The Unexpected Effect of the Introduction of Mandatory Breach Notification Requirements in Québec - Lexology

The Unexpected Effect of the Introduction of Mandatory Breach Notification Requirements in Québec
Blog Techlex
McCarthy Tétrault LLP
McCarthy Tétrault LLP logo
Canada January 12 2023
Since September 22, 2022, organizations doing business in Québec have to report any confidentiality incidents (i.e., privacy breaches) that cause a risk of serious injury, due to the partial entry into force of An Act to modernize legislative provisions as regards the protection of personal information (formerly known as “Bill 64”). An organization affected by a confidentiality incident that causes a risk of serious injury must also notify any affected individual of the circumstances of the breach and the impact on them. For more details on the information that must be disclosed and documented for each confidentiality incident, please refer to the Regulations on Confidentiality Incidents published on November 30, 2022.

Quebec’s privacy regulator, the Commission d’accès à l’information (“CAI”), has been exercising this new authority for only a few months now, but this did not go unnoticed in local media. Over the last few months, information provided to journalists by the CAI – presumably in response to access to information requests – led to some eye-catching headlines:

This information-sharing development amplifies the impact of the new Québec breach notification obligations and constitutes a significant change in the enforcement landscape of privacy laws in Québec. It could foreshadow the possibility of further public disclosures of ongoing investigations as of September 22, 2023, when the lion’s share of Bill 64’s provisions will enter into force.

The precedent whereby the CAI openly shared with the media the names of organizations that reported a confidentiality incident to it may have a chilling effect on future breach reports. As there is still scant regulatory guidance on what constitutes a “risk of serious injury”, organizations may be more reticent to report a confidentiality incident out of fear of attracting unwanted negative attention or speculation from the press in scenarios where the risk of serious injury is unclear or debatable. We note that, while the CAI has only been sharing with the media the names of the organizations that reported a confidentiality incident to it without additional details, the President of the CAI does not rule out the possibility of sharing more information with the public in the future.[2]

Best practice dictates that any public relations efforts about an ongoing incident should be limited until enough information becomes available to avoid misinforming the public. Organizations reasonably wish to mitigate the risk of having to backtrack on a previous communication when their investigations are ongoing. However, the fact that journalists are proactively inquiring with privacy regulators on whether a given organization has reported any new privacy breaches changes the equation. Organizations that experience confidentiality incidents must consider their communication strategy carefully, since any perceived inaction may also ultimately generate sensational headlines, hurt its reputation, and impact its incident response strategy.

The entry into force of Bill 64 and its significant new obligations and sanctions for non-compliance is attracting the attention of the media and puts the CAI directly under their spotlight. As the CAI continues to plead for additional resources from the provincial government to help it manage its new powers, we can expect more privacy-themed headlines in the mainstream media in the near future and beyond September 22, 2023.

To view all formatting for this article (eg, tables, footnotes), please access the original here.