Privacy breaches: Quebec releases final regulations for confidentiality incident reporting
December 16, 2022
Quebec has released final regulations for a mandatory confidentiality incident (breach) reporting regime that came into force in late 2022.
The reporting framework has three key requirements. Companies must:
- Report confidentiality incidents carrying a risk of serious injury to the provincial privacy regulator, the Commission d’accès à l’information du Quebec (CAI)
- Notify affected individuals
- Keep registers (records) of confidentiality incidents for 5 years
The regulations list numerous specifics that must be included and steps that must be taken. For example, reports to the CAI must include a description of why the incident carries a risk of serious injury, the number of people affected, and the dates and expected timelines for notifying those affected and for taking mitigating measures, in addition to other requirements.
View confidentiality incident regulations.
These regulations are part of significant amendments to modernize Quebec’s privacy regime. Even members without stores in Quebec can still fall under this regime if they collect or process Quebecers’ data, e.g. for e-commerce or as part of a Canada-wide audience. More amendments are coming into force in 2023 and 2024, including new financial penalties. View more information.
For more on this, please contact Senior Policy Analyst Kate Skipton, kskipton@retailcouncil.org, or Quebec Government Relations lead Apraham Niziblian at aniziblian@retailcouncil.org.