When Law 25 comes into effect in Quebec on Sept. 22, 2022, businesses that fail to report a confidentiality incident could face unprecedented fines of up to $25M. As organizations doing business in the province prepare to comply with the new legislation, Gowling WLG is producing a series of articles and other resources to help guide and inform those making the shift. This is the second article in our new series. The first article, "Quebec CEOs will need to serve as default privacy officers under Bill 64" can be found here.
If an organization believes that a confidentiality incident involving personal information has occurred, it will be required to take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature. Organizations must promptly notify the Commission d'accès à l'information (the "CAI") and any persons whose data is affected by a confidentiality incident involving personal information that "presents a risk of serious injury," as well as any person or body that could reduce the risk.The content of the notice will be specified in a Regulation that is to come into force on Sept. 22, 2022.
Organizations will be required to keep a register of all confidentiality incidents. Under the draft regulations, such register must be kept for five years from the date the organization became aware of the incident – a departure from the two years required under the federal private sector privacy legislation, PIPEDA.
Again, an organization that fails to report a confidentiality incident to the CAI or to any person concerned could face unprecedented penal and monetary administrative penalties. Like penal fines to the tune of up to $25M (or, if greater, the amount corresponding to four per cent of worldwide turnover for the preceding fiscal year), or monetary administrative penalties of up to $10M (or, if greater, two per cent of worldwide turnover for the preceding fiscal year). The Quebec Privacy Act also introduces a minimum $1,000 award in punitive damages for infringements that cause harm and are intentional or result from a gross fault.
*For reference: "Bill 64 was the name of the original legislative text first proposed to Quebec's national assembly on June 12, 2020 … Bill 64 finally completed its passage into legislation when it received formal assent on September 22, 2021. At this point, it became The Privacy Legislation Modernization Act - otherwise known as Law 25."
Should you have any questions on how these changes affect your business, please feel free to contact the authors and members of our Quebec Cyber Security & Data Protection Group.
 Regulation respecting confidentiality incidents (draft), (2022) no 26 G.O. II, 3935, s. 9
 Everything you need to know about Quebec's Law 25 (ex Bill 64)