+1 514 919 5858


Become Bill 25 Compliant

Ensure you meet the standards as outlined by the government of Quebec

Vulnerability Assessment

Scan your internal and external IPs at the frequency of your choosing

Executive Report

Generate executive reports that are understandable and meet your needs

Penetration Testing

Red Team penetration testing simulates real-life attacks with 2000+ exploits

Discussion – 


Bill 25 Takes Effect: A Good thing for Businesses?

The following article is authored by Jean-François J.N. Latreille, CD – a trusted collaborator of ours and senior partner at DUBÉ LATREILLE AVOCATS INC. You can read the original article here.

In recent weeks, Bill 25 has generated a lot of interest on social networks and in business circles in la Belle Province… and for good reason! Indeed, some of its provisions come into force today (September 22, 2022) – including the obligation to designate a Privacy Officer[1] – which is already raising compliance issues for businesses.

Space ship taking off. Bill 25 will change how you do business - fast.

It is worth remembering that Bill 25, entitled An Act to modernize legislative provisions respecting the protection of personal information, sent shockwaves through Quebec’s digital ecosystem when it was adopted in September 2021, since then, businesses would have to be transparent (!) and act responsibly in their management and protection of personal information or face severe financial penalties. There is nothing like this to get the attention of executives and boards of directors! Considering the changes and the substantial resources that will be required to meet these new requirements, is Bill 25 a good thing for Quebec businesses?

First, it must be recognized that Quebec’s privacy laws were in dire need of revision and updating to address the new issues raised by the extraordinary growth of new technologies. Indeed, the outdated nature of the legislation in place meant that the Quebec authorities were unable to effectively manage and protect personal information due to a lack of enforcement measures. These serious shortcomings led to widespread complacency and abuse by organizations to the detriment of individuals whose right to privacy was, and continues to be, abused.

On the other hand, there is the scourge of cyber-crime, a growing global phenomenon. Considering the almost total impunity enjoyed by hackers and the cost-benefit ratio that this illicit activity provides them, this problem is likely to persist[2] and to continue to wreak havoc, as we are reminded almost daily by the news (see the following recent incidents : UPA[3], Collège Montmorency[4], BRB (Bombardier)[5], the IHG hotel chain[6] (Holiday Inn chain), Uber[7], Bell Solutions[8], Ville de Laval[9], etc.). 

These cyber-attacks very often result in the compromise of thousands of files containing personal information. Unsurprisingly, these incidents lead to significant inconveniences for the victims (invasion of privacy, fraud, etc.), which translates into a significant loss of confidence in companies and institutions.

This is why governments in various jurisdictions, faced with the same problems, have been forced to review their policies and regulations to remedy the situation. Europe, in this regard, has taken the lead with the adoption of its remarkable General Data Protection Regulation (“GDPR”), which, since 2018, has significantly influenced legislative reforms in the field (Bill 25 is largely based on it) and international trade (e.g., with respect to cross-border data flow). In fact, the GDPR has shaped the emergence of a growing international movement whereby companies must adhere to certain privacy compliance standards in order to share data across markets[10]. The influence of this movement is increasingly reflected in the internal regulations of certain States, as is the case in Canada (Bill 25, Bill C-27 at the federal level, etc.).

In view of the foregoing, it is true that Bill 25 will require substantial transformations on the part of businesses in terms of personal information management and protection. However, for the reasons given above, this change was necessary and, ultimately, inevitable. Indeed, the government’s intervention was essential to put an end to the bad practices that were taking place.

Moreover, by being the first to adopt new standards in Quebec, based on the European model and in line with international trends, Quebec businesses will be one step ahead of other Canadian jurisdictions, which could give them a significant competitive advantage.

Finally, even if Bill 25 still has to prove itself before the Commission d’accès à l’information (CAI) and the courts, it should be seen by businesses as an opportunity to review their ways of doing things in order to protect all the data they hold (including intellectual property, trade secrets, confidential data, etc.) and also in order to prepare for the possible occurrence of a cyber-incident in order to minimize their risks. 

In the meantime, it is important to start making the changes required by Bill 25 to comply. With most of the terms of the law coming into effect on September 22, 2023 (including administrative and criminal penalties), the countdown has already begun. Let’s get to work!

1 – Failing that, the highest authority of the organization concerned will have to answer for the obligations of the law (art. 103, Act 25).

2 – At least as long as information security is not integrated (built-in) and relegated to the users (end users).

3 – https://lp.ca/wuUlAw?sharing=true

4 – https://www.lapresse.ca/actualites/enquetes/2022-09-08/cyberattaque-au-college-montmorency/une-foule-de-donnees-sensibles-sur-le-dark-web.php

5 – https://ici.radio-canada.ca/nouvelle/1907531/brp-reactions-cyberattaque-impacts

6 – https://www-bbc-com.cdn.ampproject.org/c/s/www.bbc.com/news/technology-62937678.amp

7 – https://www.securityweek.com/serious-breach-uber-spotlights-hacker-social-deception?utm_source=dlvr.it&utm_medium=linkedin

8 – https://www.lapresse.ca/affaires/entreprises/2022-09-16/a-la-suite-d-une-attaque-informatique/fuite-de-donnees-chez-bell-solutions-techniques.php

9 – https://www.lapresse.ca/actualites/2022-09-15/la-ville-de-laval-victime-d-une-attaque-informatique.php

10 – See the eloquent example of the SHREMS II ruling (July 16, 2020) of the Court of Justice of the European Union, which invalidated an automatic certification process for the transfer of European data to the United States on the grounds that the said process (Privacy Shield) did not comply with European protection standards; https://www.cnil.fr/fr/invalidation-du-privacy-shield-les-suites-de-larret-de-la-cjue;

Learn more about how your business can prepare for the new Bill 25 requirements by speaking with experts.

Ryan McHugh


You May Also Like

IsaiX & Cybereco

IsaiX & Cybereco

IsaiX joins Cybereco We are excited to annouce that IsaiX Technologies inc. has become a member of Cybereco! Cybereco...