All Things Newz
Law \ Legal

New Breach Reporting Requirements In Force In Quebec – Privacy Protection


To print this article, all you need is to be registered or login on

As of September 22, 2022, private-sector entities carrying on
business in Quebec are required to notify Quebec’s Commission
d’acces a l’information (CAI) and affected individuals of a
privacy breach (referred to as a “confidentiality
incident”) that presents a risk of serious injury. This
obligation stems from amendments to Quebec’s Act respecting
the protection of personal information in the private sector

(PPIPS) as a result of Quebec’s Bill 64, An Act to
modernize legislative provisions as regards the protection of
personal information.


A “confidentiality incident” is defined under PPIPS to

  • Access to personal information not authorized by law

  • Use of personal information not authorized by law

  • Communication of personal information not authorized by law,

  • Loss of personal information or any other breach of the
    protection of such information

In assessing the severity of the risk posed by a confidentiality
incident, the organization must consider the sensitivity of the
information, the anticipated consequences of its use and the
likelihood that the information will be used for injurious

Where a confidentiality incident raises the possibility of
serious injury to an individual whose personal information is
disclosed, private-sector organizations must promptly notify both
the CAI and any affected individuals in accordance with
regulations. The CAI posted a notice form that specifies all the information
to be provided. Additionally, organizations are required to keep a
register of all confidentiality incidents and provide the register
to the CAI upon request.


The amendments to the PPIPS provide the CAI with significant new
enforcement powers that will come into force on September 22, 2023.
Serious violations of the PPIPS may constitute an offence, whereby
the CAI can institute penal proceedings and impose fines of up to
the higher of C$25-million or 4% of the organization’s
worldwide turnover for the preceding fiscal year.

In addition to these fines, the CAI will have the power to
impose administrative monetary penalties (AMPs) of up to the higher
of C$10-million or 2% of the organization’s worldwide turnover
for the preceding fiscal year. The CAI will have discretion to
establish conditions on a private-sector entity to remedy the harm
caused by the breach, which may include paying a sum of money. The
CAI is expected to release more guidance on fines and AMPs this

To comply with these new obligations, private entities are
required to take the following steps:

  • Appropriately delegate responsibility to a “person in
    charge of the protection of personal information” (PIC) within
    the organization. The PIC occupies a key role in ensuring an
    organization’s compliance with the PPIPS. Following a
    confidentiality incident, the PIC must be consulted by an
    organization in the completion of its mandatory risk

  • Create or update an incident response policy to respond to
    confidentiality incidents, including measures to reduce the risk of
    injury and prevent new incidents of the same nature.

  • Test incident response policy using a tabletop simulation to
    ensure all responsible parties understand their roles in the event
    of a confidentiality incident.

  • Develop mechanisms to meet mandatory confidentiality incident
    reporting obligations to the CAI and individual notice

  • Devise record-retention procedures for the confidentiality
    incident register.

  • Train employees on their obligations to report confidentiality

For permission to reprint articles, please contact the
Marketing Department.

© 2020 Blake, Cassels & Graydon LLP.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Privacy from Canada

AIDA: The Unfinished Third Act


On June 16, 2022, the Canadian government introduced Bill C-27, which introduced three Acts meant to modernize federal privacy laws. I reviewed the Consumer Privacy Protection Act…


Source link

Related posts

Tax Authorities’ FAQ On DAC6 – Tax Authorities

Restructuring Frameworks Undergoing Change – Insolvency/Bankruptcy

IFCs Can Support The Great Asian Digital Asset Revolution – Fin Tech