Since September 22, 2022, organizations doing business in Québec must report any confidentiality incidents (i.e., privacy breaches) that cause a risk of serious injury, because of the partial entry into force of An Act to modernize legislative provisions as regards the protection of personal information (previously known as “Bill 64”). An organization affected by a confidentiality incident that causes a risk of serious injury must also notify any affected individual of the circumstances of the breach and the impact on them. For more details on the information that must be disclosed and documented for each confidentiality incident, please refer to the Regulations on Confidentiality Incidents published on November 30, 2022.
Quebec’s privacy regulator, the Commission d’accès à l’information (“CAI”), has been exercising this new authority for only a few months now, but this did not go unnoticed in local media. Over the past few months, information provided to journalists by the CAI – presumably in response to access to information requests – led to some eye-catching headlines:
- “Victim of a Cyber-attack, Sobeys Opts for the Omerta” – TVA Nouvelles, November 8, 2022
- “About 30 Companies Reported Leaks in Two Months” – La Presse, December 8, 2022
- “The CAI’s President Wants More Money to Enforce New Laws” – La Presse, December 8, 2022
This information-sharing development amplifies the impact of the new Québec breach notification obligations and constitutes a significant change in the enforcement landscape of privacy laws in Québec. It may foreshadow the possibility of further public disclosures of ongoing investigations as of September 22, 2023, when the lion’s share of Bill 64’s provisions will enter into force.
The precedent whereby the CAI openly shared with the media the names of organizations that reported a confidentiality incident to it may have a chilling effect on future breach reports. As there is still scant regulatory guidance on what constitutes a “risk of serious injury”, organizations may be more reticent to report a confidentiality incident out of fear of attracting unwanted negative attention or speculation from the press in instances where the risk of serious injury is unclear or debatable. We note that, while the CAI has only been sharing with the media the names of the organizations that reported a confidentiality incident to it without additional details, the President of the CAI does not rule out the possibility of sharing more information with the public in the future.
Best practice dictates that any public relations efforts about an ongoing incident should be limited until enough information becomes available to avoid misinforming the public. Organizations reasonably wish to mitigate the risk of having to backtrack on a previous communication when their investigations are ongoing. However, the fact that journalists are proactively inquiring with privacy regulators on whether a given organization has reported any new privacy breaches changes the equation. Organizations that experience confidentiality incidents must consider their communication strategy carefully, since any perceived inaction may also ultimately generate sensational headlines, hurt their reputation, and affect their incident response strategy.
The entry into force of Bill 64 and its significant new obligations and sanctions for non-compliance is attracting the attention of the media and puts the CAI directly under their spotlight. As the CAI continues to plead for additional resources from the provincial government to help it manage its new powers, we can expect more privacy-themed headlines in the mainstream media in the near future and beyond September 22, 2023.
We translated these headlines from French for ease of reference.
See the summary of an interview that La Presse held with Diane Poitras, the President of the CAI, at https://www.lapresse.ca/affaires/2022-12-10/commission-d-acces-a-l-information/la-presidente-veut-plus-d-argent-pour-faire-appliquer-les-nouvelles-lois.php
By Charles S. Morgan, Daniel G.C. Glover and Eugen Miscoi