Protection of personal information | The Art of Surviving Law 25

For Quebec Internet users, Bill 25 has in recent months become synonymous with pop-up windows asking for consent. For businesses, it is often a headache. Only a handful of them are believed to comply with it, and a majority have no intention of doing so. Experts argue, however, that resources and simple guides are available to help tame this complex law.


Published at 1:52 a.m.

Updated at 6:00 a.m.



3 %

According to a survey carried out among 100 Quebec SMEs and NPOs in June 2023 by the Interdisciplinary Cybersecurity Research Group (GRIC) of the University of Sherbrooke, 40% said they were ready for Law 25. In reality, after analysis, barely 3% actually were. Last February, a survey by the French firm Axeptio reached a similar conclusion, with 5% of companies that could be considered compliant.

In three stages

The Act to modernize legislative provisions regarding the protection of personal information, or Law 25, adopted in September 2021 and inspired by European legislation, provides for three phases, each demanding a little more from companies that handle personal information.

Since September 2022, they must designate a person responsible for protecting this information and report any incident to the Commission d’accès à l’information (CAI).

In September 2023, the obligation to comply with the rules of consent (hence the appearance of windows on most websites) and the development of a “Privacy Impact Assessment (PIA)” were introduced.

The last step, in September 2024, concerns the right to “portability”, under which everyone can request a copy of the data concerning them.

The law provides for maximum fines of 25 million.

A tough assessment

One of the requirements that seems the most onerous is the privacy impact assessment. This intimidating term is explained by the agency responsible for applying Law 25, the CAI, in a guide… of 60 pages.

It is precisely on this obligation that Emeline Manson, trainer in fraud prevention and cybersecurity, decided to launch a free tool. Essentially, the PIA (EFVP in French) must be drafted by any company that offers services involving personal information or communicates it outside Quebec.


“There, we have an organization that looks at this and says to itself: ‘Concretely, what do I do tomorrow morning?’ It’s discouraging, really discouraging.”

Emeline Manson, fraud prevention and cybersecurity trainer and president of the firm CY-clic

The trainer does not like the concept of “compliance”, preferring to emphasize the security behaviors of a company.

“Our goal is really to make it less of a big deal, to make it more fun, more comforting, less guilt-inducing. Cybersecurity and Bill 25 currently have a reputation for being very guilt-inducing.”

Small steps

She says it’s all about taking stock of the personal information a company handles, establishing how it’s stored and taking effective measures to protect it.

“The Access to Information Commission wants to have proof that we have at least asked the question. If we don’t document it, if it’s not written anywhere, it’s as if we hadn’t thought about it. If the Commission comes to us, we must be able to prove to them that we have made this assessment, that we have had this reflection, that we have taken this step.”

Rather than terrorizing small and medium-sized businesses with insurmountable demands, Ms. Manson says she prefers the “baby steps method.” “If you see the whole mountain, it discourages you and you don’t do anything. It’s worse than doing it in small bites, doing it as best you can and being able to demonstrate that you’re on the path, that you’ve tried to comply.”

Broadening the debate

For Nicolas Duguay, co-director general of In-Sec-M, an organization bringing together key players in cybersecurity, we must see compliance with Law 25 in a broader perspective.


“For years, the Quebec government has encouraged private organizations of all sizes to digitize, but without ensuring that cybersecurity structures are present. This explains in particular why there is an explosion in cyberattacks.”

Nicolas Duguay, co-director general of In-Sec-M

Rather than focusing solely on compliance with Law 25, his organization set up a program subsidized by Quebec, MaLoi25, which also integrates what is called “cyber resilience.”

Until now, he admits, entrepreneurs’ receptiveness has been, let’s say, minimal.

“I am called upon to make speeches, presentations, and I systematically ask people: ‘Who has heard of Law 25?’ I always have a minority of people who raise their hands. There really is a communication gap.”

Waiting for fines

MaLoi25 offers a self-diagnosis as a starting point, a basis for support subsequently offered at a price that is promised to be “advantageous.” While Mr. Duguay cannot specify what emerges from the thousands of self-diagnoses carried out, he makes this general observation: “It is typical, and it is not only in matters of protection of personal information or cybersecurity: there is a form of candor that we observe in companies here. We are waiting to see the sanctions. I have the impression that there will be a fairly significant boom in requests for Law 25 the day when, in La Presse, Le Journal de Montréal or on Radio-Canada, we see that such-and-such a company has been singled out by the Quebec government and has been fined. Which is not tomorrow, obviously.”
