
Quebec’s new Law 25 is the toughest privacy legislation in Canada. Here’s why it matters.

The following op-ed first appeared in the Toronto Star on October 7, 2023.

Although still behind the EU, Quebec is miles ahead of the rest of Canada when it comes to privacy and data legislation. The second wave of Quebec’s Law 25 took effect on Sept. 22 and is the most significant corporate privacy legislation in the country to date.

Our French Canadian counterparts genuinely recognize that online data is the sole property of individuals, requiring strong policies to ensure companies respect that right. We anticipate other provinces and territories will soon adopt similar measures and all Canadian companies should get ready, quickly.

The new Quebec Law 25 aims to make companies accountable for information entrusted to them. And no, it’s not just large enterprises that need to comply — every business, from a solopreneur to a multinational, needs to get on board.

In June 2019, Laval police uncovered an insider cyberattack on Desjardins, one of Canada’s major banks. The attacker, who had database access through their job, stole and sold personally identifiable information (PII) to a third party, affecting over 9.7 million victims worldwide over a two-year period.

Following this event and the overall increase in cybercrime, the Quebec Government initiated two significant actions:

  • Establishing the Ministère de la Cybersécurité et du Numérique (MCN) to handle cybersecurity and digital infrastructure, recognized and praised globally as a Herculean task.
  • The creation of Law 25. With its roots in the EU’s General Data Protection Regulation, Law 25 aims to modernize aging privacy laws and hold companies accountable for the data they collect. It also introduces the right to be forgotten.
Prior to this new law, companies were not required to protect personal information, or even allow individuals to withdraw their personal information. Before bills like this, companies could freely collect and sell data on individuals, resulting in data leaks, fraud, and a violation of privacy.

Starting last week, Quebec companies must now structure personal data in a manner that enables easy requests for data removal from customers, subcontractors and all current or former employees.

Moreover, companies are now fully accountable for data hosting. In case of a cyberattack resulting in data breach, they must promptly notify affected individuals, report to the central authority handling access requests, and maintain a breach inventory.

Get ready, Canada, because this Quebec legislation is gaining positive traction and will likely be (and should be!) adopted by the rest of Canada.

Here’s what Canadian companies need to consider — and fast — lest they be slapped with huge fines and red tape:

Take personal data seriously

It can no longer be an afterthought. In Quebec, dedicated departments for data management and protection are mandatory under Law 25. Individuals whose data is collected must be informed about its acquisition, usage, and the process to withdraw consent.

Individuals are now in control

In Quebec, individuals can now prohibit companies from collecting or holding onto their data. For the first time in Canada, citizens can request that their personal information not be held or shared. If a customer asks to be forgotten, the company is obligated to comply.

Consequences

European-like penalties await you if you don’t inform the individual (and the authorities) about any breaches of personal information. We’re talking penalties of up to $50,000 per individual, and up to $24,000,000 for a business.

If you’re a business operating in Canada, we recommend nurturing a cybersecurity mindset as soon as possible. You will need to start training your employees on what constitutes a threat and how to react when uncertain about a potential attack.

To enhance security, begin with an inventory of what requires protection. Focus on reducing potential avenues for malicious actors to steal your credentials and data.

Once you secure your endpoints, you can take the time to restructure your data properly and implement the processes needed to follow the Law 25-like legislation that is most certainly coming to the rest of Canada.

René-Sylvain Bédard is CEO of Quebec-based SME cybersecurity company, Indominus, a current participating company in Rogers Cybersecure Catalyst’s Cyber Accelerator program. Will Christodoulou is co-founder of Ontario-based customer data ownership company, Cyder, also an alum of the Catalyst Cyber Accelerator.