Law 25 introduced three sanction regimes that can arise from the same incident: administrative monetary penalties imposed by the Commission d'accès à l'information (CAI), penal fines after prosecution, and civil liability including punitive damages. For an SMB, the exposure is now comparable to what we see under the European GDPR: a poorly handled incident can cost hundreds of thousands of dollars, even for a 20-person business.
This chapter details each regime, the calculation criteria and the decisions already issued by the CAI.
The administrative regime — CAI monetary penalties
Cap (s. 90.1)
The Commission may impose an administrative monetary penalty up to a maximum of $50,000 for a natural person and, in any other case, $10,000,000 or, if greater, the amount corresponding to 2% of global turnover for the preceding fiscal year.
Which breaches?
Administrative penalties target failures to meet the Act's obligations, for example:
- Failure to designate a privacy officer (s. 3.1).
- Failure to adopt a governance policy (s. 3.2).
- Failure to perform a privacy impact assessment (PIA) for a project involving an information system that handles personal information (s. 3.3) or before communicating personal information outside Quebec (s. 17).
- Failure to notify the CAI and the affected persons of a confidentiality incident presenting a risk of serious injury (s. 3.5).
- Failure to obtain valid consent (s. 12–14).
- Failure to respond to an access request within 30 days (s. 32).
Grading criteria (s. 90.3)
The CAI considers in particular:
- The nature and severity of the breach.
- The duration of the breach.
- Whether it is repeated.
- The advantages gained from the breach.
- The financial capacity of the enterprise.
- The corrective measures adopted.
- The collaboration with the Commission.
In other words: an SMB that discovers a breach, reports it proactively, corrects quickly and collaborates with the CAI faces a significantly lower sanction than one that conceals it.
Process (s. 90.4–90.8)
- The CAI investigates (ex officio, on complaint or on report).
- It sends a notice of intent with the proposed amount and reasons.
- The enterprise has 30 days to submit written observations.
- Final decision, with reasons.
- Appeal to the Cour du Québec within 30 days.
The penal regime — fines after prosecution
Cap (s. 91)
Anyone who contravenes [list of sections] commits an offence and is liable to a fine of $5,000 to $100,000 for a natural person and, in any other case, $15,000 to $25,000,000 or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year.
Difference with the administrative regime
- Penal targets more severe conduct (intentional unauthorized communication, illegal collection, intentional refusal to respond, obstruction of the Commission).
- Penal requires prosecution by the Director of Criminal and Penal Prosecutions (DPCP), with a trial before the Court of Québec. The burden of proof is higher (beyond reasonable doubt), and the CAI does not decide the outcome.
- Penal and administrative are separate tracks, not cumulative for the same facts: the Act bars an administrative monetary penalty for a failure for which a statement of offence has already been served, so in practice the CAI chooses one route for a given breach. The civil remedy below remains available on top of either.
Doubling for repeat offences
For a subsequent offence (s. 91 in fine), the fines are doubled. A second conviction for a breach of the same nature therefore exposes the enterprise to twice the minimum and twice the maximum, including twice the turnover-based ceiling.
The civil remedy — punitive damages
Section 93.1
Where an infringement of a right conferred by this Act or by articles 35 to 40 of the Civil Code of Québec causes prejudice and is intentional or results from gross fault, the court awards the injured person punitive damages of at least $1,000, regardless of compensatory damages.
Key characteristics:
- Floor of $1,000 per injured person: a class action on behalf of 10,000 people therefore starts at $10M in punitive damages alone.
- Adds to compensatory damages (financial loss, moral prejudice, lost opportunity) and is awarded even if the compensatory amount is small.
- Requires intent or gross fault. Whether a given failure rises to gross fault is decided case by case, but an enterprise with no basic controls in place (no incident procedure, no access controls, no documented security measures) has little to answer that argument with.
Class actions
Quebec is a favourable forum for class actions, notably in privacy matters. Since 2023 we see more applications for authorization to institute a class action tied to Quebec data breaches. Several cases have settled for significant amounts.
Real-world sanctions already rendered by the CAI
CAI decisions are public, available on the Commission's website. Without citing specific companies, here are patterns we observe:
- Small SMBs sanctioned for failure to designate a privacy officer and publish contact details, while the business had been operating over a year.
- Data breaches not notified in time, with fines proportionate to the duration of silence.
- Invalid consent obtained via pre-checked boxes, corrected under order.
- Transfers outside Quebec without a documented PIA, with obligation to produce one and suspend transfers in the meantime.
The CAI has announced that it will step up enforcement in the coming years. The first three years (2022–2025) were mostly educational, with many opinions and orders rather than penalties. From 2026 onward, we expect monetary penalties to rise in both number and amount.
Who bears the responsibility?
The enterprise, first
Sanctions target the enterprise (the legal person). The president and directors are generally not personally liable, with some exceptions. On the penal side, the Act deems a director or officer who ordered, authorized or consented to an offence committed by the legal person to be a party to that offence. More generally, personal exposure arises in cases of:
- Personal gross fault.
- Complicity in an intentional act.
- False statement to the privacy officer or to the CAI.
- Breach of fiduciary duty (for share-corporation directors).
The privacy officer
The privacy officer is not personally sanctionable under Law 25 for enterprise breaches. Their liability is internal (toward the employer), not regulatory.
Vendors
An IT vendor (like us) can share liability if:
- They themselves committed a breach (vendor-side leak).
- They refused to cooperate on an access request or incident notification.
- They exceeded the contractual mandate (using data for their own purposes).
Our client contracts explicitly provide for segregation of Law 25 responsibilities and commit us to act solely for the mandate.
Quick checklist — reduce exposure
- Written designation of a privacy officer, contact details published.
- Governance policy published and dated.
- PIAs documented for all transfers outside Quebec.
- Incident register kept, even for minor incidents.
- Written incident-management procedure, tested at least once.
- Annual team training on Law 25.
- Vendor contracts aligned with Law 25 requirements.
- Cyber insurance covering administrative sanctions and defence costs.
Common mistakes that worsen sanctions
- Trying to conceal an incident. — Concealment = aggravation. The CAI weighs bad-faith cases heavily.
- Refusing to collaborate with the CAI. — Cooperation is an explicit mitigation factor.
- Not documenting. — Without documentation, due diligence cannot be shown. The CAI presumes the worst.
- Delegation without authority. — If the privacy officer can't correct, responsibility climbs back to senior leadership with heavier consequences.
Questions to ask your legal counsel
- Does our cyber insurance cover CAI administrative penalties (not automatically — some policies exclude fines)?
- Do we have class-action exposure (customer-base size × data sensitivity)?
- In a CAI investigation, what is our communication protocol with the Commission?
- Are our directors personally exposed in some scenarios?
Question about this guide?
Pascal and Jérémie can answer directly by email or during a discovery call.