Now this May Hurt: The CAI’s General Framework on Monetary Administrative Penalties
This article is part of our Law 25 Blog Series, which will provide readers with a 360° view on Law 25 (formerly known as Bill 64) and its sweeping amendments to Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (“Private Sector Act” or “Act”). To view other blog posts in the series, please visit this page. We have also put together a comprehensive toolkit for businesses looking for resources to understand and ensure that they are compliant with Law 25. This toolkit can be found here.
Introduction
On September 22, 2023, most of the new provisions of the Private Sector Act introduced by the Act to Modernize Legislative Provisions respecting the Protection of Personal Information (“Law 25”) will enter into force. One of the fundamental changes to the Act will be the newfound powers of the Commission d’accès à l’information du Québec (“CAI”) to issue monetary administrative penalties (“MAPs”). The Quebec legislator has taken a decidedly GDPR-like[1] approach: for organizations[2], the new MAP amounts can be as high as the greater of $10,000,000 or 2% of the previous year’s worldwide turnover for any failure to comply with the obligations of the Private Sector Act. For individuals, the maximum amount is $50,000.
The CAI has partly lifted the veil on how it will wield its new powers with the issuance of a new General Framework for the Application of MAPs[3] (“General Framework”) on May 23, 2023. Following our previous publications on Law 25, this blog provides a recap of the process and criteria that the CAI will use to impose MAPs, its new categorisation of MAPs, and the mitigating and aggravating factors considered in imposing them.
A Recap
- What Law 25 Says
With Section 90.2 of the Act, the Quebec legislator empowered the CAI to develop a “general framework” that sets out the intended purposes of MAPs as well as the criteria to guide their imposition. According to the Act, those criteria must at a minimum include:
- The nature and objective seriousness of the violation, risk of harm to individuals, and measures taken to remedy the breach;
- The repetitive nature and duration of the breach, sensitivity of personal information, and number of individuals affected; and
- The ability to pay of the person in default and the compensation it offered to the individuals affected by the failure.
Based on this guidance, the General Framework specifies that the CAI will pursue two objectives in imposing MAPs: (1) incite the person in default to take rapid corrective measures; and (2) deter recidivism. It does not, however, add to the list of criteria included in the Act.
- Procedures for Imposing MAPs
The General Framework restates the process set out in the Act. When deciding whether to impose MAPs, the CAI, acting through a designated person (the director of the CAI’s Surveillance Section), will follow a specific procedure. First, the CAI will provide a notice of non-compliance informing the individual or organization (“person”) of their non-compliance with the Private Sector Act. The defaulting person will then be given the opportunity to take immediate action to remedy the violation.
Following a notice of non-compliance, the CAI may formally impose MAPs by notification of a notice of claim, which will include the penalty amount and the CAI’s reasoning. Nonetheless, a defaulting person is provided with certain rights. For instance, the defaulting person will have the right to request a review of the decision and the right to contest the reviewed decision before the Court of Quebec. Figure 1 below summarises the process for imposing MAPs:
Figure 1: Procedure for imposing MAPs
It should be noted that the time limits to request a review of a decision, whether by the CAI or by the Court of Quebec (30 days from the notification of the notice of claim or of a decision), are quite short and will require proactiveness from organizations subject to the MAPs process in order to preserve their rights. On the other hand, the CAI has two years from the date of a violation to impose any MAPs; after that, such action is prescribed (s. 90.10).
- Penal Sanctions
As noted in a previous publication, Law 25 also grants the CAI the power to institute penal proceedings for offences set out in Section 91 of the Act (which are broadly defined and include the processing of personal information in contravention of the Private Sector Act, the failure to report a confidentiality incident and the failure to comply with an order of the CAI).[4] In imposing penal sanctions, the judge will take into account various factors, including the seriousness of the offence, the sensitivity of the information and the intention of the defaulting person. For organizations, penal fines under Law 25 will range from $15,000 to $25 million, or 4% of the previous year’s worldwide turnover if this amount is higher.[5]
The General Framework provides insights as to when the CAI intends to take the route of penal proceedings. Mainly, it will do so when the consequences of the contravention of the Private Sector Act are serious, notably given its gravity, the vulnerability of the individuals concerned and the sensitivity of the information involved. Other factors will include the failure by the defaulting person to remedy the breach, intent or negligence, as well as whether the defaulting person has obstructed the work of the CAI.
Categorisation of MAPs, More Power Granted to the CAI
The General Framework sets base amounts for infractions of varying gravity. The CAI uses a two-step process to decide on the penalties.
The severity of the non-compliance is categorised into four levels: (A) minor, (B) moderate, (C) serious, and (D) very serious. Such categorisation serves to indicate the base amount imposed for non-compliance, as shown in the table below, which we reproduce from the General Framework:
Table 1: Base Amount for MAPs

| Category | Individuals | Organizations |
|---|---|---|
| A[6] | $500 | $1,000 |
| B[7] | $1,500 | $4,000 |
| C[8] | $3,000 | $8,000 |
| D[9] | $5,000 | $15,000 |
Following the initial categorization, the CAI can increase or decrease the base amount according to aggravating and mitigating factors, including the nature and objective seriousness of the non-compliance, the risk of harm to individuals, and the sensitivity of the personal information involved. Consequently, the base amounts are not minimum amounts (i.e. a MAP may be lower than the relevant base amount listed in Table 1 if sufficient mitigating factors are present). Conversely, where aggravating factors are present, penalties can be significant, reaching, in the case of an organization, $10,000,000 or 2% of worldwide turnover for the previous year, whichever is greater.
Conclusion
The entry into force of the bulk of Law 25’s amendments to the Private Sector Act in September 2023 will increase compliance risks for organizations dealing with personal information, not the least because of the introduction of significant monetary penalties. The General Framework provides much needed guidance on the CAI’s potential assessment of non-compliance, but significant uncertainty remains as to what will trigger the imposition of the harsher penalties.
To learn more about how our Cyber/Data Group can help you navigate the privacy and data landscape, please contact national co-leaders Charles Morgan and Daniel Glover.
[1] “GDPR” means the General Data Protection Regulation.
[2] i.e. all other cases than natural persons.
[3] The General Framework for the application of administrative monetary sanctions (French: Le Cadre général application des sanctions pécuniaires), published on May 23, 2023, is only available in French on the CAI’s official website.
[4] Amended Private Sector Act, sections 91 – 93.
[5] Amended Private Sector Act, section 91.
[6] “A minor breach, generally of an administrative nature, whose anticipated consequence is either none or minor.” [Translated]
[7] “Moderate breach related to non-compliance with the rules governing the protection of personal information, whose anticipated consequence is moderate.” [Translated]
[8] “A serious breach which, due to its nature, is detrimental to the general objectives of personal information protection, with an anticipated major consequence.” [Translated]
[9] “A very serious breach that undermines the integrity of personal information protection, with an anticipated major, real and/or irreparable consequence.” [Translated]