Your Typical Canadian Employees May Not Care All that Much About Cybersecurity or Privacy at Work, it Seems

The media reported recently disconcerting results from a recent survey of Canadian employees about the protection of personal information and cybersecurity.

The report at issue indicates about 1/3 of Canadian employees do not think data theft is really in an issue they should be concerned with, or that they are likely to be targeted by cybercriminals when at work. Even with everything happening in the past couple of years, including almost daily announcements of computer intrusions and ransomware attacks (including in Canada), your typical employee does not seem all that worried.

In Québec, 3/4 of employees who answered the survey indicated they did not think the protection of personal information had anything to do with them, rather thinking this is an issue that IT is responsible for. Heck, the same proportion of respondents even admitted they had received NO training whatsoever at work about cybersecurity. None. Yikes.

Yeah, it seems, even today, with everything being published and privacy laws being adopted, your typical Canadian business may not be all that concerned about protecting data, whether it be personal or otherwise. Given that even some SME officers and business owners often still basically choose to ignore the issue, it is not all that surprising that a lot of employees do too. The Vietnamese have a good saying that may apply here: A house leaks from the roof on down.

Our job educating businesses and employees about this may not be quite done, it seems.

Businesses within the Province of Quebec Have Homework to Do as to their Employees and their Data

As you may already know, Quebec’s Bill 64 was passed into law a couple of months back, setting in motion a substantial revamp of the province’s main privacy statute. Much like what’s been going on in Europe and, more recently, at Federal level, the province finally decided it was time to update its antiquated statute governing the protection of personal information within Quebec.

The law’s coming into force of an Act to modernize legislative provisions as regards the protection of personal information (the “Act”) will stretch until 2024. In the meantime, the first provisions of the new law came into force last week, including numerous new obligations for Quebec businesses and organizations about their employees.

In practice, until now, little attention was generally paid in Quebec as to rules that may govern and apply to the personal information of employees, an issue that was often swept under the rug. Well, now that the Act is here things have to change -fast.

Indeed, the Act provides for a whole slew of obligations that apply to employers within the province of Quebec. For example, as is the case elsewhere, Quebec organizations should draft and make generally available their data handling policy, including as to how you handle employee information. This is but an example of what the new regime requires.

The first thing quite a few Quebec businesses and organization should do, including relatively small ones, is come to terms with the fact that the world has indeed changed and that Quebec business may no longer look at privacy as this theoretical issue that no SMB really bothers with. With the advent of the Act, all businesses and organization should (quickly) make the transition, from apathy as to privacy, to being highly involved. If you need motivation to do so, the staggering amount of potential penalties provided by the Act should help: 25 MILLION dollars or, and here’s the kicker, 4% of annual revenues. Yup, that’s right, just like Europe did a while back, we’re now realizing that dollar amounts may not be enough, but percentage of revenues, now THAT scares the bejesus out of ANY business.

As to employees, without going into details, to start, you should probably simply understand that personal information is now treated as such, whether it relates to a customer or an employee. Both are individuals, right? So, from now on, the Act basically assumes that organizations should have processes, policies and protocols in place to deal with personal information, wherever it comes in or from -employee-related information including. One should also note as to these, that the Act now requires making these policies generally available, including to employees, so that individuals can know how you are handling their information. Though this may seem a no brainer, in actuality, quite a few Quebec organizations still do not comply with this.

The Act also provides constraints as to how an organization may use automated processing of data to make or reach decisions as to individuals. If your company has AI sorting CVs, for example, individual may have to be made aware of this fact, etc.

One should also make note of the fact that, no only must employees be made aware what information of theirs is collected and used (and how), but employees can now lodge complaints with the Quebec privacy watchdog called the Commission d’accès à l’information (the “CAI”), should they want to question the employer’s data-handling practices, for example, if they suspect their employer’s practices are not in-line with the Act.

As is the case in numerous other jurisdictions, the Act also now provides for a mandatory notification in case of hacking incidents (and similar incidents where personal information may have been compromised), including when it comes to employee information.

Another change mandates that employers (and all organizations in fact) appoint a privacy officer, who will handle personal information-related matters on behalf of the entity, moving forward. This will have to include issues relating to employee information. Such a person may, for example, be a an officer of the company and should, generally, be selected based on his/her ability to deal with eventual issues relating to the types of data that the organization at issue normally handles. In other words, though the Act presumes the president of the company may be the person in charge, he/she may or may not be the best person for the job. All in all, if you are located in the province of Quebec and have employees, you may very well now be subject to the new Act. The time to educate yourself, seek advice and act is… now.

Canada Updates its Competition Act

I recently became aware of changes to the Canadian Competition Act (the Act) meant to modernize this piece of legislation, including to give it a little more teeth.

The changes at issue include the following, in case you hadn’t been following this (I hadn’t):

  • The act now prohibits “drip-pricing” by on-line retailers, as it may be tantamount to false (or misleading) advertising. This is familiar to anyone who has shopped on-line where you may be drawn to a particular source offering a what seems like a good deal, until you go through the whole process and realize fees and costs are successively tacked on, so that you end-up with a price that is substantially more than the “price” that attracted you in the first place.
  • Speaking of false (or misleading) advertising, the recent changes to the Act now allow courts to impose penalties that are no longer limited to fixed (capped) amounts. From now on, whenever a judge must impose a penalty on a given business for this, (s)he may elect to set the penalty according either to what profit the business derived from its misdeed, or better yet, on a percentage (3%) of its annual global revenue. Do I have your attention now?
  • Likewise, the recent changes also remove the cap on competition-related criminal penalties, instead providing that judges now have discretion under the Act as to the amount of penalties imposed on wrongdoers.
  • Anti-poaching agreements between employers are now a big no-no, as an unacceptable constraint on the working conditions of Canadian employees by what amounts to a form of cartel. As to this, one has to admit, if you allow business to agree between them to refrain from hiring from competitors, you’re seriously limiting the prospects of employees working in that industry.

The changes at issue came into effect on June 22, 2022.