Understanding Law 25 Enforcement Mechanisms

Elite Consultation · 2026-02-03
Tags: Law 25, compliance

The Commission d'accès à l'information (CAI) is the authority responsible for overseeing the application of Law 25 in Quebec. Understanding how it works in practice helps organizations calibrate their compliance approach.

The CAI's Investigation Powers

The CAI can open an investigation in two ways: on complaint from an individual, or on its own initiative. In both cases, it has the power to:

  • Request documents, policies, and internal registers
  • Interview staff members
  • Inspect IT systems (with the assistance of an expert if needed)
  • Issue binding orders

Investigations are generally triggered by reported incidents, complaints from individuals who believe their rights were not respected, or sectors the CAI identifies as presenting elevated risks.

Administrative and Penal Sanctions

The law provides for two distinct types of sanctions.

Administrative monetary penalties (AMPs) are imposed directly by the CAI. They can reach:

  • $10 million, or 2% of worldwide turnover for the preceding fiscal year (whichever is higher), for less serious infractions
  • $25 million, or 4% of worldwide turnover (whichever is higher), for more serious infractions, such as failing to notify an incident or failing to comply with an order

Penal sanctions apply in the most serious cases. They can be imposed by a court and include fines similar to AMPs, as well as potential civil remedies by affected individuals.

Personal Liability

A less-discussed aspect of the law involves the liability of directors and officers. If an organization commits an infraction and a director or officer was aware of it without taking reasonable steps to prevent it, that person may be held personally liable.

This does not mean that every breach leads to personal liability. But it underscores the importance of serious governance: the Privacy Officer must have the authority and resources to act.

The CAI's Current Approach: Education First

It's important to put these powers in their practical context. Since the first provisions came into force in 2022, the CAI's approach has been primarily educational. The Commission has published guides, guidelines, and forms to help organizations comply. It has answered questions, issued recommendations, and allowed time to correct gaps before considering enforcement measures.

The maximum penalties exist and they are significant. But the trajectory the CAI has adopted so far looks more like that of a guide than a prosecutor.

Compliance as Organizational Maturity

The best reason to comply with Law 25 is not to avoid a fine. It is to responsibly manage the information that clients, employees, and partners have entrusted to you.

An organization that handles personal data well reduces its risk exposure, builds credibility with stakeholders, and develops practices that hold up as regulations evolve. Compliance is more of an organizational insurance policy than an externally imposed constraint.

Observantia helps you document your compliance process and produce the registers the CAI might request during an inspection, including the incident register and internal policies.


This content is provided for informational purposes only and does not constitute legal advice. For questions specific to your situation, consult a qualified legal professional.
