Skip to main content

On Your Mark, Report: The Regulation Respecting Confidentiality Incidents Is in Force

Reading Time 3 minute read


Privacy & Cybersecurity Bulletin

A holiday gift: The Regulation respecting confidentiality incidents[1] came into force on December 29, 2022[2], with few changes to the draft proposed last June.[3] The Regulation is part of Québec’s privacy law reform implemented by Law 25.[4] On September 22, 2022, the provisions[5] concerning the mandatory incident register and reporting of those with a risk of serious injury took effect. The Regulation establishes the content of the register and specifies the terms of notification concerning these requirements.

For more information on the content of the Regulation, see our bulletin on the subject here.

As of September 22, 2023, a company or public body’s failure to report a confidentiality incident to the Commission d’accès à l’information or to the persons concerned may be subject to the following penalties:


Private Sector Act

Access Act

Monetary administrative penalty

Up to $10,000,000 or 2% of the previous year’s worldwide turnover, whichever is greater[6]


Penal fines

Up to $25,000,000 or 4% of the previous year’s worldwide turnover, whichever is greater[7]

From $5,000 to $100,000, for an individual[8]


Up to $30,000[9]


[1]      Regulation respecting confidentiality incidents, published under Order in Council 1761-2022 of November 30, 2022, in the Gazette officielle du Québec of December 14, 2022, 154th year, n 50, p. 4003.

[2]      Except with respect to political parties, independent members and independent candidates, for which it will come into force on September 22, 2023; Regulation, s. 9.

[3]      In reference to the notice to the Commission d'accès à l’information of a confidentiality incident that poses a risk of serious injury, the word “date” has been replaced by “the date or time period” on which the measures were taken; see Regulations, s. 3(10).

[4]      An Act to modernize legislative provisions as regards the protection of personal information, QS 2021, c. 25 (“Law 25”), which modifies, in particular, the Act respecting the protection of personal information in the private sector, CQLR c. P-39.1 (“Private Sector Act”) and the Act respecting Access to documents held by public bodies and the protection of personal information, CQLR c. A-2.1 (the “Access Act”).

[5]      For a reminder of the different implementation milestones, see our Annotated Private Sector Law and our Annotated Access Act (available in French only).

[6]      Private Sector Act, supra note 4, s. 90.1 par. 1(3) and 90.12.

[7]      Ibid., s. 91 par. 1 and 91 par. 1(3).

[8]      The Private Sector Act provides that where an offence is committed by a legal person, the administrator, director or representative who ordered or authorized the act or omission constituting the offence, or who consented thereto, is a party to the offence and is liable to the prescribed penalty.

[9]      Access Act, supra note 4, s. 158(6).

Contact the Authors

For more information or to discuss a particular matter please contact us.

Contact the Authors



    Receive email updates from our team