Charles S. Morgan, Ellen Yifan Chen, and Philippe April of McCarthy Tétrault LLP write:
The Act to Modernize Legislative Provisions respecting the Protection of Personal Information (“Bill 64” or the “Bill”)[1] received royal assent on September 22, 2021, introducing new obligations for private sector businesses in Québec phased over the course of three years.
[…] it is important to understand that Bill 64 introduces significant new requirements for businesses in Québec that differ from existing Canadian cyber incident reporting regimes:
- Different scope of application: Bill 64 introduces a new definition of a “confidentiality incident” versus existing “breach of security safeguards” standard in PIPEDA and PIPA;
- Differences in breach notification standards: Bill 64’s new “risk of serious injury” standard differs from PIPEDA and PIPA’s established “real risk of significant harm” standard;
Read more on Lexology.
h/t, @fanCRTCProfling