The legal issue of data use
The guest of the aperitif: Éloïse Gratton. Éloïse is a lawyer, more precisely Partner and National Co-Leader, Privacy and Data Protection Practice Group at Borden Ladner. She has also previously taught at HEC and the University of Montreal. Today, she lectures and is sought after for her expert advice on privacy bills.
Jean-François is full of praise for her, calling her…
Generous, fun, never boring, and very knowledgeable about her subject!
As they say, it promises to be a good one.
In this aperitif, Jean-François and Éloïse discuss:
- The history of data protection here in Quebec and Canada
- Provincial Bill 64 (in Quebec)
- Federal Bill C-11 (in Canada)
- Companies – Will they really follow these laws?
- What Organizations Should Do Today for Privacy
And since the subject is rather dense, let's not waste time. Let's go!
(If you need to catch up on data protection and the cookie apocalypse, head over to our blog.)
A LITTLE HISTORY
In Quebec, we were the first jurisdiction in Canada to introduce a law on the protection of personal information, in the early 1990s. Although its main principles still hold, the law is now somewhat outdated: the reality of the web has evolved enormously, which is why the update brought by Bill 64 in Quebec is essential.
In Canada, the federal regime (C-11) applies, unless you are in Quebec, Alberta or British Columbia. This means that, for example, a Quebec company doing business across Canada must comply with 1. Quebec rules in Quebec, 2. British Columbia rules in British Columbia, 3. Alberta rules in Alberta, and 4. Canadian rules everywhere else in the country. Complicated? Barely…!
And how do Canadian laws compare to the United States and Europe? We are in between. In Europe, privacy protection is much stricter, and large penalties apply. Let's say that Europe is giving GAFAM a hard time.
In the United States, the vision is very different. There is little intervention, apart from California, which has implemented a law similar to Canada's.
In Canada, our laws are more aligned with Europe, but without major penalties. However, this should change with everything that is coming.
WHAT IS BILL 64?
As explained above, the Quebec government wants to modernize its law to fit the current context and thus better protect the privacy of Quebecers. The updates cover:
- The governance
- Access to information
- The age of consent, which increases from 13 to 14 years
- The use of data in research (today facilitated)
- Penalties (recalcitrants would be liable to fines of up to 10 million or 10% of their turnover)
The big difference from the 1990s law? Express consent. Back then, companies already had to explain, in their terms and conditions, how the data would be used. Today it's the same, but the user must now tick a box to accept or refuse the terms and conditions, hence the concept of explicit consent.
Another difference: companies are asked to use clear language rather than the legal jargon that everyone misunderstands. Does that mean you can write hundreds of pages of terms and conditions in plain language that no one will read because it's too long? Here, the law is still unclear.
In Quebec, the law stipulates that one must ask for consent for… absolutely everything. Éloïse does not agree with this position, because the burden is placed on individuals, not on companies. She hopes that Quebec uses its “common sense” to seek consent when it really matters (example below).
WHAT ARE THE DIFFERENCES WITH BILL C-11?
The two laws are not completely different, but C-11 is a bit more flexible with respect to consent. It accepts (as in Europe) that it makes no sense to require consent for everything.
The federal bill therefore creates exceptions for usual business practices that do not run contrary to consumer expectations. For example, you don't need your client's consent to send them their invoice (because it's just… normal to do so!). In Quebec, however, consent must be obtained systematically.
IS QUEBEC GOING TOO FAR?
The Quebec bill is tougher than in Canada. In some respects (such as systematic consent) it goes further than in Europe.
That said, the bill is not yet finished; it is currently being negotiated clause by clause. The federal government has already tabled its own bill… Perhaps Quebec will realize that it is preferable to align a little more closely with Canada. To be continued.
Is this a Quebec political strategy to win votes? Not necessarily. There are also a lot of good things in the bill, for research and for security incidents. That said, marketing is often the regulators' least favourite activity (with its targeting, profiling, etc.).
According to Jean-François, this sometimes goes too far, for example with the LaPresse article accusing MétéoMédia (Pelmorex) of geolocating its users, when it geolocates them to give them the weather forecast…! It's a shame to attack a Canadian company while, right next door, GAFAM go much further.
WHAT ABOUT DATA STORED IN FOREIGN SERVERS?
Even if a Quebec company's data is stored elsewhere, it must comply with Quebec laws for its operations here. But for Éloïse, the real question is: once the personal information is hosted abroad, is it subject to other rules? The answer is yes. If data is hosted in China and the Chinese government decides to access it, Chinese law prevails. And we still need to know where our data is hosted, because sometimes we don't even know…
Hosting abroad is always a business risk for companies. But currently, it is not forbidden to do so, you just have to be transparent. However, in Bill 64, it becomes more complicated to store abroad. You have to look at which countries are eligible and if they have similar laws. You have to have a contract, do a risk assessment… In short, it's very cumbersome. That said, Éloïse does not believe that these requirements will remain, because they are unrealistic.
DO THE SAME LAWS APPLY IN B2B?
There is now an exception for business contacts. Today, a professional email address is personal information, but a future exclusion is planned, so explicit consent would no longer be needed to use this data. That said, with the anti-spam law that applies (C-28), you still can't do anything (such as send an email without consent). And in advertising? Still a lot of gray areas.
For Éloïse, Bill C-28 was already going too far. We must distinguish between the impact of advertising personalization and data security… This law puts us at a competitive disadvantage compared to other markets which, like the United States, still operate under an opt-out regime.
IS THERE AN EXPIRATION DATE FOR THE DATA?
No. But there is a principle that you don't keep data once it is no longer necessary for your product or service. Companies must therefore think this through and have a retention policy: how long do we want to keep our data?
That said, getting rid of data runs against the new AI tools; the more data we have, the more we can do with it, understand trends, make amazing discoveries.
So how can companies be clear about the use of data when, with AI, not all uses are known yet? Well, whether a new use is compatible with the original collection remains to be seen.
WHAT ABOUT FREE PLATFORMS OR SERVICES?
If we offer free services, does handing over an email address amount to consent? With the new bill, it's still a gray area. For example, in the Facebook case in 2009, it was concluded that personal information is the price to pay for free use of the platform. Would the reasoning be the same in Quebec? We don't know yet.
IS IT UTOPIAN TO THINK THAT COMPANIES WILL FOLLOW THE LAWS? OR THAT REAL PENALTIES WILL BE GIVEN?
Today, yes, it is utopian. But with the laws and penalties to come in Quebec (up to 10 million), we expect this to become quite a deterrent. In Canada it is different: the law gives less power to the Office of the Privacy Commissioner.
That said, the same penalties were provided for with Bill C-28; there was talk of thirty full-time inspectors in Canada… and yet few fines were issued. True, but according to Éloïse, that law is very poorly drafted and has several exceptions, and therefore it is difficult to apply.
Be aware, however, that the commissioners' decisions are sometimes surprising. For example, the one from last fall on smart billboards in a shopping mall. These panels collected general data on the time and the type of profile frequenting the place (e.g. gender and age). But because a unique number was assigned to each passerby, it was decided that the data could be sensitive…
But how do you get explicit consent in this context? It's almost impossible… On the other hand, the visitor should at least be informed (even if it is not explicit consent), and no sensitive information (like the unique number) should be collected. What exactly is sensitive data? Another gray area!
WHY ARE THERE STILL TOO MANY GRAY AREAS?
It's true, this brings a lot of uncertainty. But it also brings interesting flexibility for companies that innovate and want to launch new practices. For example, the notion of sensitive data is not clear, but it is better to see how things evolve before settling it. In Europe, the list of sensitive information is already fixed (religion, sexual orientation, financial data, etc.).
WHAT SHOULD COMPANIES DO TODAY FOR PRIVACY?
1. Write a quality terms and conditions section
- Clear access to the different sections (for example, with an automated table of contents).
- Prioritize the information that really interests the reader at the very beginning of the document.
- Write in plain language, not legalese.
- Be as transparent as possible about the use of data, including concrete examples; it is not enough to mention that the data could be shared with third parties – examples of these third-party platforms are needed.
2. Create a pilot group (or focus group) to test reasonableness (i.e. the reasonable expectation of the average consumer)
- For example, is the use of data X reasonable and non-intrusive? Is it understood?
- Since there are a lot of gray areas, documenting such a process can back us up and help us manage risk.
3. Make sure you have explicit consent for the use of data
4. Respect the wishes of customers
- Some of your customers no longer want to receive your newsletter? Well, the least you can do is respect their wishes.
5. Have the technological means to match your ambitions
- Are your databases segmented well enough to honour your usage promises?
- Are your systems robust enough to use your data only as promised?
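As an added illustration of points 3 to 5 and of the retention-policy question from the data-expiry section (example code written for this recap, not from the podcast, the guest or any real product), the model below binds every piece of personal data to a purpose, admits it only under explicit and unwithdrawn consent, drops it as soon as the customer withdraws, and purges it once the purpose's retention period has elapsed. The purposes, retention periods, subjects and dates are all constructed for the example.

```python
"""Purpose-bound consent ledger with retention enforcement (added example).

Constructed for this recap: the purposes, retention periods, names and
dates below are assumptions, not values from the podcast or any law.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed retention policy: how long data collected for a purpose may be kept.
RETENTION: Dict[str, timedelta] = {
    "invoicing": timedelta(days=7 * 365),   # assumption: accounting-style retention
    "newsletter": timedelta(days=365),
    "analytics": timedelta(days=90),
}


@dataclass
class ConsentRecord:
    subject: str
    purpose: str
    granted_at: datetime
    explicit: bool                     # affirmative act (ticked box), not a pre-checked default
    withdrawn_at: Optional[datetime] = None


@dataclass
class Ledger:
    consents: List[ConsentRecord] = field(default_factory=list)
    # Personal data segmented by purpose, so that one purpose can be withdrawn
    # or purged without touching data held under another purpose.
    data: Dict[str, Dict[str, Tuple[datetime, dict]]] = field(default_factory=dict)

    def grant(self, subject: str, purpose: str, at: datetime, explicit: bool = True) -> None:
        self.consents.append(ConsentRecord(subject, purpose, at, explicit))

    def withdraw(self, subject: str, purpose: str, at: datetime) -> None:
        """Respect the customer's wish: close the consent and drop the data now."""
        for rec in self.consents:
            if rec.subject == subject and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = at
        self.data.get(purpose, {}).pop(subject, None)

    def may_use(self, subject: str, purpose: str, at: datetime) -> bool:
        """True only if an explicit, unwithdrawn consent for this purpose is in force at `at`."""
        return any(
            rec.subject == subject and rec.purpose == purpose and rec.explicit
            and rec.granted_at <= at
            and (rec.withdrawn_at is None or rec.withdrawn_at > at)
            for rec in self.consents
        )

    def store(self, subject: str, purpose: str, at: datetime, payload: dict) -> bool:
        """Accept data only for a purpose with a retention rule and valid consent."""
        if purpose not in RETENTION:
            raise ValueError(f"no retention rule for purpose {purpose!r}")
        if not self.may_use(subject, purpose, at):
            return False
        self.data.setdefault(purpose, {})[subject] = (at, payload)
        return True

    def purge_expired(self, now: datetime) -> List[Tuple[str, str]]:
        """Delete data older than its purpose's retention limit; return what was removed."""
        removed: List[Tuple[str, str]] = []
        for purpose, rows in self.data.items():
            limit = RETENTION[purpose]
            for subject in [s for s, (at, _) in rows.items() if now - at > limit]:
                del rows[subject]
                removed.append((purpose, subject))
        return removed


def demo() -> dict:
    """Walk through the constructed scenario and return the observable outcomes."""
    t0 = datetime(2021, 1, 1)
    ledger = Ledger()
    ledger.grant("alice", "newsletter", t0, explicit=True)
    ledger.grant("alice", "analytics", t0, explicit=False)   # pre-checked box: not explicit
    ledger.grant("alice", "invoicing", t0)
    ledger.grant("bob", "analytics", t0, explicit=True)
    stored_newsletter = ledger.store("alice", "newsletter", t0, {"email": "alice@example.com"})
    stored_implicit = ledger.store("alice", "analytics", t0, {"pages": 3})
    ledger.store("alice", "invoicing", t0, {"invoice": "INV-0001"})
    ledger.store("bob", "analytics", t0, {"pages": 5})
    ledger.withdraw("alice", "newsletter", t0 + timedelta(days=30))   # unsubscribe request
    return {
        "stored_newsletter": stored_newsletter,
        "stored_implicit_consent": stored_implicit,
        "may_use_before_withdraw": ledger.may_use("alice", "newsletter", t0 + timedelta(days=10)),
        "may_use_after_withdraw": ledger.may_use("alice", "newsletter", t0 + timedelta(days=31)),
        "purged_after_400_days": ledger.purge_expired(t0 + timedelta(days=400)),
        "invoicing_kept": "alice" in ledger.data["invoicing"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Segmenting storage by purpose is what makes the two promises enforceable: a withdrawal or a purge for the newsletter purpose cannot reach the invoicing records, and the retention sweep applies each purpose's own limit rather than one blanket rule.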
AND FINALLY, WILL WE BE ABLE TO KEEP UP WITH ALL THESE CHANGES?
It's a challenge, but one of the fundamental principles is that the law must be technologically neutral, which means it won't have to be changed in 6 months or 1 year. It also means our laws are more flexible, and therefore have gray areas.
In other words, we need to do risk management rather than box-ticking compliance. We have to stop seeing everything as black or white. Rather, it is about navigating risk intelligently and responsibly, taking consumer psychology into account.
Because let's not forget one thing: all these upheavals are for the good of the consumer. If we do things that way, it should be fine.