This article is part of our Bill 64 Blog Series, which will provide readers with a 360° view on Bill 64 and its sweeping amendments to Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (the “Private Sector Act”). To view other blog posts in the series, please visit this page.

An Act to Modernize Legislative Provisions Respecting the Protection of Personal Information ("Bill 64") received Royal Assent on September 22, 2021, and is set to bring significant changes to the Act Respecting the Protection of Personal Information in the Private Sector ("Private Sector Act") in Québec, which will be gradually implemented over the next three years. As part of a series of blogs aimed at guiding businesses with respect to these new obligations, this blog discusses the enforcement mechanisms introduced by Bill 64, which will have a significant impact on how privacy laws will be applied across the Province of Québec.

The amendments to the Private Sector Act include increased powers for the Commission de l’accès à l’information ("Commission") to enforce the Private Sector Act, as well as amendments that expose businesses to significant monetary penalties for violations of the Private Sector Act. Here is what your organization needs to know in order to navigate this new enforcement regime.

NEW ENFORCEMENT MECHANISMS

1. Introduction of monetary administrative penalties

One of the major changes introduced by Bill 64 is the introduction of a regime that provides for the imposition of significant monetary administrative penalties.[1] This regime will be implemented on September 22, 2023.

This regime gives the Commission the power to impose monetary administrative penalties, in order to promote the achievement of the objectives pursued by the Private Sector Act, to encourage organizations to quickly take the necessary remedial measures in the event of a failure, and to deter repetition of such failures.[2] The Commission is empowered to impose monetary administrative penalties for a very wide range of contraventions under section 90.1 of the Private Sector Act.

The Private Sector Act, as amended by Bill 64, stipulates that the decision to impose monetary administrative penalties and their amount will be assessed by the Commission based on several criteria, including:

  • The nature, seriousness, duration, and repetitiveness of failures;
  • Sensitivity of the personal information concerned;
  • The number of persons concerned and the risk of prejudice to which they are exposed;
  • The person in default’s ability to pay.[3]

An organization’s response to contraventions will also have a significant impact on the Commission’s assessment of the appropriate sanction. The Private Sector Act provides that the Commission may consider measures already taken by companies to remedy the breach or mitigate its consequences, the degree of cooperation offered to the Commission, and the compensation already offered by companies to persons whose personal information is compromised.[4]

The amount of monetary administrative penalties imposed on a company could be up to 10 million dollars, or, if greater, 2% of worldwide turnover for the preceding fiscal year. These amounts are comparable to those provided for in the European Union’s General Regulation on Data Protection ("GDPR").

Some procedural guarantees are granted to businesses. It is expected that parties will be notified before any sanction is imposed, that parties will be given the opportunity to submit observations, and that there will be a process to review the decision as well as a right to contest the decision before the Court of Québec.[5]

2. New penal provisions and significant fines

Under the current legislation, violations of the Private Sector Act by corporations can be construed as penal offences subject to fines that vary depending on the nature of the offences. For example, fines can be as high as $50,000.

The amendments made by Bill 64 incorporate important changes to this regime and significantly increase the amounts of fines for offenders. Those changes will come into force on September 22, 2023. Bill 64 grants the Commission the right to institute penal proceedings for an offence under the Private Sector Act. As such, the Commission’s attorneys may institute penal proceedings before the Court of Québec, similar to the role played by the Director of Criminal and Penal Prosecutions. These penal proceedings could lead, for corporations, to fines ranging from $15,000 to 25 million dollars, or to 4% of the previous year’s worldwide turnover if this amount is higher.[6] These amounts are doubled in the event of a subsequent offence.[7] The criteria that the judge will have to take into consideration in determining the amount of a fine were added to the latest version of Bill 64 and include, among other things, the seriousness of the offence, its intentional or negligent nature, the lack of reasonable measures taken by the company to mitigate the damages and whether the offender intended to financially benefit from the commission of the offence or by failing to take measures to prevent it.[8]

The offences that may lead to fines are listed at section 91 of the Private Sector Act and certain offences were added to the originally introduced version of Bill 64, for example, not taking the necessary security measures to ensure the protection of personal information.

These are important prosecution powers and significant amounts, and the Commission will have to develop a general framework for the application of monetary administrative penalties and specify in which cases penal proceedings will be considered appropriate rather than the imposition of a monetary administrative penalty. In fact, some of the contraventions provided for in the Private Sector Act could give rise to either an administrative monetary penalty or a fine, for example, when a company fails to report an incident to the Commission or the persons concerned.

3. Damage claim

In addition to providing for significant monetary administrative penalties and fines, Bill 64 provides that a breach of the Private Sector Act could give rise to an award of punitive damages in the event of gross fault or intentional infringement. In Québec, punitive damages can be claimed only where a statute specifically provides for them. Here, the legislator facilitates the claim for punitive damages for individuals who suffer harm as a result of a breach of the Private Sector Act. An individual may claim $1,000 or more in punitive damages in such a case. Section 93.1 of the Private Sector Act was modified between the initial version and the final version adopted last September and no longer seems to provide a statutory recourse in damages, but is rather limited to the possibility of obtaining punitive damages.

NEW FUNCTIONS, INCREASED POWERS FOR THE COMMISSION

The Private Sector Act, as amended, gives the Commission the power to impose monetary administrative penalties, to institute penal proceedings, as well as other new powers.

For example, the Commission currently has the power to conduct inspections and investigations and to recommend or direct organizations to implement certain corrective measures to ensure the protection of personal information. Following Bill 64, this power extends to the imposition of measures to protect the rights of the persons whose information is affected, including by the return of personal information to the person concerned or its destruction.[9]

The Private Sector Act as amended also confirms the injunctive powers of the Commission, which may, among other things, order a party to do something or refrain from doing something, since these decisions have the same effect as a decision rendered by the Superior Court.[10]

In addition, the Commission will be empowered to make peremptory requests enabling it to require any person, whether or not they are subject to the Private Sector Act, to produce any information or documents to verify compliance with the Private Sector Act.[11]

CONCLUSION

While the enforcement and sanction measures provided for by the various privacy laws in Canada and abroad are currently subject to major reviews and reforms, Bill 64 introduces a highly prescriptive and severe sanction and enforcement regime.

Current federal legislation - the Personal Information Protection and Electronic Documents Act - is also being revised and the recent Bill C-11, at first reading, provides for increased powers to the Privacy Commissioner of Canada and significant penalties of 10 million dollars or 3% of an organization’s gross aggregate revenues.

There is still much uncertainty as to the application of this new Québec privacy regime and its coexistence with the federal system. The application of the sanction regime in cases of breaches with cross-border repercussions will also have to be defined. It will be important to determine whether a single privacy incident could lead to fines or sanctions from several regulators, whereas the sanctions in Québec already provide for the corporation’s global revenues to be taken into account.

The major reform of privacy law in Québec imposes considerable obligations on businesses and is likely to result in significant penalties for non-compliance. Organizations would be advised to start implementing a plan to comply with the new requirements of the Private Sector Act quickly, at the dawn of a new era of privacy in the province and prior to the implementation of those enforcement provisions.