Law 25 and Its Impact on Protecting Citizen Data in Cities and Municipalities

Authors: Vivianne Gravel, LL.M and Gabriel Montagne 

In Quebec, Law 25 was adopted in September 2021 to enhance personal information protection, signifying a significant moment for businesses and public entities like cities and municipalities. However, a concerning trend has surfaced: by September 2023, only 3% of small and medium-sized businesses (SMEs) were found compliant with the law, as per a survey by the Interdisciplinary Research Group in Cybersecurity (GRIC) at the University of Sherbrooke.

GRIC Survey Findings Show Only 3% of Quebec Organizations Complied with Requirements in September

This concerning situation affects Quebec cities and municipalities directly. Despite efforts by the Union of Quebec Municipalities (UMQ) to raise awareness through webinars and guides, compliance remains a significant challenge. City administrators lack resources to implement the law, and its complexity demands a multidisciplinary approach for effective execution.

What are the risks for cities and municipalities of not complying with Law 25?

Cities that fail to comply may be subject to significant fines of up to $10,000,000 for organizations or 2% of global revenue for the previous year, whichever is greater. The Commission d’access à l’information du Québec may impose sanctions for the following reasons:

• Failure to comply with the obligation to report a data breach
• Failure to respect the protection of personal information
• The unlawful collection, use or dissemination of information
• Failure to comply with the obligation to inform people.

Failure to Comply with Law 25 May Result in Fines

In addition, depending on the nature of the offense, the Commission for Access to Information may initiate criminal proceedings with a maximum fine of CA$10,000 for individuals and CA$25,000,000 or 4% of the figure of global business for corporations. And in the event of a repeat offense, the penalties will be doubled.

Cyberattacks can harm your city’s reputation

Non-compliance can also harm the City's reputation. Citizens may lose confidence in the ability of cities and municipalities to protect their personal data, which will lead to a reduction in the efficiency of services and an increase in costs. The risks associated with data security are significant because non-compliance puts the City at risk for data theft and cyberattacks.

The Cost of Data Theft

The cost of an amicable agreement for the theft of data was $200,000,000, not counting the operational costs linked to crisis management. According to an IBM study in August 2022, the cost of data theft is estimated at $4.35 million on average worldwide in 2022 (up 2.6% compared to 2021 and 12.7% per year compared to 2020). 

B-CITI's Solution for Law 25 Compliance

Solutions B-CITI Inc (Bciti), a major player in the field of digital solutions for smart cities, is a key partner to support municipalities in this transition. Our expertise in ethical citizen data management and the bciti+ Intelligent Citizen Services Platform (PaaS), designed with "Private Data by Design" principles, provides tailored tools to meet the requirements of Law 25. 

Bciti also co-owns a patent that utilizes a blockchain variant to automate the logging of personal information usage. This patent, central to the Digital Lab initiated by Bciti, aims to streamline this technology for the benefit of cities and municipalities.

How the Bciti Digital Lab is Supporting Cities with Law 25 Compliance

The Digital Lab for Law 25 Automation, started on February 7. Bciti is assisting 5 cities and municipalities in complying with the law. Throughout February and March, we are mapping citizens’ journey in their interactions with municipalities to highlight sensitive contact points under the Act's regulations. Additionally, we're automating communication processes with citizens, restricting data access by city employees, and implementing logging for decision-makers' peace of mind in cities and municipalities.

This project, which will run until June 2025, promises to revolutionize the way cities, towns and municipalities manage and protect the personal data of their citizens and visitors. As such, Bciti and its partners are committed to ensuring compliance with Law 25 not only as a legal obligation, but also as an opportunity to improve the relationship between cities, their citizens, and visitors.

By building on strong foundations of ethical data management, we enable the use of anonymized and automated data, respecting citizens' consent. This allows us to utilize artificial intelligence, such as generative AI and augmented analytics, to anticipate citizens' needs better and make informed decisions in an increasingly complex civic management context.

Stay tuned to track the progress of this Digital Lab and see how Bciti and Quebec cities are working together to protect personal data while making life easier for citizens and cities alike.