
Starting September 22, the Quebec government will impose the bulk of the new requirements aimed at protecting personal information. A major challenge for Quebec businesses, large and small. For some SMEs, it is too late. They will certainly not be ready by the deadline.

“I’ll be honest with you. It’s a bit the same thing for many SMEs: we did nothing. We didn’t take it seriously because it was so complicated that we said, ‘This shouldn’t apply to us,’” explains the human resources director of a small company contacted by La Presse. “Finally, we realize at one minute to midnight that, yes, this is aimed at us, not just big companies.”

The manager wants to remain anonymous so as not to cause trouble for her employer, which is far from meeting the objectives of the Act to modernize legislative provisions regarding the protection of personal information, known as Law 25. She does not want to attract the attention of the Commission for Access to Information (CAI), which is responsible for investigating breaches of the new rules, and still less that of ransomware hackers, who have stolen personal information from dozens of Quebec SMEs in recent years.

“It’s absolutely certain that a lot of companies have big issues,” says Soleïca Monnier, a lawyer specializing in personal information at Fasken.

This obligation concerns all personal data collected from any natural person: customers, employees, suppliers, etc. In principle, there will be no more driver’s licence numbers, social insurance numbers, dates of birth and other contact details stored forever on the servers of your employer or financial institution. Nor will complete customer contact details be kept ad vitam aeternam on the computer of your mechanic or your cleaner.

Good news for the citizens of Quebec. But for companies, these new provisions mean carefully identifying and classifying each piece of personal information collected according to these questions: Is such information still useful? To do what? Shouldn’t we destroy it? Is there a law requiring me to keep it?

For the small business manager contacted by La Presse, it is a colossal task, which she has only just tackled, a few days before the September 22 deadline.

“We have a garage, we have the office, we have guys on the ground all over Quebec… We have set up our teams to be able to carry out the life cycle of the information we receive, but that’s going to be complicated, because you have different databases,” she says.

Especially since companies must keep certain data for longer due to legal obligations. For example, businesses must keep tax records for seven years to be able to answer potential tax questions.

“The bigger the companies, the more complex the measures to be taken,” says Soleïca Monnier.

A few weeks before the deadline, for example, the Société de transport de Montréal says it must continue to “deploy considerable efforts” to meet the new obligations and external assistance is scarce. “It is clear that these delays seem to have created a scarcity of labor and subject matter experts on the market,” spokesperson Justine Lord-Dufour wrote in an email to La Presse.

Even the grocer Metro, with a market capitalization of more than 16 billion and its approximately 95,000 employees, must work extra hard to finish the job on time. “It’s still a demanding job,” agrees vice-president of communications Marie-Claude Bacon, in an interview with La Presse.

Of all the major companies contacted, only Quebec’s number one supermarket and pharmacy company accepted La Presse’s interview request.

Even if large corporations like Metro have more resources, the challenge is still considerable. The grocer has the equivalent of three full-time people completing the job, accompanied by outside consultants. “Of course we could have chosen to have a few more people to go more quickly, but we don’t see any serious problems,” says Marie-Claude Bacon.

Like all organizations, however, the company must feel its way forward, since no one knows exactly how the CAI will interpret the new rules established by Quebec. “We had to make decisions based on assumptions, since some information is missing,” concedes the vice-president.

For example, all Quebec websites will have to ask the Internet user for permission before collecting personal information. The measure targets in particular the data collected by browser cookies.

The CAI must produce “guidelines” on the proper way to seek public consent. But the final version of these rules “is planned for October 2023”, according to the Commission’s website, i.e. after the entry into force of the new law.

In short, businesses will have to make adjustments in the weeks following the entry into force of the new provisions of Bill 25, confirms Metro, as will Desjardins.

“We are following the CAI’s alignments on this subject as it publishes them,” writes Chantal Corbeil, spokesperson for the financial cooperative.

A former lawyer at the Commission who is now self-employed, Cynthia Chassignieux notes that the most advanced companies are those dealing with the European Union. They have already had to adapt to the strict regulations on the protection of personal information that it adopted in 2016. “Others are completely feverish and waiting to see what the government will do.”

“I think the Commission d’accès à l’information (CAI) somewhat underestimated the support needed,” says Francis Bérubé, director of provincial affairs at the Canadian Federation of Independent Business. He pleads for better help to get through the reform, which he calls “extremely complicated”.

At the Borden Ladner Gervais firm, one of the largest in terms of personal information, lawyer Simon Du Perron also notes the shortcomings in the assistance provided for businesses. “Unfortunately, the Commission doesn’t really have a strategic advisory branch,” he laments. “I think it’s still digesting Bill 25.”

Result: some companies that took longer to react are starting to feel a certain panic and lawyers specializing in the field are overwhelmed.

“You can’t duplicate yourself… Everything comes in the crosshairs in the end,” says Simon Du Perron.

At the CAI, nobody hides it: the privacy watchdog is obviously not strong enough. In December, its president called for more resources in an interview with La Presse. “It’s boring to say, but there is an issue of resources,” said Diane Poitras.

In the world of personal information lawyers, the Commission’s site is unanimously criticized. They noted significant gaps in the available information.

The CAI, for example, publishes a “Support Guide” for carrying out “assessments of privacy factors”, an obligation in force since the first wave of measures linked to Law 25, on September 22, 2022. However, the version currently online dates from March 2021!

“The information included in this guide reflects the laws before their amendment by [Law] 25,” the text warns. “It will be revised later.” Two and a half years later and a few days before the second wave of measures of the law, the document is still not up to date.

“The Commission is working hard, to the extent of its ability, to inform companies,” writes Jorge Passalacqua, director of communications for the CAI, in an email to La Presse. The organization promises to put an improved website online any day now, one that will be better able to inform businesses.

For the year 2022-2023, when the first series of measures linked to Law 25 came into force, the Commission received 1.5 million more than before, but the organization requested four times more.

For 2023-2024, Quebec has granted an additional budget of 4.2 million.

The Minister responsible for the Protection of Personal Information, Jean-François Roberge, refused our request for an interview.

In an email to La Presse, he said he was “aware” that Law 25 “implies significant changes for businesses.” “The CAI is there to support them in these changes and that is why we have more than doubled the CAI’s budget in recent years.”

In an unsigned message, the Ministry of the Executive Council assures that “the government has heard the requests of the Access Commission and is very aware of the new responsibilities which have been assigned to it by the reform on the protection of personal information”.

The Ministry emphasizes that the Commission’s budget has still doubled over the past seven years, reaching 12.6 million in 2023-2024.

Starting September 22, businesses that collect personal information will need to:

• Seek consent from the data subject before collecting any personal information, including web browsing data collected by cookies.

• Have governance policies on the collection and retention of personal information, its protection and destruction.

• Publish a personal information privacy policy “in simple and clear terms.”

• Inform the people targeted by the collection of personal information of the use of any technology allowing the identification or location of a person, or even the creation of a profile.

• Evaluate any acquisition, development or overhaul of an IT system with a view to protecting personal information.

• Default technology systems to the highest privacy settings.

The Commission for Access to Information will be able to impose penalties on offenders of up to 2% of a company’s global turnover or $10 million.

Recurring cost per year that Bill 25 represents for the private sector, according to the estimate of the Canadian Federation of Independent Business. “And it’s quite conservative,” says Francis Bérubé, director of provincial affairs.