
Privacy Law - Bill 25

Hacking incident
Confidentiality incident
Data liability
Personal Data Officer
Emergency plan / data theft
Security breach
Data theft
Bill 25
Data protection
Computer breach
Cyber response team
Risk management strategy

In recent years, the pervasiveness of computers and the Internet has brought about what has come to be known as the « Digital Age », a new era characterized by unprecedented interconnectivity and interoperability between individuals, machines and networks around the world.

One of the most remarkable aspects of this technological revolution is the ability to convert any type of information (words, images, sounds, etc.) into a standard form, that is « data », and exchange same over the Internet with other entities anywhere in the world almost instantaneously.

In the span of 2-3 decades, this revolution has completely upended our society, in particular the way we interact, communicate and conduct business. This is why a growing majority of businesses have come to depend on computer networks and information systems connected to the Internet to run their operations. This data-driven dependency is only the beginning, as it is expected to increase further with artificial intelligence, automation (Industry 4.0), the development of Internet of Things (IoT) devices, and the rollout of 5G technology.

While these technological innovations provide significant advantages to their users, they also raise important legal issues pertaining to cybersecurity and privacy with far-reaching consequences.  

At DUBÉ LATREILLE, our mission is to guide our clients in this complex world so that their business benefits from technological progress while minimizing their risks.

What is privacy?

Privacy can be defined as the right of an individual not to share or disclose certain personal information, or the right to keep same anonymous or confidential. Because this right is an important tenet of a democratic society, it is recognized in Section 5 of Quebec’s Charter of human rights and freedoms.

Yet, every day, people relinquish some of their privacy one way or another to organizations. In the normal course of business, organizations routinely collect, use and disclose « personal identifiable information » or « PII » (such as social insurance number, address, phone number, date of birth, revenues, health insurance number, etc.) pertaining to employees, clients, partners, etc. Understandably, if individuals agree or are obliged to disclose their PII in order to obtain a service, they have a legitimate expectation that their PII will be used for a legitimate purpose and reasonably protected since unlawful use or disclosure could prove to be very prejudicial (violation of privacy, damage to reputation, fraud, impersonation, etc.) to the individuals concerned.

Why should businesses be concerned about privacy?

Privacy has become a growing concern amongst users, who increasingly show an interest in the privacy policies of organizations and their reputation before they choose to do business with them or to entrust their PII to them. This is due in part to the abuse surrounding personal data collection over the years, together with the disregard and negligence pertaining to the protection of PII, which has contributed to a great extent to the compromise of millions of users’ accounts containing personal information.

In light of the widespread complacency displayed by businesses and organizations pertaining to PII security, various jurisdictions have expressed the will to adopt more restrictive and compelling privacy laws to better protect PII and to make organizations more accountable. The General Data Protection Regulation (or « GDPR ») in Europe and the Consumer Privacy Act (or « CCPA ») in California are good examples of this trend, while the federal government of Canada recently introduced Bill C-27 (An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make related and consequential amendments to other Acts).

Meanwhile, the government of Quebec has drawn up an ambitious bill (Bill 25), that is an Act to Modernize the Legislative Provisions Respecting the Protection of Personal Information (PL-64), which came into force following its adoption by the National Assembly on September 21, 2021. This Bill is of great consequence for the Quebec business community as it includes new obligations for organizations, including the duty to designate a person responsible for PII management, to establish rules of governance pertaining to PII, to disclose data breaches, and to obtain free and informed consent prior to collecting PII. The Bill also comprises new rights for individuals, such as the right to information, to withdraw consent, to rectification, and to erasure from corporate records. Overall, these significant changes will bring about a small revolution in personal data management where failure to comply may result in substantial fines.

Given the time and resources that will be required from businesses to integrate the principles and obligations of Bill 25 into their operations (and considering also the benefits this implies in terms of data control and risk management), decision-makers ought to plan ahead accordingly as this might prevent them from making costly non-compliant investments.

What are the risks pertaining to privacy?

Most organizations collect personal identifying information (PII) for various uses and purposes in the normal course of business, whether for HR, services, marketing, health, finance, contracts, etc. As such, they are subject to cyber threats like any other data-driven entity. However, in the event of a cyber incident involving the compromise of PII, the issue of privacy adds another layer of risk that may exacerbate all the others considering the potential impact it may have on operations, reputation, liability, and compliance.

From a Privacy point of view, the underlying risks of a data breach involving PII can be further described as follows:

  1. Operational risk: It may compel an organization to interrupt its operations partially or completely for some time in order to determine the source/cause of the breach, to isolate and eradicate the threat, and to ascertain what PII has been compromised so as to take appropriate contingency measures (including notification to the victims and the authorities). The ensuing downtime can be very costly and even fatal to an organization considering the loss of productivity and the negative impact on morale, reputation and business performance.
  2. Liability risk: A data breach involving PII will likely expose the organization to lawsuits, including a strong likelihood of class actions, for the damages incurred by the victims (users, clients, employees, business partners, shareholders, etc.).
  3. Reputational risk: The compromise of PII can prove to be very damaging to the image and reputation of an organization, especially if the public relations aspect of the crisis is neglected and/or if it turns out the organization has been negligent in the protection of personal information. The consequences can translate into significant loss of business as it will affect the trust of clients, employees, business partners, insurance providers and, necessarily, the value of the organization itself.
  4. Compliance risk: Compliance is the obligation of an organization to respect the law. Although laws in Quebec pertaining to privacy have until now been rather permissive for organizations that disregard PII security, Bill 64 will change the rules drastically given the substantial fines violators will be exposed to. As a result, compliance will become an important issue that organizations will need to address in their risk assessment pertaining to PII.

Fields of Practice - Privacy Law

In order to assist our corporate clients in dealing with the legal challenges pertaining to privacy, including in particular Bill 25, DUBÉ LATREILLE offers the following services:
