What is the scope of An Act respecting the protection of personal information in the private sector[1] (the “Private Sector Act”)?

The Private Sector Act[2] applies to any enterprise (within the meaning of the third paragraph of article 1525 of the Civil Code of Québec) that, in the course of its activities, collects, uses, communicates or retains personal information, even in certain cases without an establishment in Québec. Conversely, it will probably not apply to a business located in Québec that does not have employees and that does business without processing the personal information of Quebecers. This is ultimately a factual issue that may require legal advice.

What are the differences between privacy and health information protection?

Most provinces in Canada have specific legislation on the protection of personal health information. In Québec, several general laws govern health information, including the Private Sector Act and the Act respecting Access to documents held by public bodies and the Protection of personal information[3] (the “Access Act”), which provide additional protection for health information as “sensitive” personal information. For example, the Private Sector Act provides that the use of sensitive personal information for an undisclosed purpose at the time of collection must be subject to express consent.[4]

On December 7, 2022, the ministre de la Cybersécurité et du Numérique tabled Bill 3, An Act respecting health and social services information and amending various legislative provisions (“Bill 3”), to create a unified regime for health information held by health and social services organizations.

To learn more on Bill 3, see our bulletin The New and the Familiar: Changes to Health Information.

What is personal information?

Law 25 defines personal information as any information which relates to a natural person and allows that person to be directly or indirectly identified.[5] For example, an identification number (such as an employee number), name, mailing address, email address or banking information may constitute personal information. Certain personal information is considered more sensitive and thus requires stronger security measures[6] and stricter consent requirements.[7]

As of September 22, 2023, personal information that relates to the performance of an individual's duties within a company, such as their name, title and position, as well as their professional address, email address and telephone number, is excluded from the sections of the Private Sector Act on the collection and confidentiality of personal information,[8] along with public information as defined in the Act.[9]

In practice, what measures are recommended for municipalities to comply with Law 25?

As public bodies, municipalities are subject to the Access Act.[10] The Union des municipalités du Québec (UMQ) has developed a guide for certain municipalities on the implementation of the obligations of Law 25.[11] The Access to information and the protection of personal information department of the Ministère du Conseil exécutif du Québec has posted a guide on the key elements for implementing the obligations of Law 25 that came into effect in September 2022 for the municipal sector.[12]

What are the changes in terms of corporate sanctions?

Law 25 introduces much greater penalties for companies under the Private Sector Act. The biggest difference is in the fine caps. Under the penal regime, maximum fines have jumped from a few tens of thousands of dollars to $25 million or 4% of worldwide turnover for the preceding fiscal year, whichever is greater.[13]

In addition to the penal regime, the Private Sector Act also introduces an administrative monetary penalty (“AMP”) regime to give the CAI more flexibility in issuing penalties, similar to the federal regime under Canada's anti-spam legislation.[14] The maximum administrative monetary penalty is the greater of $10 million or 2% of worldwide turnover for the preceding fiscal year.[15] Following the discovery of a breach of the Act, a company may, at any time, undertake to the CAI to take the necessary steps to remedy the breach or mitigate its consequences.[16] If the CAI accepts the undertaking and the company complies with it, the company can avoid an AMP.[17] The CAI must publish guidelines for the application of AMPs.[18]