In recent years, the pervasiveness of computers and the Internet has brought about what has come to be known as the « Digital Age », a new era characterized by unprecedented interconnectivity and interoperability between individuals, machines and networks around the world.
One of the most remarkable aspects of this technological revolution is the ability to convert any type of information (words, images, sounds, etc.) into a standard form, that is « data », and exchange same over the Internet with other entities anywhere in the world almost instantaneously.
In the span of 2-3 decades, this revolution has completely upended our society, in particular the way we interact, communicate and conduct business. This is why a growing majority of businesses have come to depend on computer networks and information systems connected to the Internet to run their operations. This data-driven dependency is only the beginning, as it is expected to increase further with artificial intelligence, automation (industry 4.0), the development of Internet of things (IoT) devices, and the rollout of 5G technology.
While these technological innovations provide significant advantages to their users, they also raise important legal issues pertaining to cybersecurity and privacy with far-reaching consequences.
At DUBÉ LATREILLE, our mission is to guide our clients in this complex world so that their business benefits from technological progress while minimizing their risks.
Privacy can be defined as the right of an individual not to share or disclose certain personal information, or the right to keep same anonymous or confidential. Because this right is an important tenet of a democratic society, it is recognized in Section 5 of Quebec’s Charter of human rights and freedoms.
Yet, every day, people relinquish some of their privacy one way or another to organizations. In the normal course of business, organizations routinely collect, use and disclose « personally identifiable information » or « PII » (such as social insurance number, address, phone number, date of birth, revenues, health insurance number, etc.) pertaining to employees, clients, partners, etc. Understandably, if individuals agree or are obliged to disclose their PII in order to obtain a service, they have a legitimate expectation that their PII will be used for a legitimate purpose and reasonably protected, since unlawful use or disclosure could prove to be very prejudicial (violation of privacy, damage to reputation, fraud, impersonation, etc.) to the individuals concerned.
Privacy has become a growing concern amongst users, who increasingly show an interest in the privacy policies of organizations and their reputation before they choose to do business or to entrust their PII with same. This is due in part to the abuse surrounding personal data collection over the years, together with the disregard and negligence pertaining to the protection of PII, which has contributed to a great extent to the compromise of millions of users’ accounts containing personal information.
In light of the widespread complacency displayed by businesses and organizations pertaining to PII security, various jurisdictions have expressed the will to adopt more restrictive and compelling privacy laws to better protect PII and to make organizations more accountable. The General Data Protection Regulation (or « GDPR ») in Europe and the Consumer Privacy Act (or « CCPA ») in California are good examples of this trend, while the federal government of Canada recently introduced Bill C-27 (An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make related and consequential amendments to other Acts).
Meanwhile, the government of Quebec has drawn up an ambitious bill (Bill 25), that is an Act to Modernize the Legislative Provisions Respecting the Protection of Personal Information (PL-64), which came into force following its adoption by the National Assembly on September 21, 2021. This Bill is of great consequence for the Quebec business community as it includes new obligations for organizations, including the duty to designate a person responsible for PII management, to establish rules of governance pertaining to PII, to disclose data breaches, and to obtain free and informed consent prior to collecting PII. The Bill also comprises new rights for individuals such as the right to information, to withdraw consent, to rectification, and to erasure from corporate records. Overall, these significant changes will bring about a small revolution in personal data management where failure to comply may result in substantial fines.
Given the time and resources that will be required from businesses to integrate the principles and obligations of Bill 25 into their operations (and considering also the benefits this implies in terms of data control and risk management), decision-makers ought to plan ahead accordingly as this might prevent them from making costly non-compliant investments.
Most organizations collect personally identifiable information (PII) for various uses and purposes in the normal course of business, whether for HR, services, marketing, health, finance, contracts, etc. As such, they are subject to cyber threats like any other data-driven entity. However, in the event of a cyber incident involving the compromise of PII, the issue of privacy adds another layer of risk that may exacerbate all the others considering the potential impact it may have on operations, reputation, liability, and compliance.
From a Privacy point of view, the underlying risks of a data breach involving PII can be further described as follows:
In order to assist our corporate clients in dealing with the legal challenges pertaining to privacy, including in particular Bill 25, DUBÉ LATREILLE offers the following services: