New rules on personal information | SMEs lagging behind

Starting September 22, the Quebec government will impose the bulk of new requirements aimed at protecting personal information. A major challenge for Quebec businesses, small and large. For some SMEs, it is too late. They will definitely not be ready by the deadline.


“We didn’t take it seriously”

“I’ll be honest with you. It’s a bit the same thing for many SMEs: we did nothing. We didn’t take it seriously because it was so complicated that we said: ‘This shouldn’t apply to us,’” explains the human resources director of a small company who contacted La Presse. “Finally, we realize at one minute to midnight that, yes, this is aimed at us, not just big companies.”

The manager wants to remain anonymous so as not to cause trouble for her employer, who is far from achieving the objectives of the Act to modernize legislative provisions regarding the protection of personal information, called Law 25. She does not want to attract the attention of the Commission for Access to Information (CAI), responsible for investigating breaches of the new rules, and even less that of ransomware hackers, who have stolen the personal information of dozens of Quebec SMEs in recent years.



“It’s absolutely certain that many companies have big issues at stake,” says Soleïca Monnier, a lawyer specializing in personal information at Fasken.

One of the biggest nightmares for small businesses: the data “destruction schedule.” Starting September 22, businesses will have to delete personal information when it is no longer needed.

This obligation concerns all personal data collected from any natural person: customers, employees, suppliers, etc. No more, in principle, driving license numbers, social insurance numbers, dates of birth and other contact details stored forever in the servers of your employer or financial institution. Also no more, complete customer contact details kept ad vitam aeternam in the computer of your mechanic or cleaner.

Good news for the citizens of Quebec. But for companies, these new provisions involve carefully identifying and classifying each piece of personal information collected according to these questions: is this information still useful? To do what? Shouldn’t we destroy it? Does a law require me to keep it?

For the small business manager who contacted La Presse, it is a colossal task, which she has only just begun to tackle, a few days before the deadline of September 22.

“We have a garage, we have the office, we have guys on the ground all over Quebec… We have set up our teams to be able to carry out the life cycle of the information we receive, but that’s going to be complicated, because we have different databases,” she says.

We do not necessarily know how [the databases] are secured, because we don’t have a computer technician.

The human resources director of a small company, on condition of anonymity

Especially since companies must keep certain data for longer due to legal obligations. For example, businesses must keep tax records for seven years to be able to answer potential tax questions.

Major project for large companies

“The bigger the companies, the more complex the measures to be taken,” says Soleïca Monnier.

A few weeks before the deadline, for example, the Société de transport de Montréal says it must continue to “deploy considerable efforts” to meet the new obligations, and external help is rare. “It is clear that these delays seem to have created a scarcity of labor and experts in the field on the market,” writes spokesperson Justine Lord-Dufour in an email to La Presse.

Even the grocer Metro, with a market capitalization of more than 16 billion and its approximately 95,000 employees, must work extra hard to finish the job on time. “It’s still a demanding job,” agrees vice-president of communications Marie-Claude Bacon, in an interview with La Presse.

Among all the large companies contacted, only Quebec’s number one supermarket and pharmacy company accepted the interview request from La Presse.

Even though larger companies like Metro have more resources, the challenge is still considerable. The grocer has the equivalent of three full-time people completing the work, along with external consultants. “Of course we could have chosen to have a few more people to go more quickly, but we don’t see any serious problems,” says Marie-Claude Bacon.

Groping

Like all organizations, however, the company must grope its way forward, since no one knows exactly how the CAI will interpret the new rules established by Quebec. “We had to make decisions based on hypotheses, since certain information is lacking,” concedes the vice-president.

For example, all Quebec websites will have to ask permission from the Internet user before collecting personal information. The measure targets in particular the data collected by browsing trackers, the famous “cookies”.

The CAI must produce “guidelines” on the proper way to seek public consent. But the final version of these rules “is planned for October 2023”, according to the Commission’s website, i.e. after the entry into force of the new law.

In short, companies will have to make adjustments in the weeks following the entry into force of the new provisions of Law 25, confirms Metro, as will Desjardins.

“We are following the CAI’s alignments on this subject as it publishes them,” writes Chantal Corbeil, spokesperson for the financial cooperative.

A former lawyer at the Commission, now self-employed, Cynthia Chassignieux notes that the most advanced companies are those dealing with the European Union. They have already had to adapt to the strict regulations on the protection of personal information that it adopted in 2016. “Others are completely feverish and waiting to see what the government will do.”

Commission for access to information: companies want better support

“I think the Commission d’accès à l’information (CAI) somewhat underestimated the support needed,” says Francis Bérubé, director of provincial affairs at the Canadian Federation of Independent Business. He pleads for better help to get through the “extremely complicated” reform.

At the Borden Ladner Gervais firm, one of the largest in terms of personal information, lawyer Simon Du Perron also notes the shortcomings in the assistance planned for businesses. “Unfortunately, the Commission does not really have a strategic advisory branch,” he laments. “I think it is still digesting Law 25.”

Result: some companies which took longer to react are starting to feel a certain panic and lawyers specializing in the field are overwhelmed.



We are the largest team in privacy law and we have difficulty taking on new clients.

Simon Du Perron, lawyer at Borden Ladner Gervais

“We can’t duplicate ourselves… Everything comes into focus in the end,” says Simon Du Perron.

At the CAI, no one is making any secret about this: clearly, the confidentiality watchdog is not powerful enough. In December, its president called for more resources during an interview with La Presse. “It’s boring to say, but there is a resource issue,” said Diane Poitras.



In the world of personal information lawyers, the Commission’s site is unanimously criticized. They note significant gaps in the available information.

The CAI, for example, publishes a “Support Guide” for carrying out “assessments of factors relating to private life”, an obligation in force since the first wave of measures linked to Law 25, on September 22, 2022. However, the version currently online is from March 2021!

“The information included in this guide reflects the laws before they were amended by [Law] 25,” warns the text. “It will be revised later.” Two and a half years later and a few days before the second wave of measures of the law, the document is still not up to date.

“To the best of its ability”

“The Commission is working hard, to the best of its ability, to inform businesses,” writes Jorge Passalacqua, director of communications for the CAI, in an email to La Presse. The organization promises to put an improved website online any day now that will be better able to inform businesses.

The leaders of the CAI still deplore the “chronic underfunding” of their organization, which prevents it from carrying out its mission.

For the year 2022-2023, when the first series of measures linked to Law 25 came into force, the Commission received 1.5 million more than before, but the organization requested four times more.

For 2023-2024, Quebec has granted an additional budget of 4.2 million.

The minister responsible for the Protection of Personal Information, Jean-François Roberge, refused our interview request.

In an email to La Presse, he says he is “aware” that Law 25 “implies significant changes for businesses”. “The CAI is there to support them in these changes and this is why we have more than doubled the CAI’s budget in recent years.”

In an unsigned message, the Ministry of Executive Council assures that “the government has heard the requests of the Access Commission and is very aware of the new responsibilities which have been assigned to it by the reform on the protection of personal information”.

The Ministry emphasizes that the Commission’s budget has still doubled over the past seven years, reaching 12.6 million in 2023-2024.

The new obligations in brief

Starting September 22, companies that collect personal information will have to:

• Seek consent from the data subject before collecting any personal information, including web browsing data collected by cookies.

• Have governance policies on the collection and retention of personal information, its protection and its destruction.

• Publish a privacy policy for personal information “in simple and clear terms”.

• Inform the persons targeted by the collection of personal information of the use of any technology that makes it possible to identify or locate a person, or to create a profile.

• Evaluate any acquisition, development or overhaul of a computer system with a view to protecting personal information.

• Default technology systems to the highest privacy settings.

The Commission d’accès à l’information will be able to impose penalties on offenders of up to 2% of a company’s worldwide turnover or $10 million.

52 million

Recurring cost per year represented by Bill 25 for the private sector, according to the estimate of the Canadian Federation of Independent Business. “And it’s quite conservative,” says Francis Bérubé, director of provincial affairs.

Source: Canadian Federation of Independent Business

