As of September 22, 2022, private-sector entities carrying on
business in Quebec are required to notify Quebec’s Commission
d’accès à l’information (CAI) and affected individuals of a
privacy breach (referred to as a “confidentiality
incident”) that presents a risk of serious injury. This
obligation stems from amendments to Quebec’s Act respecting
the protection of personal information in the private sector
(PPIPS) as a result of Quebec’s Bill 64, An Act to
modernize legislative provisions as regards the protection of
A “confidentiality incident” is defined under PPIPS to
- Access to personal information not authorized by law
- Use of personal information not authorized by law
- Communication of personal information not authorized by law,
- Loss of personal information or any other breach of the
protection of such information
In assessing the severity of the risk posed by a confidentiality
incident, the organization must consider the sensitivity of the
information, the anticipated consequences of its use and the
likelihood that the information will be used for injurious
Where a confidentiality incident raises the possibility of
serious injury to an individual whose personal information is
disclosed, private-sector organizations must promptly notify both
the CAI and any affected individuals in accordance with
regulations. The CAI posted a notice form that specifies all the information
to be provided. Additionally, organizations are required to keep a
register of all confidentiality incidents and provide the register
to the CAI upon request.
NEW ENFORCEMENT POWERS
The amendments to the PPIPS provide the CAI with significant new
enforcement powers that will come into force on September 22, 2023.
Serious violations of the PPIPS may constitute an offence, whereby
the CAI can institute penal proceedings and impose fines of up to
the higher of C$25-million or 4% of the organization’s
worldwide turnover for the preceding fiscal year.
In addition to these fines, the CAI will have the power to
impose administrative monetary penalties (AMPs) of up to the higher
of C$10-million or 2% of the organization’s worldwide turnover
for the preceding fiscal year. The CAI will have discretion to
establish conditions on a private-sector entity to remedy the harm
caused by the breach, which may include paying a sum of money. The
CAI is expected to release more guidance on fines and AMPs this
To comply with these new obligations, private entities are
required to take the following steps:
- Appropriately delegate responsibility to a “person in
charge of the protection of personal information” (PIC) within
the organization. The PIC occupies a key role in ensuring an
organization’s compliance with the PPIPS. Following a
confidentiality incident, the PIC must be consulted by an
organization in the completion of its mandatory risk
- Create or update an incident response policy to respond to
confidentiality incidents, including measures to reduce the risk of
injury and prevent new incidents of the same nature.
- Test incident response policy using a tabletop simulation to
ensure all responsible parties understand their roles in the event
of a confidentiality incident.
- Develop mechanisms to meet mandatory confidentiality incident
reporting obligations to the CAI and individual notice
- Devise record-retention procedures for the confidentiality
- Train employees on their obligations to report confidentiality
© 2020 Blake, Cassels & Graydon LLP.