International laws on personal data protection are changing. The global trend has reached Quebec, where the National Assembly is studying Bill 64, a law with consequences for companies of all sizes, not just major digital companies like the GAFAMs of this world.
“Many companies end up collecting, sometimes unwittingly, data about their clients and other stakeholders,” says Jocelyn Auger, a lawyer who specializes in IT and partner at BCF Business Law. “Once passed, the new data protection law will affect everyone in Quebec.” He says it’s not too early for businesses to start preparing for the change from both organizational and technological standpoints.
Mr. Auger, who is scheduled to speak about personal data protection and the legal consequences of cybersecurity breaches at the Cybersecurity 20/20 conference on November 24, explains that while the upcoming legal framework is new, the principles behind it aren’t. In fact, they’re the same principles that were adopted by the Organization for Economic Cooperation and Development (OECD) in 1980.
Included in these principles are limits on data collection, individual consent to the collection and use of their personal data, and the opportunity for people to access their entire file. Privacy and transparency are also issues raised by the OECD.
Dominique Derrier, who is the chief information security officer at NOVIPRO, believes that we need to limit data purging without holding business back.
Outdated legislative framework
“The old legislative framework dates back several decades. It was designed to balance business interests and privacy concerns,” explains Mr. Auger.
But this balance has been upset by more recent developments, such as the emergence of companies that sell data, the widespread use of smart phones and other devices that collect large volumes of personal information, and the advent of artificial intelligence tools capable of processing information in ways that were previously impossible.
“The old laws were essentially written in another world,” says Mr. Auger. “The arrangement was no longer fair for individuals.”
Changing laws
The General Data Protection Regulation (GDPR), which came into effect in the European Union in 2018, is based on the same general principles, but imposes several new restrictions on the collection and use of personal data. For instance, companies now have to disclose their profiling activities and allow individuals to provide incremental consent, by which they can allow or refuse the collection of specific data such as where a device is located.
Under the European regulation, internet users also have the right to be forgotten, which essentially allows them to have their information deleted from search engine databases. In addition, personal data is now considered private until users explicitly grant access to it, rather than the other way around.
Finally, the GSPD has imposed stricter reporting requirements and in the event of a security breach companies can face fines equivalent to 4% of their revenues or €20 million.
In comparison, the California Consumer Privacy Act, which came into effect on January 1, 2020, doesn’t go quite as far, but it nonetheless reflects the same concerns. The same is true for Canadian legislation, which was amended in 2018.
Quebec’s Bill 64 is following a similar path. “Here in Quebec, the maximum fines could reach $25 million,” says Mr. Auger. “Under the current law, the maximum is just $50,000.”
Companies should start preparing now
Mr. Auger recommends that companies start updating their practices right away and aim to meet GDPR requirements, since they are the most stringent.
“Appoint a privacy officer and make privacy a central consideration in your product design,” he advises. “Give your customers the chance to obtain copies of their data and make sure your product integrity will be preserved even if consumers ask for their data to be erased. A lot of older databases simply can’t support this.”
Dominique Derrier, who worked as a data protection officer while the GDPR was being updated, adds: “Compliance is achievable if companies are methodical about it. They’ve got to identify personal data, adhere to all cybersecurity principles and track their progress.”
Mr. Derrier is confident that Quebec’s new legislative framework will automatically make corporate data assets more secure. Those that do business with European and international companies are already prepared, but adapting to the new Quebec law could prove challenging for SMEs. But there’s no way around it.
“The new laws are stay,” says Jocelyn Auger. “There’s no going back.”