The Unexpected Effect of the Introduction of Mandatory Breach Notification Requirements in Québec
Charles S. Morgan, Daniel G.C. Glover, and Eugen Miscoi of McCarthy Tétrault LLP write:
Since September 22, 2022, organizations doing business in Québec have to report any confidentiality incidents (i.e., privacy breaches) that cause a risk of serious injury, due to the partial entry into force of An Act to modernize legislative provisions as regards the protection of personal information (formerly known as “Bill 64”). An organization affected by a confidentiality incident that causes a risk of serious injury must also notify any affected individual of the circumstances of the breach and the impact on them. For more details on the information that must be disclosed and documented for each confidentiality incident, please refer to the Regulations on Confidentiality Incidents published on November 30, 2022.
Quebec’s privacy regulator, the Commission d’accès à l’information (“CAI”), has been exercising this new authority for only a few months now, but this did not go unnoticed in local media. Over the last few months, information provided to journalists by the CAI – presumably in response to access to information requests – led to some eye-catching headlines:
This information-sharing development amplifies the impact of the new Québec breach notification obligations and constitutes a significant change in the enforcement landscape of privacy laws in Québec. It could foreshadow the possibility of further public disclosures of ongoing investigations as of September 22, 2023, when the lion’s share of Bill 64’s provisions will enter into force.
Read more at Lexology.