ARTICLE
24 June 2026

The CAI’s 2026 Quinquennial Report And Its Implications For Québec’s Private Sector

GW
Gowling WLG

Contributor

Gowling WLG logo
Gowling WLG is an international law firm built on the belief that the best way to serve clients is to be in tune with their world, aligned with their opportunity and ambitious for their success. Our 1,400+ legal professionals and support teams apply in-depth sector expertise to understand and support our clients’ businesses.
Explore Firm Details
In June 2026, Québec’s Commission d’accès à l’information (CAI) published its quinquennial report, titled Transparence et vie privée : protéger la démocratie à l’ère numérique.
Canada Quebec Privacy
Nayla El Zir,Nawal Sassi, and Antoine Guilmain
Your Author LinkedIn Connections
Nayla El Zir’s articles from Gowling WLG are most popular:
  • with readers working within the Insurance industries
Gowling WLG are most popular:
  • within Wealth Management and Compliance topic(s)
  • with Senior Company Executives, HR and Inhouse Counsel

With contributions from Jasmine Basma Saad

In June 2026, Québec’s Commission d’accès à l’information (CAI) published its quinquennial report, titled Transparence et vie privée : protéger la démocratie à l’ère numérique. The report is issued two years after Law 25’s final phase took effect in September 2024. Indeed, through Law 25, marked by its implementation in three-stages, Québec positioned itself as a frontrunner in privacy law reforms in North America.

The CAI’s report provides a list 74 advisory recommendations. Although not binding, these recommendations signal the regulator’s policy direction. This article addresses the recommendations, which are most relevant to the protection of personal information by private-sector organizations.

Rethinking the “individual control” framework

The CAI argues that the traditional model based on individual consent is faltering in the face of the ever-expanding digital economy.

Consent fatigue

In the digital economy, users are incessantly prompted to accept data collection requests, inevitably resulting in resigned consents. To counter this issue, the CAI recommends the deployment of automated consent signals, akin to “Global Privacy Control” mechanisms, which would allow users to set their privacy preferences on their browsers. Once configured, consent would not be asked again. If not configured, the default mechanism would be the user’s refusal to consent.

Just-in-time notices

In response to the widespread failure of users’ engagement with privacy policies, the CAI discusses the implementation of notices such as “just-in-time notices”, such as graphical or sensory cues. These notices are intended to provide users, at the precise moment a choice needs to be made, with the information relevant to that choice, in order to support informed decision-making.

Expanded necessity principle

The CAI recommends codifying the test of necessity and broadening the scope of the necessity criterion through an expansion covering the entire data lifecycle, from its initial collection to its ultimate disclosure, with specific regulations for high-risk practices such as video surveillance.

AI and inferred data

One of the report’s most significant proposals suggests that profiling-based inferences would legally qualify as personal information and would, accordingly, be deemed as data collection. For children under 14, algorithmic inferences would require parental consent unless they are clearly in the child’s best interests.

Data scraping

The CAI recommends the establishment of a clear and extended legal framework regulating data scraping.

Data brokerage

The report calls for extending existing rules to personal information agents to englobe all data brokers, mandating disclosure of scraping activities, and creating a public registry of brokers collecting data on Quebecers. The CAI also suggest the implementation of a single governmental portal allowing citizens to exercise their rights simultaneously with all registered data brokers.

Establishing uniform standards for anonymization

The CAI calls for the application of anonymization rules regardless of timing in the data life cycle. Regulation could thus extend to the subsequent use of anonymized information, with the CAI granted authority to limit the transmission of such datasets and to exclude, where appropriate, the possibility of anonymizing certain types of personal information.

Privacy impact assessments

In terms of privacy impact assessments (PIA), the CAI recommends introducing a three-part structure covering legal compliance, risk assessment and mitigation, alongside a mandatory algorithmic-impact component for AI systems that make automated decision about users. Additional proposed measures notably englobe simplified triggers, lists of “always mandatory” and exempt assessments, and mandatory internal PIA registries.

Deceptive design patterns

The report suggests the implementation of explicit prohibitions on deceptive design patterns affecting privacy, as well as bans on addictive design features on platforms commonly frequented by minors.

Youth privacy

The CAI recommends implementing stronger protections for minors in the digital environment by embedding the “best interests of the child” into privacy laws, prohibiting the commercial use, sale, or harmful exploitation of minors’ personal information, and imposing heightened duties of care on organizations. It also calls for stricter requirements to assess impacts on minors’ fundamental rights and to better regulate the design of digital products and services targeting young users.

Biometrics

The report also calls for the integration of biometric-specific provisions into the existing privacy laws.

CAI’s institutional capacity and enforcement

In the report, the CAI examines its resources, enforcement mechanisms, and relationship with the private sector. Such issues are of direct practical significance for regulated entities.

To accomplish its mandates, the CAI calls for significant structural changes.

The CAI notes that its current resources are insufficient to effectively fulfill its expanded mandate and recommends placing its budget under the oversight of the National Assembly to safeguard its independence. It also proposes replacing statutory appeals to the Court of Québec with judicial review before the Superior Court, thereby strengthening the durability of its decisions. In terms of enforcement, the CAI suggests limiting administrative monetary penalties to objective violations while broadening their scope to enhance legal certainty. Finally, it acknowledges businesses’ need for practical guidance and highlights its efforts to provide tools and frameworks to help simplify compliance.

Conclusion

The CAI’s report is not merely retrospective. Although lacking the force of law, the recommendations embody a substantiated roadmap for Québec’s future privacy regulation and signal a clear shift from procedural compliance to a more robust risk-based framework.

Read the original article on GowlingWLG.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Nayla El Zir
Nayla El Zir
Photo of Nawal Sassi
Nawal Sassi
Photo of Antoine Guilmain
Antoine Guilmain
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More