When it comes to new technologies, the outlining laws are often established as we encounter obstacles. Today, in Quebec, whether as a customer, owner of a small or medium-sized enterprise (SME), or the leader of a multinational corporation, everyone is affected by the Act to modernize legislative provisions as regards the protection of personal information, also known as the Law 25.
First, a bit of context: Largely inspired by the General Data Protection Regulation of the European Union (the famous "GDPR"), Law 25 aims to strengthen and unify the protection of personal data in Quebec, notably by substantively amending the Act respecting the protection of personal information in the private sector. This Act intends to grant to individuals a greater control over their personal data and imposes strict obligations on companies that process such personal data.
Some main points of Law 25 include explicit consent for data processing, the right for users to be forgotten, notifications obligation in case of data breach, and the appointment of a data protection officer for organizations handling data. The implementation of these new obligations unfold in three stages.
The first phase introduced the concepts of accountability and responsibility for businesses, while the current second phase requires in-depth internal evaluation and establishment of transparency-fueled protocols tailored to each company, regardless of their size, regarding the collection, processing, use, security, and destruction of the personal information it collects, along with the foundation of various user rights, such as the right to be forgotten. The final phase will go a step further, introducing the right to data portability for users, imposing on companies the duty to provide a copy, upon request, of the personal information they hold on individuals, thereby allowing them to take this information elsewhere for importation and use.
Accountability is the new standard.
Each company is henceforth obligated to demonstrate transparency and benevolence towards the personal data it collects. The Act now required each company to identify the personal data it requires, and to articulate and publish its commitments regarding such data. Among all the information it wants to gather, the reason for doing so must be determined and lawful. If an organisation struggles to justify to identify the intended use regarding personal information that is collected, it might be a hint that this information should not be collected. Moreover, in this quantitative field, minimizing the amount of information collected by a company often adequates to lowering the impact of a potential data breach!
What about the users?
Law 25 encourages reflection on the data everyone shares without much consideration. It fosters greater accountability and a reclaiming of power over what each individuals wishes to share. It also promotes the creation of value and a sense of mutual trust between the company and its customers.