Law 25: Penalties for Privacy Breaches Increase


Wendy J. Wagner, Melissa Tehrani, Jasmine Samra and Christopher Oates. Source: Gowling WLG website

When Bill 25 comes into force in Quebec on September 22, 2022, companies that fail to report a privacy incident face fines of up to $25M.

As companies doing business in the province prepare to comply with the new legislation, Gowling WLG has chosen to prepare a series of articles and other resources to guide and inform organizations about to take turn. This text is one of them.

If an organization has reason to believe that a confidentiality incident involving personal information has occurred, it must take reasonable measures to reduce the risk of harm being caused and to prevent new incidents of the same nature from occurring. .

Organizations must immediately notify the Commission d’accès à l’information (the “CAI”) and any person whose data is affected by a confidentiality incident involving personal information which “presents a risk that serious harm may be caused », as well as any person or organization that could reduce this risk. The content of the notice will be specified by a regulation which will come into force on September 22, 2022.

Organizations will be required to keep a record of all privacy incidents.

Under a draft regulation on the subject, this register must be kept for five years from the date on which the organization becomes aware of the incident, which constitutes a change from the two-year period. required by federal privacy law for the private sector (the Personal Information Protection and Electronic Documents Act or “PIPEDA”).

Again, an organization that fails to report a privacy incident to the CAI or any relevant person could face unprecedented criminal and administrative monetary penalties, including fines of up to $25 million (or, if greater, the amount corresponding to 4 percent of the worldwide turnover of the preceding fiscal year), or administrative monetary penalties of up to $10 million (or, if greater, 2 percent of the worldwide turnover of the previous fiscal year).

The Act also provides for the award of punitive damages of at least $1,000 for infringements that cause injury and that are intentional or result from gross negligence.

About the authors

Christopher Oates is an associate lawyer at Gowling WLG based in Toronto. He practices in the Advertising and Product Regulatory Group. His practice includes advising clients on privacy and consumer protection law, including drafting and reviewing privacy policies and advice on privacy in the context of financial institutions, social media, and more.

Jasmine Samra is a lawyer in the Toronto office of Gowling WLG. She advises clients on a wide range of privacy and cybersecurity issues in a variety of industries. She holds a Bachelor of Laws from Western University and a Bachelor of Science from McMaster University.

Melissa Tehrani is a partner in Gowling WLG’s Montreal office and head of the firm’s National Advertising and Regulatory Group. Practicing in the field of advertising, marketing and regulatory affairs, this lawyer advises national and multinational companies in the e-commerce, retail, financial services, automotive and telecommunications industries.

Wendy J. Wagner is a partner in the Ottawa office of Gowling WLG. She leads the firm’s Privacy and Data Protection group. His practice focuses on international trade law, as well as privacy protection, access to information and defamation.


Leave a Comment