

5.3. Legal obligations

Quebec's privacy laws permit organisations to collect, use, and disclose personal information without consent where required by law, for example:

  • when information is required for the purposes of the prosecution of an offence under an Act applicable in Quebec; or
  • for the prevention, detection or repression of crime or statutory offences, if the information is needed for the prosecution of an offence under an Act applicable in Quebec.

Furthermore, under the Quebec Private Sector Act, an organisation may also disclose personal information, without consent, in the following circumstances, subject to some conditions:

  • for the application of a collective agreement;
  • for the recovery of debts;
  • for carrying out a mandate or performing a contract of enterprise or for services entrusted; or
  • for a commercial transaction.

5.4. Interests of the data subject

The Quebec Private Sector Act permits organisations to collect personal information without consent if they have a serious and legitimate reason and either of the following conditions is fulfilled:

  • the information is collected in the interest of the person concerned and cannot be collected from them in due time; or
  • collection from a third person is necessary to ensure the accuracy of the information.

Furthermore, both the Quebec Private Sector Act and the Quebec Access Act permit organisations to use personal information without consent where such use is clearly for the person's benefit.

Both Acts also permit organisations to disclose personal information, without consent, to a person to whom the information must be disclosed:

  • by reason of the urgency of a situation that threatens the life, health, or safety of the person concerned; or
  • in order to prevent an act of violence, including a suicide, where there is reasonable cause to believe that there is a serious risk of death or serious bodily injury threatening a person or an identifiable group of persons and where the nature of the threat generates a sense of urgency - in this case only the personal information which is necessary to achieve the purposes for which the information is communicated may be disclosed; such information may be disclosed to any person exposed to the danger or that person's representative, and to any person who can come to that person's aid.

5.5. Public interest

Please see sections on legal obligations and interests of the data subject above, illustrating some instances where public interest may constitute a legal basis.

5.6. Legitimate interests of the data controller

Consent is not required in certain circumstances as listed in Sections 6, 12, 18, 18.3 and 18.4 of the Quebec Private Sector Act (as amended by Act 25) and Sections 59, 59.1, 60, 65.1 and 67.2.1 (study, research purposes, production of statistics) of the Quebec Access Act.

A number of these cases are mentioned above.

5.7. Legal bases in other instances

Not applicable.

6. Principles

The Quebec Private Sector Act requires organisations to comply with the following requirements:

  • accountability: organisations are responsible for protecting the personal information in their custody, and they must, among other things:
    • establish and implement governance policies and practices regarding personal information that ensure the protection of such information; and
    • publish a confidentiality policy, if applicable, on the organisation's website;
  • identifying purposes;
  • limiting collection: ('serious and legitimate reason' and 'only the information necessary for the purposes determined before collecting it');
  • consent and information of the person concerned;
  • limiting use, disclosure and retention;
  • accuracy;
  • safeguards / confidentiality;
  • individual access; and
  • responding to requests for access to personal information, and for rectification, submitted by data subjects.

The Quebec Access Act requires public bodies to comply with the same requirements.

7. Controller and Processor Obligations

7.1. Data processing notification

Organisations are not required to notify or register with the regulatory authorities under privacy laws in Canada.

7.2. Data transfers

An organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.

Before disclosing personal information outside of Quebec, an organisation must conduct an assessment of privacy-related factors, taking into account:

  • the sensitivity of the information;
  • the purposes for which it is used;
  • the protection measures that would apply to it, including contractual measures; and
  • the legal framework applicable in the jurisdiction in which the information would be disclosed, including the legal framework's degree of adequacy with Quebec's privacy laws.

The information may only be transferred outside of Quebec if the assessment establishes that it would receive an adequate level of protection.

The disclosure of the information is subject to a written agreement that takes into account the results of the assessment and, if applicable, the terms agreed on to mitigate the risks identified in the assessment.

While consent is not required to transfer personal information outside of the province, an individual must be informed of the possibility that the information could be disclosed outside of Quebec.

The Quebec Access Act has the same requirements.

7.3. Data processing records

There is no general obligation for private-sector organisations to maintain data processing records.

However, an organisation must establish and implement privacy governance policies and practices. Such policies and practices must provide a framework for the keeping and destruction of the information, define the roles and responsibilities of the staff members throughout the life cycle of the information, and provide a process for dealing with complaints regarding the protection of the information. Detailed information on these policies must be published on the enterprise's website in clear and simple language or, if the enterprise does not have a website, made available by any other appropriate means.

Moreover, certain record keeping is specifically required in respect of confidentiality incidents as noted below.

7.4. Data protection impact assessment

Any person carrying on an enterprise must conduct an assessment of the privacy-related factors of any project of acquisition, development, and redesign of an information system or electronic service delivery involving the collection, use, communication, keeping, or destruction of personal information (Section 95 of Law 25).

Private-sector organisations must conduct an 'assessment of privacy-related factors' in the following circumstances:

  • with respect to the acquisition, development and redesign of any information system project or electronic service delivery project involving the collection, use, disclosure, keeping or destruction of personal information;
  • before disclosing personal information outside of Quebec; and
  • to disclose personal information without consent to a person or body wishing to use the information for study or research purposes or for the production of statistics.

Additionally, Law 25 notes that before communicating personal information outside Québec, a person carrying on an enterprise must conduct an assessment of privacy-related factors. The person must, in particular, take into account (Section 103 of Law 25):

  • the sensitivity of the information;
  • the purposes for which it is to be used;
  • the protection measures, including contractual ones, that would apply to it; and
  • the legal framework applicable in the State in which the information would be communicated, including the data protection principles applicable in the foreign State.

The organisation must ensure that the project allows computerised personal information collected from the person concerned to be communicated to that person in a structured, commonly used technological format. For the purposes of such an assessment, the organisation must consult the person in charge of the protection of personal information within the enterprise from the outset of the project (Section 95 of Law 25). The assessment must be proportionate to the sensitivity of the information, the purpose for which it is to be used, and the amount, distribution, and format of the information (Amendment 57 of the Amendments).

The person in charge of the protection of personal information may, at any stage of a project referred to in Section 95 of Law 25, suggest personal information protection measures applicable to the project, such as (Section 95 of Act 25):

  • the appointment of a person to be responsible for implementing the personal information protection measures;
  • measures to protect the personal information in any document relating to the project;
  • a description of the project participants' responsibilities with regard to the protection of personal information; or
  • training activities for project participants on the protection of personal information.

The Quebec Access Act has the same requirements.

7.5. Data protection officer appointment

Under the Quebec Private Sector Act, the person exercising the highest authority within the organisation has the responsibility to ensure that the law is implemented and complied with. That person exercises the function of 'person in charge of the protection of personal information' (conveniently referred to thereafter as 'Privacy Officer'). All or part of this function may be delegated in writing. In addition, a committee is responsible for supporting the body in the exercise of its responsibilities and the performance of its obligations under the Quebec Access Act.

The CAI maintains a register of all current DPOs containing, for each DPO, the DPO's name, address and email address, and the title and contact information of the person in charge of the protection of personal information (Section 145 of Act 25). The register shall be available for public consultation during the regular business hours of the CAI. The CAI shall furnish, free of charge, to any person who so requests any extract from the register concerning a DPO, which can be consulted on the CAI website.

Applications for registration shall be filed according to the procedure determined by the CAI, accompanied with the fees prescribed by regulation. An application shall contain, in particular, the following information (Section 144(1) of Law 25):

  • the name, address, and email address of the DPO and, in the case of a legal person, the address of its head office and the names and addresses of its directors;
  • the address, email address, and telephone number of each establishment of the DPO in Québec;
  • the title and contact information of the person in charge of the protection of personal information;
  • the method of operation provided for in Section 71 of the Quebec Private Sector Act;
  • the rules of conduct provided for in Section 78 of the Quebec Private Sector Act; and
  • the other measures taken to ensure the confidentiality and security of personal information in accordance with the Quebec Private Sector Act.

Every personal information DPO must inform the CAI of any change in the information referred to in Section 72(1) no later than 30 days following the change. If applicable, the DPO must also promptly inform the Commission of the expected termination of the DPO's activities (Section 144(2) of Law 25). The application form (only available in French here) can be sent either by post or electronically.

Every DPO must establish and apply a method of operation that ensures that the information communicated by him is up to date and accurate and is communicated in accordance with the Amended Act (Section 143 of Law 25), as well as  rules of conduct allowing any person to whom personal information held by the DPO relates to having access to the information according to a procedure that ensures the protection of the information and to cause the information to be rectified (Section 148 of Law 25).

Furthermore, DPOs must, every two years, inform the public, by means of a notice published in a newspaper having general circulation in each region of Québec in which they do business, of (Section 148 of Law 25):

  • the fact that the DPO holds personal information on other persons, that the DPO gives communication of credit reports bearing on the character, reputation or solvency of the persons to whom the personal information relates to persons with whom he is bound by contract, and that he receives from the latter personal information relating to other persons;
  • the rights of access and rectification that the persons concerned may exercise under the Amended Act in respect of the personal information the DPO holds; and
  • the information provided for in Section 72(3) to (6) of the Quebec Private Sector Act.

Finally, the contact details for this person or the person to whom the role is delegated must be published on the company's website or, in the absence of a website, made available by any other appropriate means.

7.6. Data breach notification

There is a general obligation for data breach notification (referred to as a 'confidentiality incident') in Quebec. The term 'confidentiality incident' refers to:

  • unauthorised access, use, or disclosure of personal information; and
  • loss of personal information or any other breach in the protection of that information.

When there is reason to believe that a confidentiality incident has occurred, the organisation must take reasonable steps to reduce the risk of injury and to prevent new incidents of the same nature.

In the event of an incident involving a risk of serious injury, the organisation must notify the CAI, as well as any person whose personal information is concerned by the incident (unless doing so would hamper an investigation conducted by a person or body responsible by law for the prevention, detection, or repression of crime or statutory offence). The organisation may also notify any person or body that could reduce the risk, by disclosing to the person or body only the personal information necessary for that purpose without the consent of the person concerned. In the latter case, the person in charge of the protection of personal information must record the disclosure of the information.

In assessing the risk of injury, the following factors must be considered:

  • the sensitivity of the information;
  • the anticipated consequences of its use; and
  • the likelihood that it will be used for injurious purposes.

Organisations must keep a register of confidentiality incidents, which must be sent to the CAI upon request.

When a confidentiality incident is brought to its attention, the CAI may order any person, after giving them the opportunity to submit observations, to take any measure to protect the rights of the persons concerned, for the time and on the conditions the CAI determines, including that the compromised personal information be returned to the business or be destroyed.

An organisation that contravenes the Quebec Private Sector Act's breach notification provisions may be:

  • found guilty of an offence and liable to a fine not exceeding CAD 25 million (approx. €18.2 million), or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year (doubled in case of a subsequent offence); or
  • condemned to pay a monetary administrative penalty not exceeding CAD 10 million (approx. €7.3 million) or, if greater, the amount corresponding to 2% of worldwide turnover for the preceding fiscal year.

Under the Quebec Access Act, anyone who fails to report, where required to do so, a confidentiality incident to the CAI or to the persons concerned, commits an offence and is liable to a fine of CAD 1,000 (approx. €730) to CAD 10,000 (approx. €7,300) in the case of a natural person and of CAD 3,000 (approx. €2,190) to CAD 30,000 (approx. €21,920) in all other cases. Moreover, anyone who, for example, 1) impedes the progress of an inquiry or inspection of the CAI or the hearing of an application by the CAI by providing it with false or inaccurate information, by omitting to provide information it requires or otherwise, or 2) fails to comply with an order of the CAI commits an offence and is liable to a fine of CAD 5,000 (approx. €3,650) to CAD 100,000 (approx. €73,050) in the case of a natural person and of CAD 15,000 (approx. €10,960) to CAD 150,000 (approx. €109,570) in all other cases.

7.7. Data retention

Under Quebec's privacy laws, personal information must be retained only for as long as necessary to fulfil the purposes for which it was collected or used, after which the organisation must destroy or anonymise the information, subject to any preservation period provided for by law.

However, personal information used to make a decision in relation to a person must be kept for at least one year following the decision. Moreover, if the organisation refuses to grant a request for access or rectification, the information that is the subject of the request must be kept for such time as is necessary to allow the person concerned to exhaust the recourses provided by law.

7.8. Children's data

Under Quebec's privacy laws, personal information concerning a child (under 14 years of age) may not be collected from them without the consent of the person having parental authority or their tutor, unless collecting the information is clearly for the minor's benefit.

Consent to the processing of a child's personal information is given by the person having parental authority or their tutor. When a minor is 14 years of age or over, consent is given by the minor or by the person having parental authority or their tutor.

The Quebec Access Act has the same requirements.

7.9. Special categories of personal data

Quebec's privacy laws do not contain specific provisions regarding the processing of special categories of information. However, the application of these laws will vary depending on whether the information is sensitive and whether there are other statutes that may permit or restrict the processing of such information.

7.10. Controller and processor contracts

An organisation is responsible for the protection of the personal information in its possession or custody, including information that has been transferred to a third party for processing.

When personal information is transferred by the organisation to a third party to 'carry out a mandate or perform a contract of enterprise or for services entrusted to that person or body' (subsequently referred to as a 'third party processor'), the organisation must:

  • entrust the mandate or contract in writing; and
  • specify the measures that must be taken to protect the confidentiality of the personal information, to ensure that the information is used only for carrying out the mandate or performing the contract and to ensure that the information is not kept after the expiry of the mandate or contract.

The third-party processor must notify the organisation's Privacy Officer without delay of any violation or attempted violation by any person of any obligation concerning the confidentiality of the information disclosed, and must also allow the organisation's Privacy Officer to conduct any verification relating to confidentiality requirements.

8. Data Subject Rights

8.1. Right to be informed

The Quebec Private Sector Act generally requires the knowledge and consent of the individual, except in certain circumstances where consent is not required. Organisations must be open and transparent about their practices and inform individuals about the information collected, used, and disclosed and the purposes for the processing of such information.

8.2. Right to access

Individuals have a general right to obtain access to their personal information held by organisations. Access requests must be processed in accordance with the applicable statute, within prescribed timeframes.

The organisation must give the reasons for any refusal to grant a request and indicate the provision of law on which the refusal is based, the remedies available to the applicant under the Quebec Private Sector Act, and the time limit for exercising them. If the applicant so requests, the organisation's Privacy Officer must also help them understand the refusal.

8.3. Right to rectification

An individual may, if personal information concerning them is inaccurate, incomplete, or equivocal, or if collecting, disclosing, or keeping it are not authorised by law, require that the information be rectified.

The organisation must give the reasons for any refusal to grant a request and indicate the provision of law on which the refusal is based, the remedies available to the applicant under the Quebec Private Sector Act and the time limit for exercising them. If the applicant so requests, the organisation's Privacy Officer must also help them understand the refusal.

8.4. Right to erasure

Under the Quebec Private Sector Act, an individual may require an organisation to:

  • cease disseminating personal information about them;
  • de-index any hyperlink that provides access to that information, if the dissemination contravenes the law or a court order; and
  • re-index any hyperlink that provides access to that information.

Such a request may be made when the following conditions are met:

  • the dissemination of this information causes the person serious injury in relation to the person's right to respect of their reputation or privacy;
  • the injury is clearly greater than the public interest in knowing the information or the right to free expression (the balance of convenience criterion); and
  • the remedy requested does not exceed what is necessary to prevent the perpetuation of the injury.

In assessing the balance of convenience criterion, the following, in particular, must be taken into account:

  • the fact that the person concerned is a public figure;
  • the fact that the information concerns the person when they are a minor;
  • the fact that the information is up to date and accurate;
  • the sensitivity of the information;
  • the context in which the information is disseminated;
  • the time elapsed between the dissemination of the information and the request made; and
  • where the information concerns a criminal or penal procedure, the obtaining of a pardon or the application of a restriction on the accessibility of records of the courts of justice.

8.5. Right to object/opt-out

Individuals have the right to submit complaints to organisations, to withdraw consent (subject to some limitations), and to file complaints with the CAI. Although not expressly stated in the Quebec Private Sector Act, it is understood that implied consent is permissible for non-sensitive personal information.

8.6. Right to data portability

Under the Quebec Private Sector Act, an individual may request a copy of computerised personal information in the form of a written and intelligible transcript. Unless doing so raises serious practical difficulties, computerised personal information collected from the applicant (and not information created or derived from their personal information) must, at their request, be disclosed to them in a structured, commonly used technological format. The information must also be disclosed, at the applicant's request, to any person or body authorised by law to collect such information.

8.7. Right not to be subject to automated decision-making

Under the Quebec Private Sector Act, an organisation using personal information to render a decision based exclusively on an automated processing of such information must, at the time of or before the decision, and no later than the moment when the individual is informed of the decision, inform the individual concerned accordingly.

Upon request, the individual must also be informed of:

  • the personal information used to render the decision;
  • the reasons and the principal factors and parameters that led to the decision; and
  • the right of the person concerned to have the personal information used to render the decision corrected.

The individual must be given the opportunity to submit observations to a staff member who is in a position to review the decision.

The Quebec Access Act has the same requirements.

8.8. Other rights

In addition to the other rights mentioned therein, it should be noted that Act 25 requires that organisations disclose, in advance, their use of technology that can identify, locate, or profile users, and then provide users with the means to activate the identification, location, or profiling features. 'Profiling' is defined as the collection and use of personal information to assess certain characteristics of a natural person, such as work performance, economic situation, health, personal preferences, interests, or behaviour.

Also of note, the spouse or a close relative of a deceased person may request personal information concerning the deceased if the following conditions are met:

  • knowledge of the information could help the applicant in the grieving process; and
  • the deceased person did not record in writing their refusal to grant such a right of access.

9. Penalties

The CAI has the power to impose monetary administrative penalties and to issue fines for penal offences.

Under the Quebec Private Sector Act, monetary administrative penalties may be imposed on organisations for the following reasons:

  • failure to adequately inform the individuals;
  • unlawful collection, use, disclosure, keeping, or destruction of personal information;
  • failure to report a confidentiality incident;
  • failure to take the security measures necessary to ensure the protection of the personal information; and
  • failure to inform individuals concerned by a decision based exclusively on an automated process or failure to provide individuals an opportunity to submit observations.

The maximum amount of the monetary administrative penalty is CAD 50,000 (approx. €36,530) (for individuals) and CAD 10 million (approx. €7.3 million) (for businesses) or, if greater, 2% of worldwide turnover for the preceding year.

Act 25 provides that businesses can acknowledge their failure to comply with applicable legal requirements and enter into an undertaking with the CAI to remedy the contravention or mitigate its consequences. Where such an undertaking is accepted by the CAI and is respected, the business cannot be subject to a monetary administrative penalty with respect to the acts or omissions covered by the undertaking.

Under the Quebec Private Sector Act, within five years of the commission of the offence, the CAI may institute penal proceedings for the following offences, among others:

  • unlawful collection, use, disclosure, keeping, or destruction of personal information;
  • failure to report a confidentiality incident;
  • failure to take the security measures necessary to ensure the protection of the personal information; 
  • identification or attempt to identify a natural person using de-identified information without authorisation;
  • impeding the progress of an inquiry or inspection of the CAI or the hearing of an application by the CAI by providing it with false or inaccurate information, by omitting to provide information it requires or otherwise; and
  • failure to comply with an order of the CAI.

The fine for a penal offence ranges from CAD 5,000 (approx. €3,650) to CAD 100,000 (approx. €73,050) in the case of a natural person and, in all other cases, from CAD 15,000 (approx. €10,960) to CAD 25 million (approx. €18.2 million), or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year. In the event of a subsequent offence, the fines are doubled.

The Quebec Private Sector Act also provides that where individuals have suffered an injury resulting from the unlawful infringement of a right conferred by the Quebec Private Sector Act or by Sections 35 to 40 of the Quebec Civil Code and the infringement is intentional or results from a gross fault, the court shall also award punitive damages of at least CAD 1,000 (approx. €730).

9.1. Enforcement decisions

The penal provisions of the Quebec Private Sector Act have never been enforced to date. That said, the significant increase in the penalties provided (recently introduced by Act 25) sends the signal that the penal provisions may play an important role in the enforcement of Quebec's privacy law regime.

The monetary administrative penalties introduced by Act 25 are new, thus no enforcement decisions have been rendered yet.