The guest of the aperitif: Éloïse Gratton. Éloïse is a lawyer, more precisely Partner and National Co-Leader, Privacy and Data Protection Practice Group at Borden Ladner. She has also previously taught at HEC and the University of Montreal. Today, she lectures and is sought after for her expert advice on privacy bills.
Jean-François is full of praise for her, describing her as generous, fun, sharp, and someone who knows her subject inside out!
As they say, it promises.
In this aperitif, Jean-François and Éloïse discuss:
And since the subject is a weighty one, let's not waste time. Let's go!
(If you need to catch up on data protection and the cookie apocalypse, head over to our blog.)
In Quebec, we were the first jurisdiction in Canada to introduce a law on the protection of personal information, in early 1990. Although its main principles still hold, the law is now somewhat outdated: the reality of the web has evolved enormously, which is why the update proposed in Quebec's Bill 64 is essential.
In Canada, federal Bill C-11 prevails unless you are in Quebec, Alberta or British Columbia. This means that a Quebec company doing business across Canada must comply with 1. Quebec rules in Quebec, 2. British Columbia rules in British Columbia, 3. Alberta rules in Alberta, and 4. Canadian rules everywhere else in the country. Complicated? Barely…!
And how do Canadian laws compare to the United States and Europe? We are in between. In Europe, privacy protection is much stricter, and large penalties apply. Let's say that Europe is giving GAFAM a hard time.
In the United States, the vision is very different. There is little regulatory intervention, apart from California, which has implemented a law similar to Canada's.
In Canada, our laws are more aligned with Europe, but without major penalties. However, this should change with everything that is coming.
As explained above, the Quebec government hopes to update itself in order to adapt to the current context, and therefore, to better protect the privacy of Quebecers. These updates include:
The big difference from the law of the 1990s? Express consent. Back then, companies already had to explain in their terms and conditions how the data would be used. Today it's the same, but the user must now tick a box to accept or refuse the terms and conditions, hence the concept of explicit consent.
Another difference: companies are asked to use clear language rather than legal jargon that nobody understands. Does that mean you can write hundreds of pages of terms and conditions in plain language that no one will read because they're too long? Here, the law is still unclear.
In Quebec, the law stipulates that one must ask for consent for… absolutely everything. Éloïse does not agree with this position, because the burden is placed on individuals, not on companies. She hopes that Quebec uses its “common sense” to seek consent when it really matters (example below).
The two laws are not completely different, but C-11 is somewhat more flexible with respect to consent. It accepts (as in Europe) that requiring consent for everything does not make sense.
Exceptions have therefore been created for usual business practices that do not run counter to consumer expectations. For example, you don't need your client's consent to send them their invoice (because that is just… normal!). In Quebec, however, consent must be obtained systematically.
The Quebec bill is tougher than in Canada. In some respects (such as systematic consent) it goes further than in Europe.
That said, the bill is not yet finished; it is currently being negotiated clause by clause. The federal government has already tabled its own bill… Perhaps Quebec will realize that it is preferable to align a little more closely with Canada. To be continued.
Is this a Quebec political strategy to win votes? Not necessarily. There are also a lot of good things in the bill, for example on research and security incidents. That said, marketing is often unloved by regulators (with its targeting, profiling, etc.).
According to Jean-François, this sometimes goes too far, for example with the LaPresse article accusing MétéoMédia (Pelmorex) of geolocating its users, when it geolocates them in order to give them the weather forecast…! It's a shame to attack a Canadian company while, right next door, the GAFAM go much further.
Even if a Quebec company's data is stored elsewhere, the company must comply with Quebec laws for its operations here. But for Éloïse, the real question is: once personal information is hosted abroad, is it subject to other rules? The answer is yes. If data is hosted in China and the Chinese government decides to access it, Chinese law prevails. And we still need to know where our data is hosted, because sometimes we don't even know...
Hosting abroad is always a business risk for companies. Currently it is not forbidden; you just have to be transparent about it. Under Bill 64, however, storing data abroad becomes more complicated: you have to check which countries are eligible and whether they have similar laws, you have to have a contract, you have to do a risk assessment… In short, it's very cumbersome. That said, Éloïse does not believe these requirements will survive, because they are unrealistic.
There would now be an exception for business contacts. Today, a professional email address is personal information, but a future exclusion is planned, so explicit consent would no longer be needed to use this data. That said, with the anti-spam law (C-28) still applying, you can't do much (such as send an email without consent). And in advertising? Still a lot of gray areas.
For Éloïse, Bill C-28 already went too far. We must distinguish between the impact of personalized advertising and data security... This law puts us at a competitive disadvantage compared to other markets which, like the United States, still operate under an opt-out regime.
No. But there is a principle that you don't keep data once it is no longer necessary for your product or service. Companies must therefore think about this and have a retention policy: how long do we want to keep our data?
That said, getting rid of data runs counter to new AI tools; the more data we have, the more we can do with it: understand trends, make amazing discoveries.
So how can companies be clear about the use of data when, with AI, not all uses are known yet? Whether a new use is compatible with the purpose of the original collection remains to be seen.
If a service is offered for free, does handing over an email address count as consent? Under the new bill, it's still a gray area. For example, in the Facebook case in 2009, it was concluded that personal information is the price to pay for free use of the platform. Would the reasoning be the same in Quebec? We don't know yet.
Today, yes, it is utopian. But with the laws and penalties to come in Quebec (up to 10 million), we imagine this will become quite a deterrent. In Canada it is different: the law gives less power to the Office of the Privacy Commissioner.
That said, the same kinds of penalties were provided for in Bill C-28; there was talk of thirty full-time inspectors in Canada… And yet few fines were issued. True, but according to Éloïse, that law is very poorly drafted and has several exceptions, and is therefore difficult to apply.
Be aware, however, that the commissioners' decisions are sometimes surprising. For example, last fall's decision on smart billboards in a shopping mall. These panels collected general data on when people visited and what type of profile they had (e.g. gender and age). But because a unique number was assigned to each passerby, it was decided that the data could be sensitive...
But how do you get explicit consent in this context? It's almost impossible… On the other hand, visitors would need to be informed at a minimum (even if that notice is not explicit consent), and it would have to be ensured that no sensitive information is collected (like the unique number). What exactly is sensitive data? Another gray area!
It's true, this brings a lot of uncertainty. But it also gives interesting flexibility to companies that innovate and want to launch new practices. For example, the notion of sensitive data is not clear, but it is better to see how things evolve before settling it. In Europe, the list of sensitive information is already fixed (religion, sexual orientation, financial data, etc.).
1. Write a quality terms and conditions section
2. Create a pilot group (or focus group) to test reasonableness (i.e. the reasonable expectation of the average consumer)
3. Make sure you have explicit consent for the use of data
4. Respect the wishes of customers
5. Have the technological means to match our ambitions
It's a challenge, but one of the fundamental principles is that the law must be technologically neutral, which means it won't have to be changed in 6 months or a year. It also means we get more flexible laws, and therefore gray areas.
In other words, we need more risk management and less box-ticking compliance. It's hard to tick boxes. We have to stop seeing everything as black or white; instead, it is about navigating risk intelligently and responsibly, taking consumer psychology into account.
Because let's not forget one thing: all these upheavals are for the good of the consumer. If we do things that way, it should be fine.