Nearly one in three people consider that they’ve been a victim of fraud, according to a Canada-wide survey conducted for Option consommateurs (a non-profit that defends consumer rights). A sobering reminder that protecting your personal information is important.
The Quebec government adopted Law 25 in 2021 with the objective of protecting personal information. Most of it came into effect in September 2023.
“With digital technology and the Internet being so present, and given how much data is on the Web, there was a need to update and modernize our laws,” explains Me Simon Du Perron on Éducaloi’s Angle droit radio show.
Me Du Perron is a lawyer at the firm Borden Ladner Gervais (BLG). He specializes in cybersecurity, privacy and the protection of personal information. Me Du Perron explains that even prior to law 25, Canada had laws protecting personal information. However, law 25 has introduced updates to these protections in the public and private sectors. It also imposes sanctions “to give teeth to existing laws.”
Law 25 also improves people’s control over their personal information “to the extent possible,” adds Me Du Perron.
A European model
Law 25 is “now considered THE gold standard in North America,” according to the Avenues.ca website. It was inspired by European legislation.
“In terms of protecting personal information, [the European Union was the first] to adopt what is considered modern privacy legislation, says Me Du Perron. Those laws were adopted in the age of the Internet, in the age of technology as we know it. So they quickly became the benchmark for the protection of personal information.”
Given the scope of the personal information reform in Quebec, law 25 has come into effect gradually since its adoption in 2021, “to prioritize the most important aspects [of the reform]”, explains Me Du Perron.
In September 2022, the first provisions of the law came into force. They created obligations to notify users of privacy incidents, and to report them. Thus, when there is unauthorized access to or use of an individual’s personal information, whether by a hacker or someone inside an organization, the organization has “to notify the individuals concerned [and] to notify the Commission d’accès à l’information [du Québec], which is the regulator responsible for applying the law”, states Me Du Perron.
“This measure allows for more transparency, improves security measures, keeps people informed and enables them to be more vigilant,” he explains.
Consent banners and de-indexation rights
The increasing presence of consent banners on websites is also a result of Law 25. “Law 25 requires that users agree to so-called profiling or location technologies,” instead of these technologies operating automatically, says Me Du Perron.
Another example? The right to de-indexation, in other words, a person’s right to have hyperlinks associated with their name removed from certain search engines.
According to Me Du Perron, it’s difficult for the law to keep up with the pace of technology, and the current system remains imperfect, “since in our connected world, many business models and service models are based on the collection of personal information, so it can be difficult to do without it.”
Despite this, “it’s an excellent step forward in making organizations more accountable,” concludes Me Du Perron.