The government and the cybersecurity industry have placed great emphasis on the similarities between Quebec’s law on the protection of personal information online and the European law by which it is inspired. Certain notable differences still remain, which could cause the government not to respect its own law, according to an expert.
“The National Assembly of Quebec requires your consent for this website to use cookies (Cookies)”, indicates a newly installed pop-up window at the entrance to the Quebec Parliament website. The National Assembly is not the only one to have adopted this approach. Many websites have done so to comply with the second of the three waves of measures provided for by Bill 25, which must, among other things, better regulate the way in which websites collect data on their visitors. It started in September 2022; it will be completed next year.
The formulation favored by the National Assembly complies in every respect with what is required by the General Data Protection Regulation (GDPR), which has existed for five years in Europe. However, this is not quite what Quebec law requires, notes Stéphane Hamel, lecturer at the Faculty of Administrative Sciences at Laval University and specialist in digital marketing.
More than cookies
“The National Assembly banner talks about cookie files rather than more general personal information,” he said, which would have required more clarity on what is then done with this data. “For example, there is no declaration that personal information is used by third parties located outside Quebec,” explains the expert. “The National Assembly site is a case, but I see the same problems elsewhere. The problem is that government sites should be the example to follow — and they are not, at the moment.”
It’s even more annoying for Quebec.ca. The site, which aims to be the gateway to the various services of the Quebec government, does not indicate anywhere whether it collects personal data, nor with which partners this collection occurs. The Quebec government site nevertheless uses the services of Google and Microsoft, among others; this should be explicitly stated in accordance with the new law.
The government is not alone in its failure to comply with the law. Stéphane Hamel also noted breaches on the sites of several companies, including the grocers IGA and Metro, the aircraft manufacturer Bombardier and Tourisme Montréal.
Contacted on this subject, a spokesperson for the National Assembly indicated that those responsible for the website were aware of the situation. A new update in accordance with the new law is promised for January 2024.
Since last Friday, Stéphane Hamel has analyzed numerous sites other than those of the government. He discovered several fairly frequent gaps: “There is no list of partners involved, there is no indication that personal information will be sent outside Quebec… And once consent is granted, it is not always possible to come back and change our preferences. And regardless of the user’s choice, trackers are still triggered.”
These trackers are generally those from Google and Meta. The two American giants commonly use an element integrated into millions of websites around the world called a “web beacon”. This piece of code allows their advertising agency to know that a particular Internet user has visited websites that are not theirs. There are also trackers integrated into YouTube videos embedded on websites.
Microsoft, for its part, uses a tracking tool invisible to Internet users which allows website managers to trace the journey of visitors on their sites. The Microsoft Clarity web analytics application builds a so-called click density map on sites where it is integrated. This map allows you to discover which links are the most popular with Internet users. To achieve this, Clarity lists each visitor separately using a code that includes the Internet address (IP) unique to each of these visitors.
Minister Jean-François Roberge, responsible for Access to information and the Protection of personal information, and who is responsible for the new law on the protection of personal information, passes the ball to the Commission for Access to Information. “It is the Commission which has the function of monitoring the application of this law. If necessary, it will be able to carry out the necessary checks,” his press secretary, Thomas Verville, told Le Devoir.
Need for case law
If there is a similarity between the Quebec framework on the protection of personal information and the European framework, it is that in both cases, a good understanding of the new provisions may take time… and even require some legal proceedings.
In Europe, it took five years to arrive at a first indictment relating to non-compliance with the GDPR. Last May, Meta was fined $1.75 billion by Ireland, which the Californian giant rushed to appeal.
“So it’s not over,” the CEO of the French digital consulting firm Didomi, Romain Gauthier, already indicated last spring. “Between the moment the law is thought of, comes into force and becomes jurisprudence, several years will pass.” However, the more time passes, the more the law risks losing its bite, particularly against multinationals with deep pockets which can drag out legal proceedings over several years. “Even in Europe, with advances, we cannot create the impression that companies are facing a serious threat.”
Unless the reputational impact of a possible penalty brings organizations back on the right path, the French expert qualifies.
Stéphane Hamel nods. “Protecting data well can become a positive marketing value for a company, but it may take a few bad examples to get people to react,” he says. Or a few years, the time needed to fully understand a very complex Quebec law.