Privacy Policy | The Art of Surviving Bill 25

For Quebec Internet users, Bill 25 has been synonymous for several months with “pop-up” windows asking for their consent. For businesses, this is often a headache. A handful of them would comply, and a majority have no intention of complying. However, experts argue, resources and simple guides are available to tame this complex law.


Posted at 1:52 a.m.

Updated at 6:00 a.m.



3%

According to a survey of 100 Quebec SMEs and NPOs conducted in June 2023 by the Interdisciplinary Cybersecurity Research Group (GRIC) at the University of Sherbrooke, 40% said they were ready for Bill 25. In reality, after analysis, barely 3% were actually ready. Last February, a survey by the French firm Axeptio came to a similar conclusion, finding that only 5% of companies could be considered compliant.

In three phases

The Act to modernize legislative provisions relating to the protection of personal information, or Law 25, adopted in September 2021 and inspired by European legislation, provides for three phases, each demanding a little more from companies handling personal information.

Since September 2022, they must in particular designate a person responsible for the protection of this information and report any incident to the Commission for Access to Information (CAI).

In September 2023, the obligation to comply with the rules of consent (hence the appearance of windows on most websites) and the development of a “Privacy Impact Assessment (PIA)” were introduced.

The last step, in September 2024, concerns the right to “portability”, under which everyone can request a copy of the data concerning them.

The law provides for maximum fines of 25 million.

A tough assessment

One of the requirements that seems the most onerous is the privacy impact assessment (known in French by the acronym EFVP). This intimidating term is explained by the body responsible for implementing Law 25, the CAI, in a 60-page guide.

It is precisely on this obligation that Emeline Manson, a trainer in fraud prevention and cybersecurity, decided to launch a free tool. Essentially, an EFVP must be written by any company that offers services involving personal information or communicates it outside Quebec.

PHOTO MATHIEU CHEVALIER, PROVIDED BY EMELINE MANSON

Emeline Manson, fraud prevention and cybersecurity trainer and president of the firm CY-clic

There, we have an organization that looks at this and says to itself: “concretely, what do I do tomorrow morning?” It’s discouraging, really discouraging.

Emeline Manson, fraud prevention and cybersecurity trainer and president of the firm CY-clic

The trainer does not like the concept of “compliance”, preferring to emphasize the security behaviors of a company.

“Our goal is really to make it less big, to make it more fun, more comforting, less guilt-inducing. Cybersecurity and Bill 25 currently have a reputation for being very guilt-inducing.”

Small steps

She says it’s all about taking stock of the personal information a company handles, establishing how it’s stored and taking effective measures to protect it.

“The Access to Information Commission wants to have proof that we have at least asked the question. If we don’t document it, if it’s not written anywhere, it’s as if we hadn’t thought about it. If the Commission comes to us, we must be able to prove to them that we have made this assessment, that we have had this reflection, that we have taken this step.”

Rather than terrorizing small and medium-sized businesses with insurmountable demands, Ms. Manson says she prefers the “small steps method”. “If you see the whole mountain, it discourages you and you do nothing. That’s worse than doing it in small chunks, doing it as best you can and being able to demonstrate that you are in a process, that you have sought to comply.”

Broaden the debate

For Nicolas Duguay, co-director general of In-Sec-M, an organization bringing together key players in cybersecurity, we must see compliance with Law 25 in a broader perspective.

PHOTO CATHERINE LEFEBVRE, ARCHIVES SPECIAL COLLABORATION

Nicolas Duguay, co-CEO of In-Sec-M

For years, the Quebec government has encouraged private organizations of all sizes to digitize, but without ensuring that cybersecurity structures are present. This explains in particular why there is an explosion of cyberattacks.

Nicolas Duguay, co-director general of In-Sec-M

Rather than focusing solely on compliance with Law 25, his organization set up a program subsidized by Quebec, MaLoi25, which also integrates what is called “cyber resilience.”

So far, he acknowledges, the attention paid by entrepreneurs has been, let’s say, minimal.

“I am called upon to make speeches, presentations, and I systematically ask people: ‘Who has heard of Law 25?’ I always have a minority of people who raise their hands. There really is a communication gap.”

Awaiting fines

MaLoi25 offers a self-diagnosis as a starting point, a basis for support offered later at a rate that is promised to be “advantageous.” While Mr. Duguay cannot specify what emerges from the thousands of self-diagnoses carried out, he makes this general observation: “It’s typical, and it’s not just in terms of protecting personal information or cybersecurity: there is a form of candor that we observe in companies here. We’re waiting to see the sanctions. I have the impression that there will be a fairly significant boom in requests for Bill 25 the day when, in La Presse, Le Journal de Montréal or on Radio-Canada, we see that such-and-such a company has been singled out by the Quebec government and has been fined. Which is not tomorrow, obviously.”
