This content is provided for informational purposes and does not constitute legal advice. For any decision with legal or regulatory implications, consult a lawyer or the Commission d'accès à l'information (CAI).

βš–οΈ
Legal information β€” not legal advice This content is educational and general. It does not constitute legal advice and does not assess your particular situation. Consult a lawyer or the CAI for any decision.
CHAPTERS 14–15

Myths to Debunk and Financial Sanctions

8 common myths that create a false sense of security. Followed by the sanctions regime β€” one of the strictest in Canada.

14 Β· Myths

8 myths to debunk

❌ "We're too small to be covered."
False. The law sets no size threshold. A 3-employee SMB is just as subject to it as a multinational β€” with expectations proportionate to its means.
❌ "The CAI doesn't sanction anyone, we have time."
Risky. The CAI initially took an educational stance, but has since started investigations and sanctions. A sanction can be imposed even for simple negligence, with no malicious intent required.
❌ "We have a privacy policy, so we're compliant."
Not enough. A policy without real practices (register, Privacy Officer, security, rights process) doesn't protect anyone. Compliance is operational, not just documentary.
❌ "Consent in our terms of service is enough."
False. Consent must be manifest, free, informed, for specific purposes, and requested separately. Consent buried in terms of service is not valid.
❌ "Our data is with a supplier, that's their problem."
False. The organization remains responsible and must govern the relationship by contract and, for out-of-province hosting, carry out a PIA.
❌ "We can keep the data indefinitely, just in case."
False. The law requires you to destroy or anonymize information once its purposes are fulfilled. "Just in case" retention violates the purpose-limitation principle.
❌ "If we're GDPR-compliant, we're fine with Law 25."
Partially true. The two regimes are similar but have differences (terminology, deadlines, oversight authority, de-indexing). GDPR compliance is an excellent starting point, not an automatic equivalence.
❌ "Anonymizing just means removing the name."
False. Anonymization must be irreversible according to best practices. Removing the name while keeping re-identifiable data (via cross-referencing) is de-identification β€” the data remains personal information.
15 Β· Sanctions

The two types of financial sanctions

CriterionAdministrative penalty (AMP)Penal sanction
Imposed byThe CAI directly β€” no courtThe Court of Quebec (penal prosecution)
SpeedFasterLonger judicial process
Max. β€” individualUp to $50,000Varies by offence
Max. β€” businessUp to $10M or 2% of worldwide revenue (whichever is higher)Between $15,000 and $25M or 4% of worldwide revenue
Can target executives personally?No (legal entities)Yes β€” personally
Is negligence enough?Yes β€” no malicious intent requiredMainly for serious or repeated offences
Limitation period2 years5 years
Putting it in SMB terms: for an SMB with $2M in revenue, 2% is about $40,000 β€” far from negligible, and imposable directly by the CAI without going through a court.
15.4 Β· Beyond the fines

Punitive damages and reputational risk

  • Punitive damages: in the case of an unlawful and intentional breach, a court can award damages of at least $1,000 per individual β€” opening the door to potentially very costly class actions
  • Reputational risk: lost customer trust can cost far more than the fine itself
  • Operational costs of an incident: business interruption, restoration, notification, credit monitoring, legal fees
15.5 Β· Triggers

How does a CAI investigation get triggered?

  • By complaint: an individual believes their rights were violated and contacts the CAI directly
  • By proactive inspection: the CAI reviews a sector or organization on its own initiative, often in higher-risk areas (online commerce, professional services, sensitive data)

βœ“ Sanctions checklist

  • ☐ Does management know the real financial risk (AMPs up to $10M with no court involved)?
  • ☐ Can we demonstrate our due diligence (documented evidence of our efforts)?
  • ☐ Have we assessed our exposure to a class action ($1,000/person in damages)?