With Law 25, citizens obtain new rights. Companies, for their part, have several obligations to implement. (Photo: 123RF)
The deadline to comply with the second part of Law 25 on the management of personal information in Quebec is fast approaching. From September 22, the fines for companies caught in default could be steep.
The Act modernizing legislative provisions regarding the protection of personal information in the private sector, also called “Law 25”, governs the management of personal data in businesses.
“This is the first major law for the protection of personal information in Canada. It is a law that is inspired by the General Data Protection Regulation (GDPR) in Europe,” summarizes Imran Ahmad, partner, Canadian head of the technology division and Canadian co-head of the information governance, privacy and cybersecurity division at Norton Rose Fulbright Canada.
With Law 25, citizens obtain new rights, such as the right to deindexation, under which a person can ask a company to stop disseminating one or more pieces of their personal information. Companies, for their part, have several obligations to implement.
Rethinking data management
The management of personal information, whether the addresses of its customers or the social insurance numbers of its employees, and regardless of whether it is recorded on digital or physical media, is at the heart of these obligations for businesses.
Customer consent when collecting information must, for example, be clear and explicit, particularly regarding what will be done with this information and with which suppliers it will be shared. Companies must also carry out a complete mapping of the personal information they hold, which then allows the data to be deleted when the associated consent expires or when a customer requests it, for example.
“Many of these elements were once good practices to adopt, but they are now codified in law,” says Imran Ahmad.
“Law 25 will not only affect the work of lawyers. It is a law that will require a change in behavior in several professions, and which could disrupt the way things are done,” notes Romain Gauthier, CEO and co-founder of Didomi, which offers various solutions to help companies comply with Law 25, particularly tools for obtaining consent from visitors on the web.
Law 25 also affects other aspects of personal information, such as the management of confidentiality incidents.
Sometimes a long job
The first component, which came into force on September 22, 2022, was fairly simple to implement: companies had to designate a person responsible for the protection of personal information, then publish that person’s title and contact details on the company’s website. The second part, expected on September 22, may be more complex.
“If you already have customers in Europe and therefore already comply with the GDPR, it is not very complicated. Otherwise, it can take a lot of work, especially if you have a lot of personal information,” says Romain Gauthier.
“It should take businesses at least 90 days to comply properly,” observes Imran Ahmad. “It may be shorter for small businesses, 30 to 60 days, but then they have to hurry.”
“It took us longer than we thought to do it, we had planned to finish three months earlier,” notes Yannick Desmarais, founder and CEO of Worximity Technology, a Montreal technology company with around forty employees.
The Commission d’accès à l’information (CAI) does not have information on the current state of progress of companies in their process to become compliant, since they are not required to inform the Commission, a CAI spokesperson explained to “Les Affaires”.
Fines to be expected
The incentives for doing the work are significant: for non-compliance, a company could be fined up to $25 million, or 4% of global turnover.
“We do not yet know to what extent the CAI will distribute fines. There will likely have to be misconduct, not just a technical violation that can be fixed quickly,” predicts Imran Ahmad.
Remember that Meta was fined 1.2 billion euros (1.75 billion Canadian dollars) this spring in Europe for violating the GDPR, the European equivalent of Quebec’s Law 25.