Quebec stands out with its unique approach to regulating the activities of "personal information agents" – those who, on a commercial basis, establish files containing personal information. Law 25 (also known as "Bill 64") solidifies this concept by specifying the notification requirements for these agents, strengthening their specific obligations and significantly increasing penalties for non-compliance. Here's an overview of this one-of-a-kind regime.

1. Notification requirements

Under the Act Respecting the Protection of Personal Information in the Private Sector (the "Quebec Privacy Act"), a personal information agent is defined as "any person who, on a commercial basis, personally or through a representative, establishes files on other persons and prepares and communicates to third parties credit reports bearing on the character, reputation or solvency of the persons to whom the information contained in such files relates is a personal information agent." This definition is based on three cumulative criteria, which are not always easy to assess: carrying on an enterprise in Quebec, establishing files on other persons on a commercial basis, and preparing and communicating credit reports to third parties concerning the character, reputation or solvency of those persons.

The Commission d’accès à l’information du Québec (the "Commission") considers the following enterprises likely to qualify as personal information agents:

  • Collection agencies, whether or not they hold a license from the Office de la protection du consommateur;
  • Investigation agencies holding a license from the Bureau de la sécurité privée under the Private Security Act;
  • Credit bureaus;
  • Subsidiaries of a financial group that collect personal information and prepare and transmit credit reports on other persons to the commercial entities within the group; or
  • Check authorization services.

Any personal information agent must register with the Commission by completing a registration form and paying a fixed fee. The form must include specific information, such as the identity and contact information of the agent, details on the person responsible for the protection of personal information, operational details and the security measures in place. Personal information agents are also required to inform the Commission of any changes or cessation of their activities within a prescribed time.

2. Additional obligations

  • In addition to the general obligations stemming from the Quebec Privacy Act, personal information agents are subject to additional obligations, such as:

    Ensuring that the personal information they hold is up to date and compliant with the law;
  • Allowing persons to access and correct their data if necessary;
  • Informing the public about the personal information held and the associated rights;
  • Ensuring the confidentiality and security of personal information; and
  • Destroying personal information collected more than seven years ago, unless an exception applies.

3. Enforcement

Personal information agents are subject to a reinforced and unique penalty regime. Any failure to meet the additional obligations described above may result in:

  • Monetary administrative penalties of up to $10 million or two per cent of the agent’s worldwide turnover for the preceding fiscal year, whichever is higher;
  • Penal sanctions ranging from $15,000 to $25 million, or four per cent of their worldwide turnover, with a doubling of fines in the case of subsequent offences.

Moreover, directors and officers can also be held personally liable, and punitive damages of at least $1,000 may be imposed in cases of intentional infringement or gross fault under the Quebec Privacy Act.

For any questions, including those on how this framework applies to your activities or the registration process, do not hesitate to contact our Cyber Security & Data Protection Group.