Quebec privacy regulator ceases publishing list of organizations reporting data breaches

On May 27, 2025, Quebec’s privacy regulator, the Commission d’accès à l’information (“CAI”) released a statement that it will cease publishing on its website the list of public and private enterprises that have reported confidentiality incidents to the CAI. The CAI’s decision to cease publishing notices of confidentiality incidents will likely be welcomed by enterprises that have suffered data breaches.

The CAI indicates that this measure is taken with a view of ensuring increased protection for individuals who have fallen victim to confidentiality incidents impacting their personal information. More specifically, the CAI says that by ceasing to publish this information, it is contributing to minimizing the risk of prejudice to affected individuals, avoiding inadvertently revealing the existence of technological vulnerabilities or cybersecurity concerns, avoiding hindering the management of the incident by the affected enterprise and preserving the CAI’s surveillance and investigative powers. The CAI will, however, continue to publish statistics pertaining to the breach notices that it receives.

Previously, the CAI had gone back and forth on the issue of whether to publish details related to confidentiality incidents. Prior to this most recent announcement, the CAI would publish a list of companies that declared a confidentiality incident once every three months. The information that was made publicly available was limited to the name of the enterprise having declared the confidentiality incident and the date on which the incident was reported to the CAI, though the last publicly available report on the CAI’s website dates back to September 2024.

As a reminder, a confidentiality incident, namely the unauthorized access, use or disclosure of personal information, or any other loss of personal information or any other breach of the protection of personal information, must be reported to the CAI where the incident represents a risk of serious injury. Determining whether the incident poses a risk of serious injury requires analyzing the sensitivity of the information concerned, the anticipated consequences of its use, and the likelihood that the information will be used for injurious purposes.