Quebec officially puts an end to the excessive use of personal information in the private sector. Recalcitrant companies face severe financial penalties.
• Read also: Cybercrime worries IT managers
• Read also: A law for digital transformation
The countdown has begun: the Act to modernize the protection of Quebecers’ personal data was sanctioned on Tuesday and companies have two years to comply.
After several months of negotiations, the CAQ government adopted its project targeting businesses and public bodies.
“There are a lot of small companies for whom it is a big step to climb”, mentions the minister responsible for the governmental digital transformation, Eric Caire.
“The main challenge linked to cyber attacks and data theft are problems of neglect and lack of expertise,” he argues.
Quebec is the first jurisdiction in the country to attack the methods of the private sector. It provides a framework for the use of data collected by companies and public bodies.
“People say it’s not a game. It’s not just a great tool for doing business. You play with life, with the identity of the people who entrust you with this information and it is a responsibility in the digital world which is extremely heavy, ”the minister said, admitting, without flinching, that several organizations are involved. bad mood.
Salty fines
Regardless of the criticisms, companies will have to quickly adjust to strict legal and technological rules in order to better protect citizens’ data.
“Yes, the business costs him money, but the citizen who has his data and his identity stolen is appalling. He is going to live through hell, ”he says, happy to have received the support of the opposition parties to bring this project to fruition.
Companies that fail to meet the new standards face heavy penalties. Administrative and criminal penalties may reach $ 25 million or 4% of global turnover. “Ultimately, we will punish those who are in bad faith, those who do not take it seriously,” said Cairo.
To illustrate what constitutes negligence that would expose itself to the ultimate penalty, the Minister gives the example of the data breach at Desjardins in 2019.
It is the Access to Information Commission (CAI) which will be responsible for enforcing the rules.
Budgets will thus have to be released, Minister Cairo said. Although the majority of the provisions will be in effect within two years, the process will run until September 2024.
Colossal task
According to lawyer Caroline Deschênes, we must not underestimate the extent of the work that a company will have to do to comply with these obligations.
“It represents a tremendous amount of work and a lot of costs and resources,” explains the associate lawyer at Langlois, who is already supporting several companies in their transition. “There are certainly concerns and they have been addressed.”
Also to see
www.journaldemontreal.com