Quebec legal experts say a new law regulating electronic documents and the use of biometric information is still a mystery to corporate enterprises and government.
The Quebec Act to Establish a Legal Framework for Information
Technology is the first in Canada to explicitly equate the value of an electronic document and signature with its written counterpart, experts say. A digitally signed contract, for example, could carry the same legal weight under the act as a printed contract delivered in person or by surface mail.
Though it has been in effect since November of last year, the details of the law are not known to a lot of Quebec enterprises. Only now are many of them seeking information on what the legislation covers and how it applies to their businesses, says Marie-Hélène Constantin, an associate at Montreal-based law firm Blake, Cassels & Graydon.
The lack of awareness is not limited to the private sector, says Douglas Simsovic, associate at Heenan Blaikie, another Montreal law firm.
“”I’ve had to consult a government regulatory body regarding an issue that has to do with this law. They didn’t know the law exists,”” he said.
The act, which Simsovic describes as a “”mini-revolution,”” addresses a number of issues surrounding e-commerce, but its effect on the daily operations of e-commerce merchants is more of a side-effect, says Constantin.
“”In the rest of Canada electronic commerce legislation is really aimed at fostering electronic commerce,”” she says. “”That’s not really what they were intending to do here. The legislators were just trying to make it clear that electronic documents could have the same value as other documents.””
That objective has resulted in a unique feature of the law — it mandates the secure transmission of confidential data over the Net, says Constantin.
“”I haven’t seen this in other acts. There wasn’t necessarily the obligation to ensure the protection of privileged information in your electronic communication before,”” she says. “”You could say that it was implied, but it wasn’t outright stated like it is now.””
This requirement is particularly of concern to enterprise legal departments, Constantin says, especially since the law doesn’t explain what steps the transmitter must take to comply with the law. It also doesn’t outline penalties for failing to protect corporate data.
“”It may be that we have to encrypt certain information,”” she says. “”I think it will always depend on the type of information you’re talking about and on the circumstances.””
The act also has some major privacy implications, says CATA Alliance president John Reid. Section 44 of the act states that anyone gathering biometrics information can only do so with the express consent of the person they’re getting the information from. The act also forbids the use of such information for purposes other than to which individuals consented.
“”There is a legitimate risk here in not understanding exactly what the limitations and the regulations are regarding the collection of this type of information,”” says Reid. “”You’re opening yourself up if an individual feels a grievance, you’re exposing yourself to business risk and legal suits.””
The act also states that the Quebec Comission d’access à l’information must be notified before a database of biometrics information is created. The commission has the right, under the new law, to regulate the use, storage, sharing and destruction of any biometrics information within a database. This may cause some confusion, since the federal Personal Information Protection and Electronic Documents Act (PIPEDA) treats biometrics information somewhat differently, says Richard Owens, executive director of the University of Toronto’s Centre for Innovation Law and Policy.
“”Interestingly enough, a retinal scan unless associated with the individual’s name and address wouldn’t be considered personal information under federal law,”” he says.
Ontario is currently working on its own privacy legislation, which could complicate things even more for businesses, says Reid. In Canada there tends to be a ping-pong effect, where one province introduces legislation and motivates other provinces to introduce their own. The end result of is often legislation concerning the same business practice that’s different from one province to the other, he says.
“”When you have a company operating in different provinces their exposure will be different, so you can be sideswiped by these types of developments,”” says Reid.
The federal government has said existing Quebec privacy legislation may be similar enough to PIPEDA to exempt the province from the national law. Quebec has had its own privacy legislation the Act Respecting the Protection of Personal Information In the Private Sector, since 1994, as well as one governing the public sector. It’s enough to give a CEO a headache, Owens says.
“”Quebec businesses will have to follow the Quebec act and not the federal act. But that probably won’t be the case for (federally-contracted) companies doing business within Quebec, for them the federal act will still apply,”” he says. “”So there are different jurisdictional issues here, like can the government even legislate?””
Even though this law puts new responsibilities on enterprises, it shouldn’t be an obstacle to conducting business with a little preparation since there are ways to ensure business practices are legally compliant Canada-wide, says Constantin.
Ensuring compliance may require some work though, says Owens, since the federal legislation can confuse not only businesses but also their lawyers.
“”The federal law mandates a set of privacy protection rules which are the worst-drafted legislation on the planet, frankly. Lawyers don’t know whether to laugh or cry over it,”” he says.
So what should law-abiding enterprises do?
“”Get yourself some good council,”” laughs Simsovic, “”and you’ll be fine.””
Comment: [email protected]