
Law 25 penalties


Part of the Quebec Law 25 & PIPEDA Compliance series. Related: Who Must Comply With Law 25; Law 25 vs PIPEDA.

Want it handled? IT Cares — hands-on managed IT across Canada.

Law 25 penalties are among the strictest in North America: administrative monetary penalties can reach up to $10 million or 2% of worldwide turnover, while penal fines can reach up to $25 million or 4% of worldwide turnover, whichever is greater. These figures apply to serious violations and are intended to give Quebec's privacy regime real teeth. The risk of such penalties is a primary reason Quebec businesses now treat privacy compliance as a board-level priority.

The two tiers of financial penalties

Law 25 created two distinct penalty streams. The first is administrative monetary penalties, which the Commission d'accès à l'information (CAI) can impose for certain contraventions. For an enterprise, these can reach up to $10 million or 2% of worldwide turnover for the preceding fiscal year, whichever is higher.

The second stream is penal sanctions for more serious offences, prosecuted through the courts. These can reach up to $25 million or 4% of worldwide turnover, whichever is greater. The use of worldwide turnover as a benchmark, rather than a flat cap, means the potential exposure scales with the size of the organization, mirroring the approach used under the EU's GDPR and making the consequences material even for large enterprises.

What kinds of violations trigger penalties

Penalties under Law 25 are tied to failures to meet the law's obligations. Examples of conduct that can expose an organization include:

Not every misstep results in the maximum fine. The CAI considers factors such as the seriousness of the breach, whether it was deliberate, and the organization's efforts to mitigate harm. Demonstrating a genuine compliance program can reduce exposure.

Private right of action and reputational cost

Beyond regulator-imposed penalties, Law 25 introduced a private right of action. Individuals whose rights are infringed can seek damages, and where the violation is intentional or results from gross fault, punitive damages of at least $1,000 may apply. This opens the door to civil claims and potential class actions, adding a layer of risk distinct from regulatory fines.

The financial penalty is often not the largest cost of a privacy failure. A reported breach can trigger customer attrition, lost contracts, mandatory notification expenses, and lasting reputational damage. For small and mid-sized businesses, the combination of regulatory, civil, and reputational consequences can be more threatening than the headline fine figures, which is why prevention is far cheaper than remediation.

How to reduce your penalty exposure

The most reliable way to limit penalty risk is to be able to demonstrate a real, maintained compliance program rather than just policies on paper. Key protective measures include keeping a current data inventory, documenting consent, maintaining an incident register, and being able to show that reasonable security measures were in place at the time of any incident.

Technically, that means access controls, encryption, multi-factor authentication, monitored backups, and breach detection, all kept current and evidenced through logs and records. If an incident occurs, an organization that can show it acted diligently and reported promptly is in a far stronger position than one that cannot. A managed IT and cybersecurity partner helps maintain these safeguards and the supporting documentation, turning compliance from a liability into a defensible record that materially reduces the risk and size of any penalty.

FAQ

What is the maximum fine under Law 25?

Penal fines can reach up to $25 million or 4% of worldwide turnover for the preceding fiscal year, whichever is greater, for serious offences. Administrative monetary penalties can reach up to $10 million or 2% of worldwide turnover. These maximums apply to the most serious violations, not routine errors.

Can individuals sue under Law 25?

Yes. Law 25 includes a private right of action allowing individuals to seek damages when their privacy rights are infringed. Where the violation is intentional or results from gross fault, punitive damages of at least $1,000 per person may apply, which also enables potential class actions.

Will small businesses face the maximum penalties?

It is unlikely a small business would face the absolute maximums, which are designed for serious violations by large enterprises. However, smaller organizations can still face significant administrative penalties, civil claims, and notification costs. Maintaining reasonable safeguards and documentation is the best way to limit exposure.

Does reporting a breach reduce penalties?

Prompt, transparent reporting and clear evidence of diligent security measures are factors the CAI weighs when assessing penalties. An organization that detects, reports, and mitigates an incident properly is generally in a much stronger position than one that conceals or mishandles it.

Get expert help

Talk to IT Cares →