Quebec’s Bill 64 Introduces Unique Cyber Incident Reporting Obligations

Charles S. Morgan, Ellen Yifan Chen, and Philippe April of McCarthy Tétrault LLP write:

The Act to Modernize Legislative Provisions respecting the Protection of Personal Information (“Bill 64” or the “Bill”)[1] received royal assent on September 22, 2021, introducing new obligations for private sector businesses in Québec phased over the course of three years.

[…] it is important to understand that Bill 64 introduces significant new requirements for businesses in Québec that differ from existing Canadian cyber incident reporting regimes:

  • Different scope of application: Bill 64 introduces a new definition of a “confidentiality incident” versus existing “breach of security safeguards” standard in PIPEDA and PIPA;
  • Differences in breach notification standards: Bill 64’s new “risk of serious injury” standard differs from PIPEDA and PIPA’s established “real risk of significant harm” standard;

Read more on Lexology.

h/t, @fanCRTCProfling

About the author: Dissent

Comments are closed.