What is the scope of An Act respecting the protection of personal information in the private sector1 (the "Private Sector Act")?
The Private Sector Act2 applies to any enterprise (within the meaning of the third paragraph of article 1525 of the Civil Code of Québec) that, in the course of its activities, collects, uses, communicates or retains personal information, even in certain cases without an establishment in Québec. Conversely, it will probably not apply to a business located in Québec that does not have employees and that does business without processing the personal information of Quebecers. This is ultimately a factual issue that may require legal advice.
What are the differences between privacy and health information protection?
Most provinces in Canada have specific legislation on the protection of personal health information. In Québec, several general laws govern health information, including the Private Sector Act and the Act respecting Access to documents held by public bodies and the Protection of personal information3 (the "Access Act"), which provide additional protection for health information as "sensitive" personal information. For example, the Private Sector Act provides that the use of sensitive personal information for an undisclosed purpose at the time of collection must be subject to express consent.4
On December 7, 2022, the ministre de la Cybersécurité et du Numérique tabled Bill 3, An Act respecting health and social services information and amending various legislative provisions ("Bill 3"), to create a unified regime for health information held by health and social service organizations.
To learn more on Bill 3, see our bulletin The New and the Familiar: Changes to Health Information.
What is personal information?
Law 25 defines personal information as any information which relates to a natural person and allows that person to be directly or indirectly identified.5 For example, an identification number (such as an employee number), name, mailing address, email address or banking information may constitute personal information. Certain personal information is considered more sensitive and thus requires stronger security measures6 and stricter consent protocols.7
As of September 22, 2023, personal information that relates to the performance of an individual's duties within a company, such as their name, title and position, as well as their professional address, email address and telephone number, will be excluded from the application of the collection of personal information and confidentiality sections of the Private Sector Act,8 along with public information as defined in the Act.9
In practice, what measures are recommended for municipalities to comply with Law 25?
As public bodies, municipalities are subject to the Access Act.10 The Union des municipalités du Québec (UMQ) has developed a guide for certain municipalities on the implementation of the obligations of Law 25.11 The Access to information and the protection of personal information department of the Ministère du Conseil exécutif du Québec has posted a guide on the key elements for implementing the obligations of Law 25, which comes into effect September 2022 for the municipal sector.12
What are the changes in terms of corporate sanctions?
Law 25 introduces much greater penalties for companies in the Private Sector Act. The biggest difference is in the fine caps. For the penal regime, fines have jumped from a few tens of thousands of dollars to a maximum of $25 million or 4% of the previous fiscal year's worldwide turnover, whichever is greater.13
In addition to the penal regime, the Private Sector Act also introduced an administrative monetary penalty (an "AMP") regime to provide more flexibility to the CAI in issuing penalties, similar to the federal regime under Canada's anti-spam legislation.14 The maximum amount of the administrative monetary penalty is the greater of $10 million or 2% of global sales for the preceding fiscal year.15 Following the discovery of a breach, a company may, at any time, undertake to the CAI to take the necessary steps to remedy the breach or mitigate its consequences.16 If the CAI accepts the undertaking and the company complies, the company can avoid an AMP.17 The CAI must publish guidelines for the application of AMPs.18
1. For the purposes of this bulletin, all legislative references must be read as incorporating the amendments introduced by An Act to modernize legislative provisions as regards the protection of personal information, S.Q. 2021, c. 25 ("Law 25"), which come into effect in several phases. For a reminder of the different effective dates, see the Annotated Private Sector Act or the Annotated Access Act (Available in French only).
2. CQLR, c. P-39.1.
3. CQLR, c. A-2.1.
4. Private Sector Act, s. 12.
5. Private Sector Act, s. 2.
6. Private Sector Act, s. 10.
8. Private Sector Act, Divisions II and III.
9. This personal information is already excluded, see s. 1 para. 5.
10. Access Act, s. 3.
11. The UMQ's application guide for municipalities and sample documents are available in the "Guides" tab of the "Legal Affairs" section of the UMQ online portal: umq.en1clic.ca.
12. Access to Information and Privacy Branch in collaboration with the Communications Branch, "Key elements for implementing the obligations of the Act to modernize legislative provisions as regards the protection of personal information", online: https://cdn-contenu.quebec.ca/cdn-contenu/adm/min/conseil-executif/publications-adm/acces-information/organismes_municipaux/elements-cles-application-loi-prp.pdf?1671051418 (In French only).
13. Private Sector Act, s. 91.
14. S.C. 2010, c. 23.
15. Private Sector Act, s. 90.12.
16. Private Sector Act, s. 90.1 para. 2.
17. Private Sector Act, s. 90.1 para. 3.
18. Private Sector Act, s. 90.2.