Introduction
On June 29, 2022, the Québec government published a draft regulation on the process for reporting privacy breaches under the new privacy law. This regulation describes what information needs to be sent to the Commission d'accès à l'information (the CAI) and to affected individuals when a breach meets the threshold for mandatory reporting, as well as the minimum retention period for records of all confidentiality incidents.
What you need to know
- If the Regulation is approved, Québec will have two requirements that differ from the federal regime:
  - Provide the CAI with a summary of the factors that establish a real risk of serious harm. The Québec proposal aligns with the current Alberta requirements.
  - Retain records of confidentiality incidents for five years, which exceeds the federal two-year requirement.
- The requirement to describe the factors that support the mandatory reporting threshold may create tensions with maintaining privilege over legal advice.
- The Regulation may come into force as early as September 2022, so businesses should be updating their internal procedures now to ensure compliance.
Overview of the measures proposed
Comparison with federal regulation
Although similar to the breach reporting requirements under federal PIPEDA, some aspects of the proposed Québec regulation are more onerous:
Requirement | Proposed Québec Regulation | Federal Regulation
Contents of regulatory report | |
Contents of individual notification | |
Record retention | 5 years after the date the organization became aware of the incident. | 2 years after the breach has occurred.
Privilege and transactional considerations
Notably, the draft Regulation would require organizations to describe the elements that led them to conclude that the "risk of serious injury" threshold for mandatory reporting was met. This is similar to the Alberta regime, but is not a federal requirement. It may pose strategic challenges for organizations that wish to err on the side of caution by reporting incidents that do not clearly meet the threshold, while still minimizing litigation and reputational risk. Businesses will need to craft their breach reports carefully to meet this requirement without waiving privilege over the legal advice that informed the reporting assessment, and without creating admissions that could be used against them in litigation relating to the incident.
Similarly, businesses should consider privilege when creating internal records of confidentiality incidents, and should keep legal advice in a file separate from the factual summaries contained in their breach records. Companies engaged in transactions should expect to be asked to produce their breach records in the course of due diligence, which underscores the need to ensure those records do not contain privileged legal advice or risk assessments.
Preparation
The Québec government has proposed that the Regulation take effect on September 22, 2022 for the private sector. Organizations should review their breach response policies; their templates for regulatory reports, individual notifications and breach records; their breach record retention periods; and their privilege protocols to ensure they align with the Québec requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.