Introduction

The Act to Modernize Legislative Provisions respecting the Protection of Personal Information (“Bill 64” or the “Bill”)[1] received royal assent on September 22, 2021, introducing new obligations for private sector businesses in Québec phased over the course of three years. As part of a series of blogs on the steps businesses will have to take to ensure compliance, obligations incumbent on businesses in the case of a cybersecurity incident are amongst the most pressing concerns to the private sector.

Bill 64 was introduced in an effort to add robust protections for the personal information of citizens held by private businesses. The provisions discussed in this blog amending the Private Sector Act are set to come into force on September 22nd, 2022 and September 22nd, 2023 making them high priority items for businesses to prepare for.

Bill 64’s new cyber incident reporting requirements for the private sector may sound familiar to businesses that are already compliant with analogous requirements under the Canadian Federal Personal Information Protection and Electronic Documents Act (PIPEDA), Alberta’s Personal Information Protection Act (PIPA) and the European General Data Protection Regulation (GDPR). However, even for such businesses, it is important to understand that Bill 64 introduces significant new requirements for businesses in Québec that differ from existing Canadian cyber incident reporting regimes:

  • Different scope of application: Bill 64 introduces a new definition of a “confidentiality incident” versus existing “breach of security safeguards” standard in PIPEDA and PIPA;
  • Differences in breach notification standards: Bill 64’s new “risk of serious injury” standard differs from PIPEDA and PIPA’s established “real risk of significant harm” standard;
  • Similar incident registration requirements: Bill 64 requires registration of all confidentiality incidents regardless of risk of harm, aligning with Federal PIPEDA record keeping requirements;
  • Unique risk mitigation and remediation obligations: Bill 64 requires businesses introduce new risk mitigation and remediation procedures to prevent future confidentiality incidents; and
  • Significantly larger penalties for non-compliance: with penalties of up to $25,000,000 or up to 4% of worldwide revenue for non-compliance.

Scope of Application

Bill 64 introduces a revised definition for a “confidentiality incident”, meaning access, use, or communication not authorized by law of personal information; or a loss or any other breach in the protection of such information.[2] This new definition is coupled with an expanded definition of personal information, with Bill 64 adding that personal information includes any information relating to a natural person which can directly or indirectly allow them to be identified.[3]

By comparison, the Federal PIPEDA and the Alberta PIPA define a breach as a loss, unauthorized access, or unauthorized disclosure of personal information resulting from a breach of security safeguards.[4] GDPR shares a similar definition of a personal data breach, meaning accidental or unlawful destruction, loss, alteration, disclosure of, or access to personal data held by a company.[5]

Bill 64’s definition includes access, use, communication, and loss of personal information, not authorized by law. In practice, Bill 64’s definitions covers the common situations a data breach may arise, but also includes the broad and potentially amorphous category of “any other breach” in the protection of personal information that could extend to activities beyond what PIPEDA or PIPA may define as a breach, and align more closely with GDPR’s interpretation. The result is that businesses may be required to monitor a broader spectrum of cybersecurity risks triggering Bill 64’s reporting and recording obligations compared to existing Canadian privacy protection regimes.

Breach Notification Requirements

Companies in Québec are now required to notify individuals impacted by a confidentiality incident where the breach poses a “risk of serious injury.”[6] Bill 64’s standard for notifying affected customers is assessed using similar factors to the established “real risk of significant harm” standard employed by PIPEDA and the Alberta PIPA. “Risks of serious injury”, like “real risks of significant harm”, are context-based assessments considering the sensitivity of the information involved and the likelihood that the information is to be misused.[7]

Unlike PIPEDA and PIPA’s standard of “real risks of significant harm”, the “risk of serious injury” standard has no clear definition in Bill 64. Moreover, it is as yet unclear whether the apparent different standard of a mere “risk” (as opposed to a “real risk”) will ultimately constitute a distinction without a difference. There is a possibility that both standards will be applied by the newly founded Comission d’accès à l’information (“CAI”) in similar ways given that the criteria align closely, but companies should be mindful of developments to see if the wording in Bill 64 is interpreted in a manner that is more stringent than PIPEDA and PIPA requirements.

For the time limits to notify third parties of a “risk of serious injury”, Bill 64 aligns more closely with existing requirements for timely notification in Canadian privacy protection regimes. If the incident presents a risk of serious injury, businesses must report the incident to the CAI as well as any person whose personal information is impacted by the incident as soon as is practicable.[8] Failure to do so may result in the CAI compelling disclosure to affected parties, administrative monetary penalties, as well as statutory penalties.[9]

PIPEDA and PIPA require notification as soon as feasible to the Privacy Commissioner in the event a breach of security safeguards presents a “real risk of significant harm.”[10] By comparison, GDPR requires disclosure of a data breach to the country’s supervisory authority no later than 72 hours after the breach where it causes a risk of harm.[11]

Incident Registration Requirements

Bill 64 imposes new recording requirements for businesses that experience a confidentiality incident. Businesses that process the personal information of citizens in Quebec will now need to keep a register of any confidentiality incidents that affect their customers’ personal information, whether they pose a “risk of serious injury” or not, and send the register to the CAI on request.[12]

This requirement for mandatory recording of all confidentiality breaches for subsequent review by regulatory authorities brings Quebec’s private sector’s record keeping obligations in line with Canadian Federal and European data breach record keeping obligations. PIPEDA requires that organizations keep and maintain records of every breach of security safeguards involving information under its control, whether they pose a “real risk of significant harm” or not, and to provide a record to the Privacy Commissioner on request.[13] GDPR maintains similar requirements, requiring that controllers document any personal data breaches, their effects, and remedial actions taken.[14] The Alberta PIPA does not require a similarly detailed record keeping obligation for the private sector.

Risk Mitigation and Remediation Requirements

Bill 64 requires a broader spectrum of risk mitigation and remediation requirements when compared to existing Canadian privacy regimes, resulting in notable differences to take into account for effective compliance.

Bill 64 requires that any person with cause to believe that a confidentiality incident has occurred must take reasonable measures to reduce the risk of injury and prevent new incidents.[15] Similar to the newly introduced incident registration requirements, Bill 64 introduces risk mitigation and remediation obligations regardless as to whether or not the confidentiality incident results in a “risk of serious injury” and applies the obligation to any person with cause to believe a confidentiality incident has occurred. As a consequence, Bill 64 applies more stringent obligations on businesses than PIPEDA and PIPA.

Coupled with the above mentioned record keeping requirements, Bill 64’s requirements more closely resemble GDPR’s requirements for remediation and may exceed GDPR for subsequent risk mitigation. GDPR requires that companies who suffer a data breach maintain a record of the remedial action taken in addition to any data breach. Bill 64 requires that reasonable measures be taken to reduce the risk of injury during a confidentiality breach and that reasonable measures are taken to reduce subsequent risks.[16]

Significantly Larger Penalties

Among Bill 64’s most significant changes are the potential for significantly increased penalties for failure to adequately respond to cyber incidents relative to other Canadian laws. Bill 64 sets out two potential schemes for non-compliance, an administrative monetary penalty and a penal penalty.

Administrative monetary penalties can be imposed by the CAI for failures to inform, collection and communication of personal information in contravention of the act, failure to report confidentiality incidents, and failure to take appropriate security measures to protect personal information.[17] Companies that are found in contravention of Bill 64’s provisions may enter into an undertaking with the CAI to remedy the default, and avoid an administrative monetary penalty.[18] If an undertaking with the CIA is not engaged with, the maximum penalty that can be imposed is $10,000,000 or 2% of worldwide turnover for the preceding fiscal year, whichever is greater.[19]

Depending on the severity, frequency, and impact of non-compliance, the CAI may instead apply a penal penalty with a maximum of $25,000,000 or 4% of worldwide turnover for the preceding fiscal year, whichever is greater.[20] Penalties for non-compliance with Bill 64 have the potential to be the most costly in Canada, as both PIPEDA and PIPA impose penalties of up $100,000 per violation.[21] Bill 64’s fines for non-compliance now more closely approximate those for GDPR non-compliance.[22]

With heightened penalties for non-compliance coming into force in September 22, 2023, businesses should consider the following steps to ensure compliance with Bill 64’s new obligations.

Concrete Steps to Consider for Compliance

  1. Prepare a Breach Registry

Bill 64 requires that companies keep a registry of confidentiality incidents that impact their customers data, regardless as to whether or not they pose a risk of serious harm. GDPR compliant companies might be familiar with similar breach registry requirements, but PIPEDA compliance only requires reporting for incidents causing real risk of significant harm. As part of complying with Bill 64’s obligation to prevent new incidents of the same nature, companies should consider updating their internal reporting practices to record more detailed information on confidentiality incidents, remedial measures to taken to reduce the risk of harm, and steps taken to mitigate existing risks.

  1. Develop methodologies to determine the seriousness of confidentiality incidents

Confidentiality incidents with risks of serious harm need to be reported promptly to the CAI, and must be notified to impacted parties as soon as practicable. To know when a company is required to begin the notification process, active monitoring of personal information held and assessment processes for the severity of a breach are needed. Though PIPEDA, PIPA, and GDPR use similar criteria to assess risk of harm, Companies should tailor their privacy impact assessments to the factors listed in Bill 64 to demonstrate compliance in the event of a cyber incident.

  1. Update existing breach reporting documentation

As mentioned above, Bill 64 has varied disclosure requirements that may require newly drafted notification documentation that takes in account the specific criteria to be assessed during a confidentiality incident. Companies are required to notify the CAI and affected individuals for incidents involving a serious risk of harm as soon as practicable, and pre-drafted materials may assist in efficiently notifying impacted parties. The CAI may set the content and form of notification for mandatory reporting during a confidentiality incident by regulation, which may require newly drafted notification documentation.

Conclusion

Bill 64 has made significant additions to the reporting requirements that businesses who process personal information in Québec should be aware of. Given that the sections concerning breach notification and registry maintenance are set to come into force on September 22nd, 2022, with penalties for non-compliance coming into force on September 22nd, 2023, companies should consider planning for how to align their internal privacy and data security practices with Bill 64’s new requirements.