Law 25 Fines: Understanding the Real Penalty Calculations for Your Firm
When Law 25 refers to penalties "up to $10M or 2% of global revenue," the word "or" means whichever amount is greater. It's not a choice between two options. It's an alternative ceiling mechanism written directly into the legislation. The same principle applies to criminal fines: $25M or 4% of global revenue, whichever is greater.
But for a mid-sized financial services firm, these astronomical figures don't tell the whole story. The real financial risk for an SMB isn't a $10 million administrative penalty. It's the private class action, with a mandatory floor of $1,000 per affected person, which can exceed your annual revenue in a matter of weeks.
Here's how it all works in practice.
The "Or" Always Means Whichever Is Greater
Section 90.1 of the Act respecting the protection of personal information in the private sector (PPIPS) provides for administrative monetary penalties (AMPs) of up to "$10,000,000 or the amount corresponding to 2% of worldwide turnover for the preceding fiscal year, if the latter amount is greater."
Section 92 provides for criminal fines of up to "$25,000,000, or the amount corresponding to 4% of worldwide turnover for the preceding fiscal year, whichever is greater."
The wording is unambiguous. The fixed amount serves as a baseline threshold. The revenue percentage replaces it only when it's higher. This interpretation is unanimous among Canadian law firms (Osler, McCarthy Tétrault, Fasken, BLG) and confirmed by the CAI itself.
In practice, the percentage only exceeds the fixed amount for very large companies. For AMPs, the tipping point is at $500M in revenue (2% of $500M = $10M). For criminal fines, you need $625M in revenue (4% of $625M = $25M).
To illustrate the magnitude of the change: during the 2019 Desjardins breach, the old 1993 law provided penalties so "ridiculous" (the word used by CAI president Diane Poitras) that the Commission didn't even bother to impose them. The maximum for a first offense was approximately $10,000. Under Law 25, with $18 billion in revenue, Desjardins would face a theoretical maximum of 4% of global revenue, or $720 million. From $10,000 to $720,000,000. That's the difference.
Three Distinct and Cumulative Enforcement Paths
Law 25 doesn't provide just one type of penalty, but three independent paths. Each has its own bodies, procedures, and caps. Most importantly, they can be cumulated.
1. Administrative Monetary Penalties (AMPs)
Who imposes them: The Commission d'accès à l'information (CAI), through a designated person from the Surveillance Division.
Cap: $10M or 2% of global revenue (whichever is greater) for companies. $50,000 for individuals.
Process: The CAI first sends a non-compliance notice. The company can submit observations or propose a commitment (corrective measures). If the commitment is accepted and honored, no AMP is imposed. Otherwise, the CAI issues a claim notice with the amount. The company can request an internal review (within 30 days), then appeal to the Court of Québec (within the following 30 days).
Limitation period: 2 years from the violation.
Statutory sections: 90.1 to 90.17 PPIPS.
2. Criminal Fines
Who imposes them: The Court of Québec, on prosecution initiated by the CAI.
Cap: $25M or 4% of global revenue (whichever is greater) for companies. $5,000 to $100,000 for individuals.
Important detail: Fines are doubled for repeat offenses (section 92). Furthermore, section 93 provides for the personal liability of directors and officers who authorized or acquiesced in the offense.
Limitation period: 5 years.
Offenses covered: A broader spectrum than AMPs, including obstruction of CAI investigations, non-compliance with its orders, and attempts to re-identify de-identified or anonymized data.
3. Private Right of Action
Who exercises it: Any person who is a victim of an unlawful infringement of their rights (section 93.1 PPIPS).
Mandatory floor: The court must award punitive damages of at least $1,000 per person. This is a minimum, not a maximum.
Conditions: The infringement must be intentional or result from gross fault. The plaintiff must demonstrate actual harm and a causal link.
Class actions: Expressly permitted.
Cumulation: This right is independent of AMPs and criminal fines. A firm can receive an AMP from the CAI, a criminal fine from the Court, and a class action for the same facts.
Concrete Example: A Firm With $500,000 in Annual Revenue
Take a financial advisory firm with annual revenue of $500,000, common in Quebec.
The cap calculations:
For AMPs: 2% of $500,000 = $10,000. Since the fixed cap of $10M is greater, the theoretical cap remains $10M.
For criminal fines: 4% of $500,000 = $20,000. The theoretical cap remains $25M.
But in practice, the firm doesn't risk $10M. The CAI's General Framework for Applying AMPs, published on May 23, 2023, provides base amounts by severity: from $1,000 (minor violation) to $15,000 (very serious violation) for a company. These amounts are then adjusted based on ten criteria, including ability to pay (assets, revenue, income). Norton Rose Fulbright notes that a $10M AMP should only arise "in exceptional circumstances."
For a firm with $500K in revenue, a realistic AMP for a serious violation (e.g., failure to report a confidentiality incident) would likely range from a few thousand to tens of thousands of dollars.
The real danger lies elsewhere.
If that same firm manages 2,000 client files and a breach occurs through gross fault (complete absence of a privacy policy, no security measures, a known incident ignored), each affected client can claim a minimum of $1,000 in punitive damages. The theoretical class action exposure: 2,000 × $1,000 = $2,000,000. Four times the firm's annual revenue.
AMPs take into account the ability to pay. Class actions know no such limit.
The 10 Criteria the CAI Uses to Determine AMP Amounts
The CAI doesn't set AMPs arbitrarily. Its General Framework, published in May 2023, structures the determination in two steps.
Step 1: Categorize severity. Four levels (A, B, C, D) with a base amount for each. For a company: $1,000 (minor) to $15,000 (very serious).
Step 2: Adjust based on 10 criteria.
1. The nature and objective severity of the violation
2. Its repetitive character
3. Its duration
4. The sensitivity of the information affected
5. The number of individuals concerned
6. The risk of serious harm
7. Measures taken to remedy the violation
8. The degree of cooperation with the CAI
9. Compensation offered to affected individuals
10. The entity's ability to pay
These criteria work both ways. A firm that responds quickly, cooperates with the CAI, compensates affected individuals, and demonstrates good faith will see its amount reduced. A firm that ignores warnings, conceals an incident, or refuses to cooperate will see the amount increased.
For Criminal Fines, 8 Distinct Factors
Section 92.1 requires the Court of Québec judge to consider eight specific factors when setting the fine:
1. The nature, severity, repetitive character, and duration of the offense
2. The sensitivity of the information
3. The intentional character or negligence
4. The foreseeability of the offense
5. Attempts at concealment
6. Failure to take reasonable preventive measures
7. Having increased revenues or reduced expenses through the offense
8. The number of individuals exposed to the risk of harm
Factor 7 is particularly relevant for firms: if a judge determines you saved money by not implementing required protection measures, that will count against you.
Where Enforcement Stands as of Early 2026
Since penalties came into force in September 2023, the CAI has not yet imposed any publicly disclosed AMP. Its initial approach has been educational and supervisory. No criminal prosecutions under the new regime have been reported either.
This doesn't mean the CAI is inactive. Increasingly formal non-compliance notices are being issued. Orders have been rendered, notably against the use of facial recognition in the workplace (Transcontinental Printing, September 2024) and a facial recognition project in retail stores (Metro, 2024-2025).
Several law firms (Osler, BLG, DLA Piper) describe the regime as "fully operational" and note that enforcement activity is progressively intensifying. The trajectory mirrors the early years of the European GDPR (2018-2019), where authorities initially focused on guidance before ramping up with record penalties. In Europe, cumulative fines now exceed €5.65 billion.
The message is clear: just because penalties haven't been imposed yet doesn't mean they won't be. The tools are in place. The question isn't "if," but "when."
What This Means for Your Firm
Three reflexes to adopt:
1. Document everything. Cooperation with the CAI and corrective measures taken are explicit mitigating factors in the General Framework. In the event of an incident, your first reflex should be to document what happened, what you did to fix it, and when.
2. Assess your class action exposure. Count your active and former client files. Multiply by $1,000. That's your theoretical minimum exposure in case of gross fault. This number should motivate your compliance investments more than any AMP cap.
3. Choose compliant vendors. Your responsibility doesn't stop at your walls. If a technology vendor causes a breach because they lack adequate security measures, it's you who faces the class action from your clients. Certifications like SOC 2 Type II, ISO 27001, and ISO 27701, combined with data residency in Canada, significantly reduce this risk.
---
*This article is part of a series on Law 25 and compliance for financial services firms. See also:*
- *[Quebec's Law 25: What Every Financial Advisor Needs to Know in 2026](/blog/quebec-law-25-guide-financial-advisors)*
- *[The 7 Law 25 Obligations Your Firm Must Meet Now](/blog/law-25-obligations-financial-firm)*
- *[Law 25 Class Actions: The Financial Risk Small Firms Underestimate](/blog/law-25-class-action-risk-small-firms)*
- *[How to Evaluate Whether Your Tech Vendors Are Law 25 Compliant](/blog/law-25-vendor-compliance-evaluation)*
Frequently Asked Questions
Can my firm really receive a $10 million fine under Law 25?
In theory, the AMP cap is $10M. In practice, the CAI's General Framework provides much lower base amounts ($1,000 to $15,000) adjusted for ability to pay. A $10M AMP would only be considered in exceptional circumstances for large companies. For a small firm, the most significant financial risk is the private class action, not AMPs.
Can the three types of Law 25 penalties be cumulated for the same facts?
The private class action is always cumulative with AMPs and criminal fines. The only non-cumulation rule is between AMPs and criminal prosecutions for the same facts: the CAI must choose one or the other. But a firm can receive an AMP for certain violations, a criminal fine for others, and a class action for all of them.
Which revenue figure is the percentage calculated on?
The legislation refers to "worldwide turnover for the preceding fiscal year." The word "worldwide" means all revenue everywhere in the world, not just in Quebec or Canada. The calculation is based on the fiscal year immediately preceding the penalty.
What constitutes "gross fault" that triggers the private right of action?
Gross fault is gross negligence, a serious failure to meet basic obligations. In the context of a financial firm, this could include a complete absence of a privacy policy, no security measures on client data, ignoring a known confidentiality incident, or transmitting sensitive data without any protection. The bar is higher than simple error, but lower than malicious intent.