CHAPTERS 14β15
Myths to Debunk and Financial Sanctions
8 common myths that create a false sense of security. Followed by the sanctions regime β one of the strictest in Canada.
14 Β· Myths
8 myths to debunk
β "We're too small to be covered."
False. The law sets no size threshold. A 3-employee SMB is just as subject to it as a multinational β with expectations proportionate to its means.
β "The CAI doesn't sanction anyone, we have time."
Risky. The CAI initially took an educational stance, but has since started investigations and sanctions. A sanction can be imposed even for simple negligence, with no malicious intent required.
β "We have a privacy policy, so we're compliant."
Not enough. A policy without real practices (register, Privacy Officer, security, rights process) doesn't protect anyone. Compliance is operational, not just documentary.
β "Consent in our terms of service is enough."
False. Consent must be manifest, free, informed, for specific purposes, and requested separately. Consent buried in terms of service is not valid.
β "Our data is with a supplier, that's their problem."
False. The organization remains responsible and must govern the relationship by contract and, for out-of-province hosting, carry out a PIA.
β "We can keep the data indefinitely, just in case."
False. The law requires you to destroy or anonymize information once its purposes are fulfilled. "Just in case" retention violates the purpose-limitation principle.
β "If we're GDPR-compliant, we're fine with Law 25."
Partially true. The two regimes are similar but have differences (terminology, deadlines, oversight authority, de-indexing). GDPR compliance is an excellent starting point, not an automatic equivalence.
β "Anonymizing just means removing the name."
False. Anonymization must be irreversible according to best practices. Removing the name while keeping re-identifiable data (via cross-referencing) is de-identification β the data remains personal information.
15 Β· Sanctions
The two types of financial sanctions
| Criterion | Administrative penalty (AMP) | Penal sanction |
|---|---|---|
| Imposed by | The CAI directly β no court | The Court of Quebec (penal prosecution) |
| Speed | Faster | Longer judicial process |
| Max. β individual | Up to $50,000 | Varies by offence |
| Max. β business | Up to $10M or 2% of worldwide revenue (whichever is higher) | Between $15,000 and $25M or 4% of worldwide revenue |
| Can target executives personally? | No (legal entities) | Yes β personally |
| Is negligence enough? | Yes β no malicious intent required | Mainly for serious or repeated offences |
| Limitation period | 2 years | 5 years |
Putting it in SMB terms: for an SMB with $2M in revenue, 2% is about $40,000 β far from negligible, and imposable directly by the CAI without going through a court.
15.4 Β· Beyond the fines
Punitive damages and reputational risk
- Punitive damages: in the case of an unlawful and intentional breach, a court can award damages of at least $1,000 per individual β opening the door to potentially very costly class actions
- Reputational risk: lost customer trust can cost far more than the fine itself
- Operational costs of an incident: business interruption, restoration, notification, credit monitoring, legal fees
15.5 Β· Triggers
How does a CAI investigation get triggered?
- By complaint: an individual believes their rights were violated and contacts the CAI directly
- By proactive inspection: the CAI reviews a sector or organization on its own initiative, often in higher-risk areas (online commerce, professional services, sensitive data)
β Sanctions checklist
- β Does management know the real financial risk (AMPs up to $10M with no court involved)?
- β Can we demonstrate our due diligence (documented evidence of our efforts)?
- β Have we assessed our exposure to a class action ($1,000/person in damages)?