New Breach Reporting Requirements in Force in Quebec

As of September 22, 2022, private-sector entities carrying on business in Quebec are required to notify Quebec’s Commission d’acces a l’information (CAI) and affected individuals of a privacy breach (referred to as a “confidentiality incident”) that presents a risk of serious injury. This obligation stems from amendments to Quebec’s Act respecting the protection of personal information in the private sector (PPIPS) as a result of Quebec’s Bill 64, An Act to modernize legislative provisions as regards the protection of personal information.

CONFIDENTIALITY INCIDENT

A “confidentiality incident” is defined under PPIPS to mean:

• Access to personal information not authorized by law

• Use of personal information not authorized by law

• Communication of personal information not authorized by law, or

• Loss of personal information or any other breach of the protection of such information

In assessing the severity of the risk posed by a confidentiality incident, the organization must consider the sensitivity of the information, the anticipated consequences of its use and the likelihood that the information will be used for injurious purposes.

Where a confidentiality incident raises the possibility of serious injury to an individual whose personal information is disclosed, private-sector organizations must promptly notify both the CAI and any affected individuals in accordance with regulations. The CAI posted a notice form that specifies all the information to be provided. Additionally, organizations are required to keep a register of all confidentiality incidents and provide the register to the CAI upon request.

NEW ENFORCEMENT POWERS

The amendments to the PPIPS provide the CAI with significant new enforcement powers that will come into force on September 22, 2023. Serious violations of the PPIPS may constitute an offence, whereby the CAI can institute penal proceedings and impose fines of up to the higher of C$25-million or 4% of the organization’s worldwide turnover for the preceding fiscal year.

In addition to these fines, the CAI will have the power to impose administrative monetary penalties (AMPs) of up to the higher of C$10-million or 2% of the organization’s worldwide turnover for the preceding fiscal year. The CAI will have discretion to establish conditions on a private-sector entity to remedy the harm caused by the breach, which may include paying a sum of money. The CAI is expected to release more guidance on fines and AMPs this year.

To comply with these new obligations, private entities are required to take the following steps:

• Appropriately delegate responsibility to a “person in charge of the protection of personal information” (PIC) within the organization. The PIC occupies a key role in ensuring an organization’s compliance with the PPIPS. Following a confidentiality incident, the PIC must be consulted by an organization in the completion of its mandatory risk assessment.

• Create or update an incident response policy to respond to confidentiality incidents, including measures to reduce the risk of injury and prevent new incidents of the same nature.

• Test incident response policy using a tabletop simulation to ensure all responsible parties understand their roles in the event of a confidentiality incident.

• Develop mechanisms to meet mandatory confidentiality incident reporting obligations to the CAI and individual notice requirements.

• Devise record-retention procedures for the confidentiality incident register.

• Train employees on their obligations to report confidentiality incidents.

For more information about changes to Quebec’s privacy laws, read our August 2022 Blakes Bulletin: Quebec Privacy Law: Is Your Organization Ready for New Rules in Force This September? or contact :

Sunny Handa                    +1-514-982-4008
Ellie Marshall                    +1-416-863-3053
Natalie LaMarche            +1-416-863-2734
Liliane Langevin               +1-514-982-5065

or any other member of our Cybersecurity group.