Quebec - Data Protection Overview

May 2023

1. Governing Texts

Privacy law in the Province of Quebec is comprised of various federal and provincial statutes. These laws include privacy laws of general application for both private and public organisations, as well as sector-specific statutes and related laws, such as anti-spam legislation.

Please note that on 21 September 2021, the National Assembly passed an Act to modernise legislative provisions as regards the protection of personal information ('Act 25', formerly known as 'Bill 64'). Act 25 provides for a staggered entry into force spanning over three years, but most of its provisions will enter into force in September 2023. Act 25 has resulted in significant amendments to various laws in order to modernise the regulatory framework for the protection of personal data in Quebec.

This Guidance Note has been prepared to take into consideration the significant changes introduced by Act 25.

1.1. Key acts, regulations, directives, bills

At the provincial level, the Act Respecting the Protection of Personal Information in the Private Sector, CQLR P-39.1 ('the Quebec Private Sector Act') regulates the collection, use, and disclosure of personal information by private organisations (referred to as 'enterprises'). At the federal level, private organisations are regulated by the Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA').

The Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information, CQLR c. A-2.1 ('the Quebec Access Act') regulates the collection, use, and disclosure of personal information by public bodies and provides individuals with a right of access to their personal information.

Canada's Anti-Spam Legislation, SC 2010 c 23 ('CASL') also regulates commercial marketing activities.

Other provincial laws include privacy provisions, such as the Act to Establish a Legal Framework for Information Technology, c. C-1.1 ('the Quebec Information Technology Act'), which includes specific requirements for the collection, use, and disclosure of biometric data.

The focus of this Guidance Note will be on the Quebec Private Sector Act and the Quebec Access Act, with limited information on PIPEDA and the CASL.

1.2. Guidelines

The Quebec Commission on Access to Information ('CAI') publishes guidance materials on its website to inform both the public and organisations of their rights and obligations under Quebec's privacy laws, including the following:

  • the Evolving Space – Bill 64 (only available in French here); and
  • Privacy Officer guidance (only available in French here).

Most of the information is published in French, but some is available in English as illustrated below:

The Quebec regulatory framework is supplemented at the federal level by guidance documents relating to the CASL issued by the Office of the Privacy Commissioner of Canada ('OPC') and the Canadian Radio-television and Telecommunications Commission ('CRTC').

1.3. Case law

The following are among the recent and notable findings and decisions of the CAI (2014-2022):

  • CAI #1016217-S – Investigation into Compagnie Selenis Canada, about the use of a biometric time clock (only available in French here);
  • CAI #1005645-S – Investigation into Transplant Québec, on certain practices of the organization (only available in French here);
  • CAI #1023158-S – Investigation into Clearview AI Inc., on the practices of the organization with respect to the collection and use of images of people from photos posted on the Internet (only available in French here);
  • PIPEDA Report of Findings #2021-001 ('Report 2021-001') (see also CAI #1023158-S (only available in French here) for an order made following PIPEDA Report #2021-001);
  • CAI #1020846-S – Investigation into Fédération des caisses Desjardins du Québec (only available in French here);
  • CAI #1019951-S – Investigation into Ivanhoé Cambridge Inc. and Innovations Galilei 2 (only available in French here);
  • CAI #1018507-S – Investigation into Les 3 Pilliers (only available in French here);
  • CAI #1005977-S – Investigation into Bell Mobilité (only available in French here);
  • CAI #1009621-S and 1009629-S – Investigation into Confédération des syndicats nationaux, about use and disclosure of personal data published on social networks as part of a union campaign without the consent of the data subject (only available in French here);
  • CAI #1007894-S – Investigation into Centre de service partagés du Québec et Secrétariat du Conseil du Trésor, about collection of Social Insurance Numbers ('SIN') to submit an online application (only available in French here);
  • CAI #1006934-S – Investigation into Thomson Tremblay Inc. (only available in French here), about the collection of SIN at the pre-employment stage (see also CAI #1005625-S – Investigation into Hunt Personnel about the collection of social security numbers (only available in French here));
  • CAI #1011820-S – Investigation into Ville de Québec, about the use of drones (only available in French here); and
  • CAI #080272 – Investigation into Garderie Coeur d'Enfant Inc., about the use of video surveillance (only available in French here).

2. Scope of Application

2.1. Personal scope

Quebec Private Sector Act

The Quebec Private Sector Act applies to the collection, use, or disclosure (referred to as 'communication') of personal information within the province by 'any person carrying on an enterprise', whether such information is held by the enterprise itself or by a third party. Unlike PIPEDA, the Quebec Private Sector Act applies regardless of whether an activity is commercial in nature.

Furthermore, the Quebec Private Sector Act applies to such information regardless of its medium and regardless of the form in which it is accessible, whether written, graphic, recorded, filmed, computerised, or otherwise.

PIPEDA

PIPEDA applies to the collection, use, or disclosure of personal information by an organisation in the course of its commercial activities, or in respect of personal information about an employee of the organisation (or an applicant for employment with the organisation) and that the organisation uses or discloses in connection with the operation of a federal work, undertaking, or business (such as banks, telecommunications companies, shipping companies, and railways). PIPEDA also applies when the personal information is disclosed across provincial or international borders.

Questions often arise as to whether the Quebec Private Sector Act or PIPEDA applies to a particular activity. The answers depend on the circumstances of each case.

Quebec Access Act

The Quebec Access Act applies to documents held by a public body in the exercise of its functions and to documents held by a professional order to the extent provided for in the Professional Code. The Quebec Access Act regulates the collection, use, and disclosure of personal information by public bodies and professional orders, and provides individuals with a right of access to their personal information.

Furthermore, the Quebec Access Act applies whether the document is recorded in writing or in print, on sound tape or film, in computerised form, or otherwise.

CASL

The CASL regulates, among other things, the sending of commercial electronic messages such as promotional and marketing messages, to and from Canada. It prohibits the sending of commercial electronic messages unless express or implied consent is obtained, or an exemption applies, and prescribed requirements are met.

2.2. Territorial scope

Quebec Private Sector Act

The Quebec Private Sector Act is silent with respect to its extraterritorial application. However, in the joint investigation of Clearview AI under Report 2021-001, the CAI has considered that, even if the system and the enterprise are located outside of Quebec, by offering its services and by collecting and using personal information within the limits of the province, the enterprise operates a business in Quebec.

Consequently, it is subject to the legislation in force in the jurisdiction in which it operates, i.e. the Quebec Private Sector Act (see CAI #1023158-S, only available in French here).

Quebec Access Act

The Quebec Access Act is silent on its territorial scope.

2.3. Material scope

Quebec Private Sector Act

The Quebec Private Sector Act applies to 'any person carrying on an enterprise', which means an organised economic activity, whether or not it is commercial in nature, consisting of the production, management, or sale of property or the provision of a service.

It also applies to personal information held by a professional order to the extent provided for in the Professional Code, and to personal information held by a political party, an independent Member of Parliament, or an independent candidate, to the extent provided for in the Election Act.

The Quebec Private Sector Act does not apply to:

  • personal information relating to the performance of the individual’s duties within an enterprise by the person concerned, such as the individual’s name, title, and duties, as well as the address, email address, and telephone number of the individual’s place of work;
  • journalistic, historical, or genealogical material collected, held, used, or disclosed for the legitimate information of the public;
  • a public body within the meaning of the Quebec Access Act; and
  • information held by a person other than a public body on behalf of a public body.

Quebec Access Act

The Quebec Access Act applies to documents held by a public body and to documents held by a professional order.

The Quebec Access Act does not apply to:

  • the civil status acts and registers;
  • the registers and other documents kept by registry offices for publication purposes;
  • the register referred to in Chapter II of the Quebec Access Act for the Act Respecting the Legal Publicity of Enterprises, c. P-44.1;
  • private archives referred to in Section 27 of the Archives Act, A-21.1; or
  • documents contained in a file:
    • relating to the adoption of a person held by a public body; or
    • held by the Public Curator on a person whom they represent or whose property they manage, except in certain circumstances to allow the CAI to carry out specific duties.

The Quebec Access Act also does not apply to the specific requirements for users' records pursuant to An Act Respecting Health Services and Social Services (Revised Statutes of Quebec chapter S-4.2), or in certain other circumstances set out in specific laws.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The CAI is the regulatory authority that oversees the application of the Quebec Private Sector Act and the Quebec Access Act. The CAI sometimes works collaboratively with the OPC and other provincial and territorial privacy commissioners on investigations and policy matters.

PIPEDA is administered by the OPC, while the CASL is administered by the CRTC, the Competition Bureau of Canada, and the OPC.

3.2. Main powers, duties and responsibilities

The CAI consists of two divisions: the Oversight Division and the Adjudication Division.

Oversight Division

The main functions of the CAI's Oversight Division are to monitor the implementation of the Quebec Private Sector Act and the Quebec Access Act, and to ensure that the principles of access to documents and the protection of personal information are respected and promoted.

To this end, the CAI may investigate the application of the Quebec Private Sector Act and the Quebec Access Act and the degree of compliance with these acts. These investigations may be carried out on its own initiative or on the basis of a complaint from any person.

At the end of the investigation, and after giving to the enterprise or to the public body an opportunity to submit written observations, the CAI may:

  • Under the Quebec Private Sector Act:
    • recommend or order the application of such remedial measures as are appropriate to ensure the protection of the personal information. If, within a reasonable time after issuing an order with respect to a person who operates an enterprise, the CAI is of the opinion that appropriate measures have not been taken, it may publish a notice to inform the public thereof. Any person with a direct interest may appeal against an order issued following an investigation.
  • Under the Quebec Access Act:
    • recommend or order the adoption of measures that the CAI considers appropriate. If, within a reasonable time after making a recommendation to a public body or after issuing an order, the CAI considers that appropriate measures have not been taken to implement the recommendation, it may notify the Government of Quebec or, if it deems it appropriate, submit a special report to the National Assembly or set out the situation in its annual report. A person directly interested can appeal the order issued following an investigation to a judge of the Court of Quebec.

The CAI may also:

  • Under the Quebec Private Sector Act:
    • require the production of any information or documents (Sections 81.2 and 83.1 of the Quebec Private Sector Act (as amended by Act 25));
    • order any person involved in a confidentiality incident to take any action to protect the rights of the individuals involved, including an order that the compromised personal information be returned to the business or be destroyed (Section 81.3 of the Quebec Private Sector Act (as amended by Act 25));
    • enter into an undertaking with a business to remedy a breach or mitigate its consequences (Section 90.1 of the Quebec Private Sector Act (as amended by Act 25)); and
    • develop guidelines to assist in the administration of the Quebec Private Sector Act.
  • Under the Quebec Access Act:
    • approve agreements entered into between public bodies;
    • give its opinion on the draft regulations submitted to it under the Quebec Access Act, on draft agreements on the transfer of information and on draft orders authorising the creation of confidential files;
    • ensure that the confidentiality of personal information contained in the files of public bodies relating to the adoption of a person is respected;
    • ensure that the confidentiality of personal information contained in the files of the Public Curator concerning the persons they represent or whose property they manage is respected;
    • approve the governance rules regarding personal information submitted by the personal information manager;
    • require the production of any information or document;
    • order any person involved in a privacy incident to take any action to protect the rights of the individuals involved, including ordering the return or destruction of the compromised personal information;
    • prohibit a person from making an application without the approval of the president and upon such terms and conditions as the president determines; and
    • develop guidelines to assist in the administration of the Quebec Access Act.

In exercising its oversight functions, the CAI may authorise members of its staff or any other persons to act as inspectors.

Adjudication division

The CAI's Adjudication Division hears applications for review made under the Quebec Access Act and applications for review of disputes made under the Quebec Private Sector Act, to the exclusion of any other court.

Upon receipt of an application, the CAI must give the parties an opportunity to present their observations, including through a mediation process.

The CAI has all the powers necessary to exercise its jurisdiction; it may issue any order it deems appropriate to protect the rights of the parties, and may rule on any question of fact or of law.

In particular, under the Quebec Private Sector Act, the CAI may order an organisation to disclose or rectify personal information or to refrain from doing so. Furthermore, under the Quebec Access Act, the CAI may order a public body to disclose or refrain from disclosing a document or part of a document, to correct, complete, clarify, update or delete personal information, or to cease the use or disclosure of personal information.

The CAI shall make its decision within three months of the date on which the matter was brought before it, unless the Chairperson extends that period for valid reasons.

Any decision of the CAI on a question of fact within its jurisdiction is final.

A person directly interested may bring an appeal from the final decision of the CAI to a judge of the Court of Quebec on a question of law or jurisdiction, or, with leave of a judge of that court, from an interlocutory decision that will not be remedied by the final decision.

4. Key Definitions

Data controller: 'Data controller' is not explicitly defined in the Quebec privacy laws. The entities considered to be in control of, and responsible for complying with the privacy law requirements are referred to as 'persons carrying on an enterprise' pursuant to the Quebec Private Sector Act and 'public bodies' pursuant to the Quebec Access Act.

Data processor: 'Data processor' is not defined in the Quebec privacy laws, although they refer to 'mandatary' or 'person performing a contract'.

Personal data: 'Personal information' is defined as information relating to a natural person and allows that person to be identified, directly or indirectly.

Sensitive data: Personal information is deemed sensitive if, 'due to its nature (including medical, biometric, or otherwise intimate information) or the context of its use or release, it entails a high level of reasonable expectation of privacy'. Sensitive information requires explicit consent and is subject to a higher level of protection.

Health data: 'Health data' is not defined in the Quebec privacy laws.

Biometric data: 'Biometric data' is not defined in the Quebec privacy laws. However, the Quebec Information Technology Act regulates the collection, use, and disclosure of 'biometric characteristics or measurements'.

Pseudonymisation: 'Pseudonymisation' is not specifically defined in the Quebec privacy laws. However, the Quebec Private Sector Act provides that personal information is 'anonymised' when it can be reasonably expected at any time, under the circumstances, to irreversibly prevent the individual from being directly or indirectly identified. In addition, personal information is 'de-identified' when it no longer allows the individual to be directly identified.

Data subject: 'Data subject' is not defined in the Quebec privacy laws, which refer to 'person concerned' instead.

5. Legal Bases

5.1. Consent

Under Quebec's privacy laws, unless an exception applies, consent is required. To be valid, consent must be clear, free, and informed, and given for specific purposes. Consent must be requested for each such purpose, in clear and simple language and, if requested in writing, separately from any other information provided to the individual. Consent is valid only for the time necessary to achieve the purposes for which it is sought. It may be withdrawn with respect to the use or disclosure of the information collected.

Consent must be expressly given for sensitive personal information. Although not explicitly stated in the Quebec Private Sector Act, it is understood that implied consent is permitted for non-sensitive personal information.

The Quebec Information Technology Act also requires explicit consent for biometric data.

To obtain valid consent, organisations must be transparent about their practices and must disclose the information required by the law at the time the information is collected and subsequently upon request.

5.2. Contract with the data subject

Please see the section above on consent for express and implied consent. Contracts may contain or incorporate express consent or provide a basis for implied consent, depending on the circumstances.

5.3. Legal obligations

Quebec's privacy laws allow organisations to collect, use, and disclose personal information without consent where required by law, for example:

  • when the information is required for the purpose of prosecuting an offence under an act applicable in Quebec; or
  • for the prevention, detection, or suppression of crime or statutory offences, if the information is required for the purposes of the prosecution of an offence under an act applicable in Quebec.

Furthermore, under the Quebec Private Sector Act, an organisation may also disclose personal information, without consent, in the following circumstances, subject to certain conditions:

  • for the application of a collective agreement;
  • for the collection of debts;
  • for carrying out a mandate or performing a contract of enterprise or for services entrusted; or
  • for a commercial transaction.

5.4. Interests of the data subject

The Quebec Private Sector Act allows an organisation to collect personal information without consent if it has a serious and legitimate reason and either of the following conditions is met:

  • the information is collected in the interest of the individual concerned and cannot be obtained from them in a timely manner; or
  • collection from a third party is necessary to ensure the accuracy of the information.

Furthermore, both the Quebec Private Sector Act and the Quebec Access Act allow organisations to use personal information without consent when such use is clearly for the benefit of the individual.

Both acts also permit organisations to disclose personal information, without consent, to a person to whom the information must be disclosed:

  • due to the urgency of a situation that threatens the life, health, or safety of the individual; or
  • in order to prevent an act of violence, including a suicide, where there are reasonable grounds to believe that there is a serious risk of death or serious bodily injury threatening an individual or an identifiable group of individuals, and where the nature of the threat generates a sense of urgency - in this case only the personal information that is necessary to achieve the purposes for which the information is provided may be disclosed; such information may be disclosed to any person exposed to the risk or that person's representative, and to any person who can come to that person's aid.

5.5. Public interest

Please see the sections above on legal obligations and data subject interests, which illustrate some instances where the public interest may provide a legal basis.

5.6. Legitimate interests of the data controller

Consent is not required in certain circumstances listed in Sections 6, 12, 18, 18.3, and 18.4 of the Quebec Private Sector Act (as amended by Act 25) and Sections 59, 59.1, 60, 65.1, and 67.2.1 (study, research, compilation of statistics) of the Quebec Access Act.

Some of these cases are mentioned above.

5.7. Legal bases in other instances

Not applicable.

6. Principles

The Quebec Private Sector Act requires organisations to comply with the following requirements:

  • accountability: organisations are responsible for protecting the personal information in their custody, and they must, among other things:
    • establish and implement governance policies and practices regarding personal information that ensure the protection of such information; and
    • publish a privacy policy, if applicable, on the organisation’s website;
  • identify purposes;
  • limitation of collection: ('serious and legitimate reason' and 'only the information necessary for the purposes determined before collecting it');
  • consent and notice to the individual;
  • limits on use, disclosure, and retention;
  • accuracy;
  • safeguards/confidentiality;
  • individual access; and
  • responding to requests for access to personal information and rectification of personal information made by individuals.

The Quebec Access Act requires public bodies to comply with the same requirements.

7. Controller and Processor Obligations

7.1. Data processing notification

Every personal information agent ('Agent') carrying on an enterprise in Quebec must be registered with the CAI (Section 70 of the Quebec Private Sector Act). An Agent is a person who, on a commercial basis, personally or through a representative, establishes files on other persons and prepares and communicates to third parties credit reports bearing on the character, reputation, or solvency of the persons to whom the information contained in such files relates (Section 70.1 of the Quebec Private Sector Act).

The CAI maintains a register of all Agents ('the Register'), which includes, for each Agent, its name, address and email address, and the title and contact information of the Privacy Officer (Section 145 of Act 25). The Register shall be available for public consultation during the regular business hours of the CAI. The CAI shall provide, free of charge, to any person who so requests, any extract from the Register concerning an Agent, which may also be consulted on the website of the CAI.

Applications for registration shall be made in accordance with the procedure established by the CAI and shall be accompanied by the fees prescribed by regulation. An application must contain, in particular, the following information (Section 144(1) of Act 25):

  • the name, address, and email address of the Agent and, in the case of a legal person, the address of its head office and the names and addresses of its directors;
  • the address, email address, and telephone number of each establishment of the Agent in Québec;
  • the title and contact information of the Privacy Officer;
  • the method of operation provided for in Section 71 of the Quebec Private Sector Act;
  • the code of conduct provided for in Section 78 of the Quebec Private Sector Act; and
  • the other measures taken to ensure the confidentiality and security of personal information in accordance with the Quebec Private Sector Act.

Each Agent must notify the CAI of any change in the information provided upon registering no later than 30 days after the change. Where applicable, the Agent must also promptly inform the CAI of the expected termination of its activities (Section 144(2) of Act 25). The application form (only available in French here) may be submitted by mail or electronically.

Each Agent must establish and apply a method of operation that ensures that the information communicated by them is up-to-date and accurate and is communicated in accordance with the law (Section 143 of Act 25), as well as rules of conduct that allow any person to whom personal information held by the Agent relates, to have access to the information according to a procedure that ensures the protection of the information, and to cause the information to be rectified (Section 148 of Act 25).

Furthermore, every two years, Agents must inform the public, by means of a notice published in a newspaper having general circulation in each region of Québec in which it operates (Section 148 of Act 25):

  • of the fact that the Agent holds personal information relating to other persons, that the Agent communicates credit reports concerning the character, reputation, or solvency of the persons to whom the personal information relates to persons with whom the Agent is bound by contract, and that the Agent receives from the latter personal information relating to other persons;
  • the rights of access and rectification which the persons concerned may exercise under the amended act with respect to the personal information the Agent holds; and
  • the information provided for in Section 72(3) to (6) of the Quebec Private Sector Act.

7.2. Data transfers

An organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.

Before disclosing personal information outside of Quebec, an organisation must conduct an assessment of privacy-related factors, taking into account:

  • the sensitivity of the information;
  • the purposes for which it will be used;
  • the safeguards that would apply to it, including contractual measures; and
  • the legal framework applicable in the jurisdiction where the information would be disclosed, including the degree of adequacy of the legal framework with Quebec's privacy laws.

The information may be disclosed outside of Quebec only if the assessment determines that it would receive an adequate level of protection.

The transfer of the information is subject to a written agreement that takes into account the results of the assessment and, if applicable, the terms agreed upon to mitigate the risks identified in the assessment.

While consent is not required to transfer personal information outside of the province, an individual must be informed of the possibility that the information may be disclosed outside of Quebec.

The Quebec Access Act has the same requirements.

7.3. Data processing records

There is no general requirement for private-sector organisations to maintain data processing records.

However, an organisation must establish and implement privacy governance policies and practices. Such policies and practices must provide a framework for the retention and disposal of the information, define the roles and responsibilities of employees throughout the life cycle of the information, and provide a process for handling complaints regarding the protection of the information. Detailed information about these policies must be published on the enterprise's website in clear and simple language or, if the enterprise does not have a website, must be made available by any other appropriate means.

Moreover, certain record keeping is specifically required with respect to confidentiality incidents as noted below.

7.4. Data protection impact assessment

Any person carrying on an enterprise must conduct an assessment of the privacy-related factors of any project for the acquisition, development, and redesign of an information system or electronic service delivery involving the collection, use, disclosure, storage, or destruction of personal information (Section 95 of Act 25).

Private-sector organisations must conduct an 'assessment of privacy-related factors' in the following circumstances:

  • in connection with the acquisition, development, and redesign of any information systems project or electronic service delivery project that involves the collection, use, disclosure, storage, or destruction of personal information;
  • before disclosing personal information outside of Quebec; and
  • before disclosing personal information, without consent, to a person or body that intends to use the information for study or research purposes or for the compilation of statistics.

Additionally, Act 25 states that before disclosing personal information outside of Québec, a person carrying on an enterprise must conduct an assessment of the privacy-related factors. In particular, the person must take into account (Section 103 of Act 25):

  • the sensitivity of the information;
  • the purposes for which it is to be used;
  • the safeguards, including contractual ones, that would apply to it; and
  • the legal framework applicable in the state to which the information would be disclosed, including the data protection principles applicable in the foreign state.

The organisation must ensure that the project allows the computerised personal information collected from the individual to be communicated to them in a structured, commonly used, technological format. For the purpose of such an assessment, the organisation must consult the person responsible for the protection of personal information within the enterprise from the outset of the project (Section 95 of Act 25), and the assessment must be proportionate to the sensitivity of the information, the purpose for which it is to be used, and the volume, distribution, and format of the information.

The person responsible for the protection of personal information may, at any stage of a project referred to in Section 95 of Act 25, propose measures for the protection of personal information applicable to the project, such as (Section 95 of Act 25):

  • the appointment of a person to be responsible for the implementation of the personal information protection measures;
  • measures to protect the personal information in all documents related to the project;
  • a description of the responsibilities of project participants with respect to the protection of personal information; or
  • training activities for project participants on the protection of personal information.

The Quebec Access Act has the same requirements.

7.5. Data protection officer appointment

Under the Quebec Private Sector Act, the person exercising the highest authority within the organisation has the responsibility to ensure that the law is implemented and complied with. This person exercises the function of the 'person in charge of the protection of personal information' (referred to hereafter as the 'Privacy Officer'). All or part of this function may be delegated in writing. In addition, under the Quebec Access Act, a committee is responsible for assisting the public body in the exercise of its responsibilities and the fulfilment of its obligations under that Act.

Finally, the contact details of the Privacy Officer or the person to whom this function is delegated must be published on the company's website or, in the absence of a website, made available by any other appropriate means.

7.6. Data breach notification

In Quebec, there is a general obligation to report a data breach (referred to as a 'confidentiality incident'). The term 'confidentiality incident' refers to:

  • the unauthorised access, use, or disclosure of personal information; and
  • the loss of personal information or any other breach of the security of that information.

When there is reason to believe that a confidentiality incident has occurred, the organisation must take reasonable steps to reduce the risk of harm and to prevent new incidents of the same nature.

In the event of an incident involving a risk of serious harm, the organisation must notify the CAI and any person whose personal information is affected by the incident (unless doing so would impede an investigation conducted by a person or body responsible by law for the prevention, detection, or suppression of crime or statutory offence). The organisation may also notify any person or body that could mitigate the risk, by disclosing to that person or body, without the individual's consent, only the personal information necessary to do so. In the latter case, the person in charge of the protection of personal information must record the disclosure of the information.

In assessing the risk of harm, the following factors must be considered:

  • the sensitivity of the information;
  • the anticipated consequences of its use; and
  • the likelihood that it will be used for harmful purposes.

Organisations must keep a register of confidentiality incidents, which must be sent to the CAI upon request.

When a confidentiality incident is brought to its attention, the CAI may order any person, after giving them the opportunity to submit their observations, to take any measure to protect the rights of the individuals, for the time and under the conditions determined by the CAI, including the return of the compromised personal information to the organisation or its destruction.

An organisation that contravenes the Quebec Private Sector Act's breach notification provisions may be:

  • found guilty of an offence and fined not more than the greater of CAD 25 million (approx. €17 million) or 4% of its worldwide turnover for the preceding fiscal year (doubled for a subsequent offence); or
  • ordered to pay an administrative fine not exceeding the greater of CAD 10 million (approx. €6.8 million) or 2% of its worldwide turnover for the preceding fiscal year.

Under the Quebec Access Act, anyone who fails to report a breach of confidentiality to the CAI or to the persons concerned when required to do so commits an offence and is liable to a fine of CAD 1,000 (approx. €681) to CAD 10,000 (approx. €6,813) in the case of a natural person, and of CAD 3,000 (approx. €2,044) to CAD 30,000 (approx. €20,438) in all other cases. Moreover, anyone who, for example, 1) impedes the progress of an inquiry or inspection of the CAI or the hearing of an application by the CAI by providing it with false or inaccurate information, by failing to provide information requested by the CAI or otherwise, or 2) fails to comply with an order of the CAI, commits an offence and is liable to a fine of CAD 5,000 (approx. €3,405) to CAD 100,000 (approx. €68,094) in the case of a natural person and of CAD 15,000 (approx. €10,216) to CAD 150,000 (approx. €102,157) in all other cases.

7.7. Data retention

Under Quebec's privacy laws, personal information may be retained only for as long as necessary to fulfill the purposes for which it was collected or used, after which the organisation must destroy or make anonymous the information, subject to any retention period required by law.

However, personal information used to make a decision about an individual must be kept for at least one year after the decision is made. Moreover, if the organisation refuses to grant a request for access or rectification, the information that is the subject of the request must be kept for as long as is necessary to allow the individual to exhaust the remedies provided by law.

7.8. Children's data

Under Quebec's privacy laws, personal information concerning a child (under 14 years of age) may not be collected from the child without the consent of the person having parental authority or the child’s guardian, unless the collection of the information is clearly for the minor's benefit.

Consent for the processing of a child's personal information is given by the person having parental authority or their guardian. If a minor is 14 years of age or older, consent is given by the minor or by the person with parental authority or their guardian.

The Quebec Access Act has the same requirements.

7.9. Special categories of personal data

Quebec's privacy laws do not contain specific provisions regarding the processing of special categories of information. However, the application of these laws will vary depending on whether the information is sensitive and whether there are other laws that may permit or restrict the processing of such information.

7.10. Controller and processor contracts

An organisation is responsible for protecting the personal information it holds, including information that has been transferred to a third party for processing.

If the organisation discloses personal information to a third party for the purpose of 'carrying out a mandate or performing a contract of enterprise or for services entrusted to that person or body' (hereafter referred to as a 'third-party processor'), the organisation must:

  • entrust the mandate or contract in writing; and
  • specify the measures to be taken to protect the confidentiality of the personal information, to ensure that the information is used only for the purposes of carrying out the mandate or performing the contract, and to ensure that the information is not retained once the mandate or contract has expired.

The third-party processor shall immediately notify the organisation's Privacy Officer of any breach or attempted breach by any person of any obligation to maintain the confidentiality of the information disclosed and shall also allow the organisation's Privacy Officer to conduct any review of the confidentiality requirements.

8. Data Subject Rights

8.1. Right to be informed

The Quebec Private Sector Act generally requires the knowledge and consent of the individual, except in certain circumstances where consent is not required. Organisations must be open and transparent about their practices and inform individuals about the information collected, used, and disclosed, and the purposes for which such information is processed.

8.2. Right to access

Individuals have a general right to obtain access to their personal information held by organisations. Access requests must be dealt with in accordance with the applicable law and within prescribed time limits.

The organisation must state the reasons for any refusal to comply with a request and indicate the provision of law on which the refusal is based, the remedies available to the applicant under the Quebec Private Sector Act, and the time limit for exercising them. If the applicant so requests, the organisation's Privacy Officer must also help them understand the refusal.

8.3. Right to rectification

An individual may require that personal information concerning them be rectified if it is inaccurate, incomplete, or equivocal, or if its collection, disclosure, or retention is not authorised by law.

The organisation must give the reasons for any refusal to grant a request and indicate the provision of law on which the refusal is based, the remedies available to the applicant under the Quebec Private Sector Act, and the time limit for exercising them. If the applicant so requests, the organisation's Privacy Officer must also help them understand the refusal.

8.4. Right to erasure

Under the Quebec Private Sector Act, an individual may require an organisation to:

  • cease disseminating personal information about them;
  • de-index any hyperlink that provides access to that information, if the dissemination violates the law or a court order; and
  • re-index any hyperlink that provides access to that information.

Such a request may be made when the following conditions are met:

  • the dissemination of such information would cause the person serious harm in relation to the person's right to respect of their reputation or privacy;
  • the harm is clearly greater than the public’s interest in knowing the information or the right to freedom of expression (the balance of convenience criterion); and
  • the relief sought does not exceed what is necessary to prevent the continuation of the injury.

In assessing the balance of convenience criterion, the following, in particular, must be taken into account:

  • the fact that the person concerned is a public figure;
  • the fact that the information concerns the person when they are a minor;
  • the fact that the information is up to date and accurate;
  • the sensitivity of the information;
  • the context in which the information is disseminated;
  • the time elapsed between the dissemination of the information and the request made; and
  • where the information concerns a criminal or penal procedure, the obtaining of a pardon or the application of a restriction on the accessibility of records of the courts of justice.

8.5. Right to object/opt-out

Individuals have the right to submit complaints to organisations, to withdraw consent (subject to some limitations), and to file complaints with the CAI. Although not explicitly stated in the Quebec Private Sector Act, it is understood that implied consent is permitted for non-sensitive personal information.

8.6. Right to data portability

Under the Quebec Private Sector Act, an individual may request a copy of computerised personal information in the form of a written and intelligible transcript. Unless there are serious practical difficulties in doing so, computerised personal information collected from the applicant (and not information created or derived from their personal information) must, at their request, be disclosed to them in a structured, commonly used technological format. The information must also be disclosed, at the applicant's request, to any person or body authorised by law to collect such information.

8.7. Right not to be subject to automated decision-making

Under the Quebec Private Sector Act, an organisation that uses personal information to make a decision based solely on the automated processing of such information must, at or before the time of the decision, or at the latest at the time the decision is communicated to the individual, inform the individual of the decision.

Upon request, the individual must also be informed of:

  • the personal information used to reach the decision;
  • the reasons and the main factors and parameters that led to the decision; and
  • the right of the person concerned to have the personal information used to make the decision corrected.

The individual must be given the opportunity to submit observations to a staff member who is in a position to review the decision.

The Quebec Access Act has the same requirements.

8.8. Other rights

In addition to the rights described above, it should be noted that Act 25 requires organisations to disclose, in advance, their use of technology that can identify, locate, or profile users, and then provide users with the means to activate the identification, location, or profiling features. 'Profiling' is defined as the collection and use of personal information to assess certain characteristics of a natural person, such as work performance, economic situation, health, personal preferences, interests, or behaviour.

Also of note, the spouse or a close relative of a deceased person may request personal information concerning the deceased if the following conditions are met:

  • knowledge of the information could help the applicant in the grieving process; and
  • the deceased person did not record in writing their refusal to grant such a right of access.

9. Penalties

The CAI has the power to impose monetary administrative penalties and to issue fines for penal offences.

Under the Quebec Private Sector Act, monetary administrative penalties may be imposed on organisations for the following reasons:

  • failure to adequately notify the individuals;
  • unlawful collection, use, disclosure, retention, or destruction of personal information;
  • failure to report a confidentiality incident;
  • failure to take the necessary security measures to ensure the protection of the personal information; and
  • failure to notify individuals concerned by a decision based exclusively on an automated process or failure to provide individuals an opportunity to submit observations.

The maximum monetary administrative penalty is CAD 50,000 (approx. €34,048) for individuals and, for businesses, the greater of CAD 10 million (approx. €6.8 million) or 2% of the previous year's worldwide turnover.

Act 25 provides that businesses may acknowledge their non-compliance with applicable laws and enter into an undertaking with the CAI to remedy the non-compliance or mitigate its consequences. If the CAI accepts such an undertaking and the business complies with it, the business may not be subject to a monetary administrative penalty with respect to the acts or omissions covered by the undertaking.

Under the Quebec Private Sector Act, the CAI may institute penal proceedings, within five years of the commission of the offence, for the following offences, among others:

  • unlawful collection, use, disclosure, retention, or destruction of personal information;
  • failure to report a confidentiality incident;
  • failure to take the necessary security measures to ensure the protection of the personal information;
  • identifying or attempting to identify a natural person using de-identified information without authorisation;
  • impeding the progress of an inquiry or inspection by the CAI or the hearing of an application by the CAI by providing it with false or inaccurate information, by failing to provide information requested by the CAI, or otherwise; and
  • failure to comply with an order of the CAI.

The fine for a penal offence ranges from CAD 5,000 (approx. €3,406) to CAD 100,000 (approx. €68,106) in the case of a natural person and, in all other cases, from CAD 15,000 (approx. €10,216) to the greater of CAD 25 million (approx. €17 million) or 4% of the organisation's worldwide turnover in the preceding fiscal year. In the event of a repeat violation, the fines are doubled.

The Quebec Private Sector Act also provides that where an individual has suffered an injury as a result of an unlawful infringement of the rights conferred by the Quebec Private Sector Act or by Sections 35 to 40 of the Quebec Civil Code, and where the violation is intentional or results from gross negligence, the court shall also award punitive damages of at least CAD 1,000 (approx. €681).

9.1. Enforcement decisions

The penal provisions of the Quebec Private Sector Act have never been enforced to date. However, the significant increase in the penalties provided (recently introduced by Act 25) sends a signal that the penal provisions may play an important role in the enforcement of Quebec's privacy law regime.

The administrative monetary penalties introduced by Act 25 are new and no enforcement decisions have yet been issued.
