Law 25: The Cost Of A Privacy Breach In Quebec Just Went Up. Way Up

When you’re starting to drown between employee concerns, payroll duties and helping your CEO -- HR Insider is there to help get the logistical work out of the way.

Need a policy because of a recent regulatory change? We’ve got it for you. Need some quick training on a specific HR topic? We’ve got it for you. HR Insider provides the resources you need to craft, implement and monitor policies with confidence. Our team of experts (which includes lawyers, analysts and HR professionals) keep track of complex legislation, pending changes, new interpretations and evolving case law to provide you with the policies and procedures to keep you ahead of problems. FIND OUT MORE...

Favorite Print Email

When Law 25 came into effect in Quebec on Sept. 22, 2022, businesses that fail to report a confidentiality incident could face unprecedented fines of up to $25M. As businesses across the province prepare to comply with the new legislation, Gowling WLG is producing a series of articles and other resources to help guide and inform those making the shift. This is the second article in our new series. The first article, “Quebec CEOs will need to serve as default privacy officers under Bill 64” can be found here.

If an organization believes that a confidentiality incident involving personal information has occurred, it will be required to take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature. Organizations must promptly notify the Commission d’accès à l’information (the “CAI“) and any persons whose data is affected by a confidentiality incident involving personal information that “presents a risk of serious injury,” as well as any person or body that could reduce the risk.The content of the notice will be specified in a Regulation¹ that is to come into force on Sept. 22, 2022.

Organizations will be required to keep a register of all confidentiality incidents. Under the draft regulations, such register must be kept for five years from the date the organization became aware of the incident – a departure from the two years required under the federal private sector privacy legislation, PIPEDA.

Again, an organization that fails to report a confidentiality incident to the CAI or to any person concerned could face unprecedented penal and monetary administrative penalties. Like penal fines to the tune of up to $25M (or, if greater, the amount corresponding to four per cent of worldwide turnover for the preceding fiscal year), or monetary administrative penalties of up to $10M (or, if greater, two per cent of worldwide turnover for the preceding fiscal year). The Quebec Privacy Act also introduces a minimum $1,000 award in punitive damages for infringements that cause harm and are intentional or result from a gross fault.

*For reference: “Bill 64 was the name of the original legislative text first proposed to Quebec’s national assembly on June 12, 2020 … Bill 64 finally completed its passage into legislation when it received formal assent on September 22, 2021. At this point, it became The Privacy Legislation Modernization Act – otherwise known as Law 25.”

Footnote

1. Regulation respecting confidentiality incidents (draft), (2022) no 26 G.O. II, 3935, s. 9

by Christopher Oates , Jasmine Samra , Melissa Tehrani and Wendy Wagner

Gowling WLG

You May Also Like

Independent Contractor Policy

Access to Employee Records Policy

Inventions and Confidentiality Policy