The following article is authored by Jean-François J.N. Latreille, CD – a trusted collaborator of ours and senior partner at DUBÉ LATREILLE AVOCATS INC. You can read the original article here.
In recent weeks, Bill 25 has generated a lot of interest on social networks and in business circles in la Belle Province… and for good reason! Indeed, some of its provisions come into force today (September 22, 2022) – including the obligation to designate a Privacy Officer – which is already raising compliance issues for businesses.
It is worth remembering that Bill 25, entitled An Act to modernize legislative provisions respecting the protection of personal information, sent shockwaves through Quebec’s digital ecosystem when it was adopted in September 2021: from then on, businesses would have to be transparent (!) and act responsibly in their management and protection of personal information or face severe financial penalties. There is nothing like this to get the attention of executives and boards of directors! Considering the changes and the substantial resources that will be required to meet these new requirements, is Bill 25 a good thing for Quebec businesses?
First, it must be recognized that Quebec’s privacy laws were in dire need of revision and updating to address the new issues raised by the extraordinary growth of new technologies. Indeed, the outdated nature of the legislation in place meant that the Quebec authorities were unable to effectively manage and protect personal information due to a lack of enforcement measures. These serious shortcomings led to widespread complacency and abuse by organizations to the detriment of individuals whose right to privacy was, and continues to be, abused.
These cyber-attacks very often result in the compromise of thousands of files containing personal information. Unsurprisingly, these incidents lead to significant inconveniences for the victims (invasion of privacy, fraud, etc.), which translates into a significant loss of confidence in companies and institutions.
This is why governments in various jurisdictions, faced with the same problems, have been forced to review their policies and regulations to remedy the situation. Europe, in this regard, has taken the lead with the adoption of its remarkable General Data Protection Regulation (“GDPR”), which, since 2018, has significantly influenced legislative reforms in the field (Bill 25 is largely based on it) and international trade (e.g., with respect to cross-border data flow). In fact, the GDPR has shaped the emergence of a growing international movement whereby companies must adhere to certain privacy compliance standards in order to share data across markets. The influence of this movement is increasingly reflected in the internal regulations of certain States, as is the case in Canada (Bill 25, Bill C-27 at the federal level, etc.).
In view of the foregoing, it is true that Bill 25 will require substantial transformations on the part of businesses in terms of personal information management and protection. However, for the reasons given above, this change was necessary and, ultimately, inevitable. Indeed, the government’s intervention was essential to put an end to the bad practices that were taking place.
Moreover, by being the first to adopt new standards in Quebec, based on the European model and in line with international trends, Quebec businesses will be one step ahead of other Canadian jurisdictions, which could give them a significant competitive advantage.
In the meantime, it is important to start making the changes required by Bill 25 to comply. With most of the terms of the law coming into effect on September 22, 2023 (including administrative and criminal penalties), the countdown has already begun. Let’s get to work!
1 – Failing that, the highest authority of the organization concerned will have to answer for the obligations of the law (art. 103, Act 25).
2 – At least as long as information security is not integrated (built-in) and relegated to the users (end users).
10 – See the eloquent example of the Schrems II ruling (July 16, 2020) of the Court of Justice of the European Union, which invalidated an automatic certification process for the transfer of European data to the United States on the grounds that the said process (Privacy Shield) did not comply with European protection standards: https://www.cnil.fr/fr/invalidation-du-privacy-shield-les-suites-de-larret-de-la-cjue