Quebec: Bill 64 - Part two: New breach notification rules
Bill 64, also known as An Act to modernize legislative provisions as regards the protection of personal information ('the Bill'), aims to 'modernize the framework applicable to the protection of personal information'1 in Quebec by adding new provisions to various Acts, including the Act respecting Access to documents held by public bodies and the Protection of personal information and the Act respecting the protection of personal information in the private sector ('the Private Sector Act'). The Bill marks an important reform of Quebec's privacy law. It received parliamentary assent on 22 September 2021, and the provisions it contains come into force gradually over three years from the date of assent. In part two of this series, Vanessa Deschênes and Patrick Laverty-Lavoie, Partner and Lawyer respectively at ROBIC L.L.P., discuss the Bill's provisions on breach notification and their practical implications for businesses.
This article focuses on the notification obligations for enterprises that the Bill adds to the Private Sector Act.
What key changes does Bill 64 introduce in regard to breach notification?
As is already the case in Alberta under the Personal Information Protection Act and federally under the Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA'), the Bill introduces a breach notification regime. Sections 3.5 to 3.8 of the Private Sector Act, which contain the new breach notification requirements for enterprises, come into force one year after the above-mentioned date of assent of the Bill. Rather than using the term 'breach of security safeguards', the Bill uses the term 'confidentiality incident'2. A confidentiality incident means the following: '(1) access not authorized by law to personal information; (2) use not authorized by law of personal information; (3) communication not authorized by law of personal information; or (4) loss of personal information or any other breach in the protection of such information'3. In other words, a confidentiality incident is the unauthorised access, use, or disclosure of personal information, the loss of personal information, or any other breach of the protection of personal information.
One of the main obligations for an enterprise dealing with a confidentiality incident is found at Section 3.5 of the Private Sector Act, which states that '[a]ny person carrying on an enterprise who has cause to believe that a confidentiality incident involving personal information the person holds has occurred must take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature'4. Therefore, following the incident, an enterprise is required to implement reasonable measures to mitigate the risk of injury resulting from it, and to take reasonable measures to prevent new incidents of the same nature in the future. When a confidentiality incident presents a 'risk of serious injury', prompt notification to both the Quebec Commission on Access to Information ('CAI') and to any person whose personal information is concerned by the incident is required5. The CAI may also order a person carrying on an enterprise to notify a person whose personal information is concerned by a confidentiality incident when the enterprise fails to do so6. Additionally, the person carrying on an enterprise may notify any person or body that could reduce the risk arising from the confidentiality incident7. In such cases, the person carrying on an enterprise may communicate to that person or body 'only the personal information necessary for that purpose without the consent of the person concerned'8. The person in charge of the protection of personal information in the enterprise must record such a communication9.
What are the criteria for notification to the CAI and to affected individuals?
Among the criteria to be taken into account in determining whether notification is required are, of course, the presence of personal information and the risk of 'serious injury' arising from the incident. Thus, if the incident involves personal information and there is a risk of serious injury, the enterprise must notify the CAI and the individuals concerned10. It is important to note that both the federal and Alberta legislation use the term 'real risk of significant harm' rather than 'risk of serious injury'. It will be interesting to follow the evolution of this new provision in order to clarify the nuances between the two formulations with regard to risk assessment.
In determining the risk of injury to a person whose personal information is concerned by a confidentiality incident, a person carrying on an enterprise must consider the following: 'the sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes'11. The person in charge of the protection of personal information within the enterprise must also be consulted12. As mentioned above, if the incident presents a risk of serious injury, the person carrying on an enterprise must promptly notify the CAI and any person whose personal information is involved in the incident13. The content and terms of the notices provided following a confidentiality incident may be determined by government regulation14. In its third paragraph, Section 3.5 of the Private Sector Act states that 'a person whose personal information is concerned by the incident need not be notified so long as doing so could hamper an investigation conducted by a person or body responsible by law for the prevention, detection or repression of crime or statutory offences'15. Therefore, when such an investigation is under way, notification to the individual may be delayed for as long as it could hamper the investigation. In all cases, enterprises must keep a register of confidentiality incidents16.
How will this affect companies in Quebec?
In practical terms, enterprises subject to PIPEDA should already have the mechanisms in place to meet the new notification requirement. Indeed, the additions regarding the obligation to notify and to maintain a register, as well as the involvement of the Privacy Officer, are very similar to what was introduced in 2018 in the federal legislation. If an enterprise is not already PIPEDA compliant, it will need to create a confidentiality incident log, known as a 'register', together with internal procedures to address confidentiality incidents and to determine when notification is required. In all cases, the Privacy Officer should work closely with the enterprise's Information Security Officer to ensure that internal processes and procedures are consistent.
Vanessa Deschênes Partner
[email protected]
Patrick Laverty-Lavoie Lawyer
[email protected]
ROBIC L.L.P, Montréal
1. Explanatory Notes, Bill 64.
2. Section 3.5 of the Private Sector Act (added by Bill 64).
3. Id., section 3.6.
4. Id., section 3.5, par. 1.
5. Id., section 3.5, par. 2.
6. Id.
7. Id.
8. Id.
9. Id.
10. Id.
11. Id., section 3.7.
12. Id.
13. Id., section 3.5, par. 2.
14. Id., par. 5.
15. Id., par. 3.
16. Id., section 3.8.