A little over nine months after it passed An Act to modernize legislative provisions as regards the protection of personal information (“Bill 64”) overhauling, among other legislation, the province’s public and private sector personal information protection laws, Québec has introduced its Draft Regulation (the “Regulation”) detailing how entities will be expected to handle breaches involving personal information (“Confidentiality Incidents”).
Québec is late to the game when it comes to mandatory breach reporting. Every American state, the European Union, as well as Alberta and Canadian provinces subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) require entities to report breaches involving personal information to appropriate regulators and to the individuals whose personal information is compromised. Each law, however, is somewhat different with respect to how, when and what to disclose. Québec’s Regulation is no exception. The following paragraphs identify some of the specificities that mark the Regulation, notably with respect to record keeping, thresholds, and the definition of a Confidentiality Incident. They then present the specific disclosure and record keeping requirements this Regulation imposes.
- Record keeping: Unlike PIPEDA that requires an organization to maintain a record of every breach of security safeguard for 24 months, the Regulation proposes a 5-year retention period from the date or time-period the entity became aware of the Confidentiality Incident.
- Threshold: Whereas PIPEDA and Alberta’s Personal Information Protection Act require notification to their respective privacy commissioners, and to the individuals whose personal information is compromised, if the breach could lead to a “real risk of significant harm”, Bill 64 requires notification in the event of a “risk of serious injury”. Although it is too soon to know whether this difference in terminology will lead to significantly different reporting thresholds, the possibility exists.
- Confidentiality Incident: PIPEDA defines a breach of security safeguards as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards […] or from a failure to establish those safeguards.” Bill 64, however, defines a “confidentiality incident” as follows:
  - access not authorized by law to personal information;
  - use not authorized by law of personal information;
  - communication not authorized by law of personal information; or
  - loss of personal information or any other breach in the protection of such information.
Again, although it is too soon to know the impact of this differing terminology, the definition of a Confidentiality Incident appears to cover a broader scope of activity than the “breach of security safeguards”.
Disclosure and Record-keeping Requirements
If the Regulation comes into effect as is, an entity located in Québec that is subject to a Confidentiality Incident will be required to adhere to the following disclosure and record-keeping requirements.
Notice to the Commission d’accès à l’information (“CAI”)
Timetable for Implementation
The Regulation, which was introduced on June 29, 2022, is scheduled to take effect 45 days after – roughly a month before the first provisions of Bill 64, including the breach notification piece, are scheduled to take effect. As of September 22, 2022, entities operating in Québec will be required to disclose Confidentiality Incidents and comply with the above notice and record keeping requirements.