Quebec at the forefront of personal data protection

This text is part of the special section Le droit au Québec

Two almost simultaneous events have thrust digital technology into the general practice of law. The pandemic, by giving a boost to telework, has increased tenfold the cybersecurity and technological governance challenges facing companies. Beginning in June 2020, the Government of Quebec undertook to modernize its laws for the protection of personal information. Since September 2021, Quebec companies have been operating in a significantly stricter framework.

Selena Lu, a partner at the Lavery firm, does not hesitate to recount what she calls her “covid conversion”. “I’m not a techno girl, I’m a mergers and acquisitions girl, of classic business law, and I had to learn very quickly, in the midst of a pandemic. Everything changed almost at once: the way of considering contracts, particularly with regard to warranties, the way of carrying out due diligence, in addition to imposing technological governance.”

“Lawyers are now required to have a minimum knowledge of computer language,” notes Vincent Gautrais, professor and holder of the University of Montreal Chair in Security and Electronic Business Law. “A lot of companies aren’t up to date, and all of our students are sucked into private practice.”

The sudden changes of the past two years did not come as a bolt from the blue, but questions of digital technology had long remained confined to rather specialized spheres of law. “I had been very fashionable at the end of the 1990s when I had just finished my doctoral thesis on the digital contract, just before the bursting of the techno bubble in 2000,” recalls Vincent Gautrais. “The madness started again in 2015 with artificial intelligence.”

“Until recently, technological governance was perceived as a problem for large companies, but SMEs and even NPOs have also realized that they have to think about it,” adds Selena Lu. She explains that a chocolate factory that has its recipe on a computer or a psychologist’s office that keeps its clients’ files on a computer also has a cybersecurity issue.

Pioneering Quebec

It is highly likely that Quebec lawyers familiar with these issues will be in high demand across the continent. Quebec has indeed taken a big lead over all the Canadian provinces, and even over the federal government with its new “Act to modernize legislative provisions for the protection of personal information”.

Also called Bill 25 or Bill 64, this new law, sanctioned by the National Assembly on September 22, 2021 after 15 months of work, introduces a series of new obligations. For example, the board of directors of a Quebec company will have to appoint a person in charge of personal information. A company found to have failed in its obligations will have to pay fines ranging from 15,000 dollars to 25 million dollars, and up to 4% of its worldwide turnover, with the amounts doubled for a repeat offence.

“With this law, Quebec has moved closer to the European system and its General Data Protection Regulation [GDPR],” notes Selena Lu. She cites in particular the introduction of the concept of the right to be forgotten, which will allow a person to demand the removal of certain information and certain hyperlinks.

Law 25 is due to come into force in September 2023, which gives companies only 18 months to adapt. “What will be decisive are the resources that will be given to the Commission d’accès à l’information. It’s all well and good, the heavy penalties. But if the Commission does not have the resources and the personnel to follow up, it will come to nothing. It will take sanctioning capacity,” adds the partner.

Cybersecurity is everywhere

Cybersecurity is associated with spectacular ransomware and sabotage attacks. In fact, in an age where even a coffee maker can be connected to Wi-Fi, businesses have so many electronic access points that any hacker armed with a keyboard can simply set up shop, spy, and steal whatever information they care about.

Selena Lu now sees cybersecurity and technology governance issues almost everywhere. “I represent an NPO that receives donations, and therefore financial information on donors. The organization works with volunteers, who have access to accounts from any portal, even in cafes, there is no list of volunteers, access codes, passwords. Do you realize the risks?”

“It calls into question what is meant by ‘force majeure’,” she explains. In principle, a company can avoid its contractual obligations by invoking a case of force majeure, that is to say an unforeseeable and irresistible event. “But precisely, in the context where 20% of companies are victims of a cyberattack each year, we can no longer plead that we did not know it, that it was unforeseeable,” she concludes.
