Since September 22, 2022, organizations doing business in Québec have to report any confidentiality incidents (i.e., privacy breaches) that cause a risk of serious injury, due to the partial entry into force of An Act to modernize legislative provisions as regards the protection of personal information (formerly known as “Bill 64”). An organization affected by a confidentiality incident that causes a risk of serious injury must also notify any affected individual of the circumstances of the breach and the impact on them. For more details on the information that must be disclosed and documented for each confidentiality incident, please refer to the Regulations on Confidentiality Incidents published on November 30, 2022.
Quebec’s privacy regulator, the Commission d’accès à l’information (“CAI”), has been exercising this new authority for only a few months now, but this did not go unnoticed in local media. Over the last few months, information provided to journalists by the CAI – presumably in response to access to information requests – led to some eye-catching headlines:
- “Victim of a Cyber-attack, Sobeys Opts for the Omerta” – TVA Nouvelles, November 8, 2022
- “About 30 Companies Reported Leaks in Two Months” – La Presse, December 8, 2022
- “The CAI’s President Wants More Money to Enforce New Laws” – La Presse, December 8, 2022[1]
This information-sharing development amplifies the impact of the new Québec breach notification obligations and constitutes a significant change in the enforcement landscape of privacy laws in Québec. It could foreshadow the possibility of further public disclosures of ongoing investigations as of September 22, 2023, when the lion’s share of Bill 64’s provisions will enter into force.
The precedent whereby the CAI openly shared with the media the names of organizations that reported a confidentiality incident to it may have a…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
