Decoding Quebec’s Law 25: What Companies Need To Know With Sharon Bauer

Intro  0:01

Welcome to the She Said Privacy/He Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:21

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:36

Hello, Justin Daniels here. I am a Corporate Partner in M&A and tech transactions at the law firm Baker Donelson. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels  1:05

Like 150 of these you tell it’s funny, we keep saying the words in the exact same tone every time. Alright, but this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there is greater trust between companies and consumers. To learn more, and check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. You having fun?

Justin Daniels  1:49

I see you’re very perky now.

Jodi Daniels  1:51

I had lunch. I have energy.

Justin Daniels  1:53

Yes. And I got one slice of Turkey. No, no.

Jodi Daniels  1:57

No, there were four. And that is because you ate a huge amount at breakfast time. So then I was really nice. And I shared I cut it in half. I was so nice. Maybe

Justin Daniels  2:06

you could just buy more than

Jodi Daniels  2:08

I did. You were you were you were very hungry. But I hear we’re supposed to talk about privacy and not turkey sandwiches today.

Justin Daniels  2:16

Well, both of them could go together.

Jodi Daniels  2:18

Gosh, I can’t wait for you to blend turkey sandwiches and privacy. So we have a really special guests. So, we have Sharon Bauer, who is the Founder of Bamboo Data  Consulting, a privacy and security consulting firm based in Canada. And I feel like Bamboo Data Consulting is trying to have the same mission that Red Clover is, and so it’s so exciting to have Sharon here. Sharon has been named a Top 20 Women in Cybersecurity in Canada. And she provides privacy solutions to companies in technology marketing, retail FinTech, health and education. She develops creative privacy programs and solves hidden privacy challenges for startups to multinational corporations. See, I could like say the same thing. It’s so exciting to have you here, Sharon, and Sharon, you also act as a virtual chief privacy officer. And apparently Justin has something funny and clever to say about virtual chief privacy officers.

Justin Daniels  3:13

Yeah, she’s a VCPO instead of three CPO.

Jodi Daniels  3:18

You know we really should air this then on like all the Star Wars days May fourth, we’ll read it. Well, we will up there we go. We’re gonna deal with the VCBO

Sharon Bauer  3:28

Am I allowed to use that for some of my marketing because that is brilliant. I love it. And I never thought about that. Yeah,

Jodi Daniels  3:36

I didn’t either. Where were you? I mean, we have a lot of conversations about marketing. We do the same thing you didn’t

Justin Daniels  3:42

just came to me today, just like when I go on some of the TV spots and I end was like remember in privacy? Just say no to data collection.

Jodi Daniels  3:53

That’s only funny if you remember the 1980s Yes,

Justin Daniels  3:56

I know. It isn’t. It’s a Nancy Reagan thing. That’s not funny. Yeah. Fine. I just go with in cybersecurity scaring is caring,

Jodi Daniels  4:05

Scaring as caring.

Justin Daniels  4:07

All right. Let’s talk. It’s your job. Oh, right. It’s my job. So Sharon, tell us about your career and how you got to where you are today as the VCPO.

Sharon Bauer  4:19

Um, first of all, thanks for having me guys. It is such a pleasure because I’ve been watching you on the sidelines and totally inspired by the work that you do. So thank you very, very much. Okay, how do I get started? I started off as a litigator, I was a litigator for 10 years, doing something completely different. I was in personal injury. So in personal injury, I learned how to do how to advocate I learned how to do really good storytelling, how to think very critically on both sides. And, and I also learned a lot about business because from a pretty I’m early start, once I was able to prove myself to the partner at the law firm that I was at, he basically said, you’re now on eat what you kill. So you bring in your own files, you figure it out for yourself. And so a kind of like turn on some business switch in my brain that I never had before and never thought that I could do but was forced to do. And so I did that for about 10 years. And although it felt really great to advocate for individuals who were catastrophically injured families who had loved ones die because of car accidents, or other sort of accidents. I felt like there was something missing, I wasn’t super passionate about what I was doing. And I would look at those lawyers who just loved being in court and loved reading case law, and felt very jealous that I didn’t have that fire in me. Um, one day, I watched the Edward Snowden documentary, and all of a sudden, I was like, What is going on. And that led to me just reading a little bit more, and realizing how passionate I was about this privacy topic and felt like I just needed to absorb as much as I could. So what ended up happening is, I had my full time job during the day. And then at night time, I would start learning about privacy and reading legislation and reading anything I could get my hands on, and slept very little, because I felt like sleeping was a waste of time, I just wanted to learn, eventually. And all this was under the radar because I was afraid that either my clients are the people referring me files with stop working with me because they knew I was one foot out the door. But eventually, I felt like this was my calling. I spoke to several great people who became my mentors. And I was offered a position at one of the big fours and decided to sell my practice and have a completely fresh start and worked at the Big Four company for about just less than two years before founding Bamboo Data Consulting. And here we are.

Jodi Daniels  7:21

A fun story. Just the beginning of really fun privacy stories is a Quebec law that seems to go under the radar. There are a few companies who are asking more about it. But I really think this is one that is just not getting enough attention. And it needs to and I’m so excited to talk more about it today. Can you tell us about Law 25, which is an I’m gonna save the excitement for what it used to be called because that’s already causing some confusion? And what are the basics that companies need to be aware of? There are a whole bunch of sub questions and I’ll tease out one, which is who does it apply to? For example, does it apply to a company with just the consumers? Does it cover employees? Does it cover business contacts? Fill us in.

Sharon Bauer  8:13

Okay. So, Law 25, which is Quebec’s privacy legislation. I like when I think about it, what are the key concepts that you need to take out of it? Number one is governance. And being able to demonstrate governance, having those policies in place we know for you do lots of businesses that have informal practices, and that’s not going to be good enough, we need to actually have formalized policies, including retention, including privacy complaint handling, amongst you know, everything else that you would need. In addition, you need to have a privacy officer. That privacy officer does not have to be in Quebec, and you certainly don’t need. I mean, the legislation doesn’t say that the privacy officer has to be qualified in any particular way. But if you’re not going to formally appoint a privacy officer, the person in the highest position such as your CEO, is going to be accountable for privacy. And the other really interesting concept of Law 25 And it kind of gets it from the GDPR is the transfer risk or transfer impact assessment. Under Law 25. It is still called a P IA. But every time Quebec data leaves the jurisdiction you need to conduct that transfer. I’ll call it the transfer impact assessment to determine if he’s going to get the same level of protection that it would in Quebec. Law 25 also provides individuals with several new rights that they didn’t have before: right to data portability, r right to be forgotten, and not not necessarily erasure. So we’re talking about the D indexing of information from an individual’s name, for example, they talk about privacy by default. And that is very specifically in there. And we know that from GDPR. The one interesting part about the privacy by default, part of Law 25 is, even though it says you should have the highest level of confidentiality, there’s one exception to that, and that is cookies. So you don’t have to have cookies off by default, like you do with GDPR. They can be on except if you are collecting information that can identify, locate, or profile an individual, in which case, those cookies have to be off by default. And the other few things is around transparency. Of course, we know that we always have to be transparent, we need to be transparent about automated decision making. And then finally, with respect to the employment question, so if we’re talking about employee information that falls under Law 25. So as an employer, if I have employees in Quebec, I must comply with Law 25, as it relates to that employee’s personal information. When we’re talking about b2b data. So for example, lead gen, you’re storing all sorts of business information in Salesforce or HubSpot, whatever it may be that that does not fall into Law 25. So so that’s, I guess, good for a lot of businesses. When it comes to who does Law 25 apply to it applies to businesses that are located in Quebec. But of course, also those businesses are not located in Quebec, but are collecting Quebec data.

Jodi Daniels  12:12

I have two areas I want to dig into a little bit more. One was the transfer impact assessment. Under GDPR, we need adequacy measures to be able to move that data. Is there something similar here in Quebec? Or do I just need to kind of go through the assessment and understand the risk and make sure I have good security measures in place? And then my second question is on the cookies, there are a variety of different cookies that could be considered location and profile, aren’t you to be able to collect that location information or to be doing any kind of profiling? Are there any kind of common cookie examples that you might be able to offer so people can understand the kinds of cookies that might actually require consent?

Sharon Bauer  13:01

Good questions. Um, so for the first one, remind me what the first one is, again,

Jodi Daniels  13:07

the transfer impact assessment and regarding kind of adequacy mechanisms, so no,

Sharon Bauer  13:12

there’s no adequacy standing under Law 25, it would be very helpful if there was but also lots of other complexities if there was so maybe good thing there isn’t. Right now. I mean, we’re, this is a brand new legislation, right? So we’re all really trying to figure it out at the moment like at Bamboo, we’re currently building out a whole system on how to do these transfer impact assessments. And a lot of it is, well, what what does the legislator want us to do? Like, what are we supposed to do with this? And so a lot of it is just, well, maybe we take a similar GDPR approach and apply it. And so at this point, I feel like this is very much a risk based approach. In looking at do we feel that there is an equal level of security when it comes to data? So hopefully, that kind of answers your question. And who knows, maybe in a year from now, I’ll have a completely different answer for you as we’re diving into this and trying to sort it out. In terms of cookies, a lot when we’re talking to our clients around cookies, and when you need to get explicit consent for it. A lot of it has to do with like analytics in trying to figure out like, are you profiling individuals with these cookies? Like are you collecting information that will tell you enough about the individual that will allow you to categorize them in a certain way, and then send them adds because of that particular segment of a, of a, of a population that you’re collecting information about? So there’s still a A lot of, I guess, tweaking in terms of our understanding of, well, what is profiling? Really? And are we really are we really able to identify an individual. And so this is kind of like a gray zone. We like to advise our clients, whether they take our advice or not, is be a little bit more conservative when it comes to cookies in Law 25. Their marketing team isn’t always happy about that. And that then becomes a business decision. And risk appetite. Yeah. So,

Justin Daniels  15:39

Sharon, I was curious. We have US laws where it’s basically business government person third GDPR. Privacy is looked at as a fundamental right. Can you talk a little bit about how the cultural norms work in Canada in terms of how people think about privacy from a Canadian perspective?

Sharon Bauer  16:02

Yeah, so um, it’s. So privacy is not within our Constitution, it is not necessarily, you know, a human right, per se. But in terms of like, our privacy regulator, just recently put out his annual report to parliament and based on their research, 93% of Canadians are concerned about their privacy, with what I think is really interesting is, despite our inch, our concern about our personal information in Canada, and I think this goes, what I’m about to say, is not just a Canadian thing, it’s a worldwide thing, despite our concern, we’re still giving up our information. So our you know, our behavior and our attitude don’t really speak to each other and aren’t consistent. And one of the reasons why we may care about privacy, but still give up our personal information is because we’ve kind of resigned, right? Like we, we have to give up our information. In order to participate in society in order to remain relevant, we have to use these apps if we want to communicate with our friends, for example. Or if we want to order something from Amazon, or if we want to use ways to get us from point A to point B. And so whether it’s a convenience, or we have to or we choose to, we are concerned about privacy, but we still give it up. And that is perhaps why we’re starting to see some regulations in Canada are starting to become a little bit more strict and more prescriptive, because the regulators are starting to understand that there’s this uneven playing field where companies are willing to take this information and individuals are concerned but are willing to give it up because they really, they feel like they have no choice, right? If they want to participate in society.

Justin Daniels  18:07

So do you think Law 25 Has any type of influence? So like, for example, as you know, in the US, California leads the way. And in Canada, Quebec is unique province, because it has its French origins. Do you see any of that cultural norm? What that French influence or anything like that playing a role in Law 25 or anything like that, or not so much?

Sharon Bauer  18:28

Well, I guess what I could tell you is like, based on on my experience, and again, this is a pretty new law. And so there’s only so much experience that I haven’t so much insight that I have. A lot of the companies that we’re working with that are implementing Law 25 are saying, You know what, let’s just use Law 25 across the board, we’ll streamline it to the entire organization, even though a very small part of their organization sits within Quebec or they’re collecting very little Quebec personal information, because I think what they’re seeing is that our federal privacy legislation, which is PIPA is soon going to be completely amended. We have a second reading to build C 27. And what we’re expecting is C 27. Catching up to Law 25 Talking be identical. It may not be as strict but similar to the US where you have various states having different privacy legislations and trying to figure out you know, what you have to comply with? You might go with the strictest privacy legislation, maybe under CCPA. You guys are probably better suited to talk about that than me. I think the Canadian side is saying, You know what, what is the strictest privacy legislation and let’s just comply with that and know that we’re then compliant with everything else, with of course, a few deltas. With that being said

Jodi Daniels  19:57

for a global organization can who might have started with GDPR? Are they all done? Or is there something extra special that they’re going to need to also do to comply with law? 25?

Sharon Bauer  20:10

Yeah, I think that’s a that is a really good question and one that our clients ask us quite a bit. So I would say they are certainly ahead of the game. So that’s really good. And it’s not going to take a whole lot to catch up, there are a few differences in the biggest one I would say is around the lawful basis processing. So as we know, GDPR has six different bases for which you can process personal information, Law 25, doesn’t have those six, it has one. And that’s consent. And so you have to always get the consent in order to process personal information with of course, several exceptions to it. Now, that is not completely different than the way we’ve been practicing. Because in Canada, consent is really the foundation of our privacy legislation, we don’t have the luxury of six different bases. But so so that is probably the biggest one. For example, with respect to children’s personal information a lot. 25 says a minor is up to the age of 14, when it comes to reporting a privacy breach, whereas GDPR 72 hours off 25 is as soon as reasonably possible, which is actually, you know, a little bit easier than the 72 hours. And we have a few other differences. We have some great similarities. And an important one is the fines. So under Law 25, similar to GDPR, you can be fined up to $25 million, not euros, or 4% of your annual turnover. So that’s a really interesting similarity. Um, and in terms in I talked about this before, in terms of appointing a privacy officer, sir, unlike the GDPR that specifically prescribes that your privacy officer or DPO, needs to have certain qualifications. Last 25 does not. So there’s a little bit more flexibility there.

Justin Daniels  22:28

So you touched on one of the unique characteristics of Law 25 Is the lawful basis is consent, consent or concent. So we know that you recently published a white paper on consent. Can you talk to us a little bit about what are some of the special quirks about Law 25 And the consents that company needs to be aware of that your white paper touched on?

Sharon Bauer  22:52

Yeah. So um, I love how, you know, we talked about, oh, there’s only consent, but we get very excited because while there’s implied consent, or express consent, and so it’s it gets very interesting. Um, no, but in in kind of more serious talk, to start off with consent has to be an A lot of what I’m saying I feel like, well, everyone knows that, but maybe not. Maybe it wasn’t prescribed in legislation before now it is. But consent has to be clear and simple. That is something that I think we all kind of know, but it needs to be spelled out in the law, and there has to be freedom. So the individual has to be free to give their consent, which means they have to have choice. So explaining what the choice is, in a clear and simple way is going to be very important. It cannot be bundled with other information. This is something that I think was picked up from GDPR, around bundled consent you cannot have, right so there needs to be some separateness around that. And for the most part, consent can be implied. If you’re giving the right information, it’s transparent, it’s clear, and the individual can make a choice. It is implied consent, so long as it’s for the right purpose, the same purpose for which you were originally collecting the information for it needs to be expressed or explicit consent under the following terms, special or sensitive personal information, including biometric data. It needs to be expressed consent, if you’re using it to identify, locate or profile individual, those are some main ideas of when you’re going to need explicit consent or if you’re using it, of course, for a different purpose for what you originally collected. The end formation for you already clear there in consent.

Justin Daniels  25:05

I thought that was very helpful implicit versus explicit sounds like implied versus explicit contract.

Jodi Daniels  25:11

desire that my wheels are turning, and I have 400 Other questions, but I know I can’t ask them all now. So instead, I will say what is the biggest mistake that you see companies making while they’re trying to come into compliance with Law 25?

Sharon Bauer  25:31

With the Law 25, very specifically, the biggest mistake is they think Law 25 doesn’t apply to them. If you’re a company that has a website and e-commerce site, and you are collecting information from pretty much anyone bought 25 is going to apply to you, you are going to be collecting Law 25 data. And the other one that I would say, a lot of companies are getting wrong when we assess them. We’re asking, Okay, are you collecting consent? Can you show us how you’re collecting consent? Okay, what are you using it for? They say, We’re collecting consent. So we can use this data. Meanwhile, they’re taking that data and using it internally for a completely different purpose. But they feel justified in doing so because they collected consent at the very beginning of the journey, without truly mapping, whether the consent that the individual gave was consent to do that other thing that they’re doing internally. So the when you collect consent, it doesn’t mean that, you know, you could do whatever you want with that information. That’s one of the biggest problems we’re seeing.

Jodi Daniels  26:45

Let me ask another another question. So let’s, I’m an ecommerce site, and I’m going to buy something, I give you all my information, I’m going to hit submit. And now you’re going to send it to me, you’re also going to want to mark it to me, so that I can get more, and then you’re potentially might want to use my information to figure out while more people are buying purple sweaters, then blue T shirts, right, some type of analytics and understanding how people are navigating on the site. In your, in your thoughts? Is that individual? Would I need a different consent for each one of those three scenarios? Or is there any part I appreciate? We can’t bundle, but what is what can kind of be bundled together and I’m just trying to take sort of a really simple example to help people understand where the difference lies between implicit and explicit and, and some of the internal use cases that they might commonly use.

Sharon Bauer  27:43

Right? So I mean, in that kind of situation, I would imagine that the marketing team is probably taking a lot of the data that they’re collecting through cookies, not just the information that you’re giving them on the E commerce site, such as your name, your address for the purposes of delivery, or whatever. And so when it comes to the analytics and the profiling, if it comes from the cookies, we would say yes, you’re going to need explicit consent from the cookies. When it comes to using the information that you’re collecting from the E commerce site such as name, address, and say the product and then looking at okay, individuals from this area tend to get this kind of products more. I think we would like again, this is it’s all very contextual. And I hate saying that. And I hate not like committing to an answer. But it really all depends on are we anonymizing that information? How are we using that information for analytics purposes? Because we can look at Alright, individuals in this area tend to collect this type of product without using personal information. Right? In which case, that is okay, so long as you’re not collecting the partners, so long as you’re not using the information, the personal information, if you are remarketing to them then and you’re saying All right, anyone with this email or better postal code, now that we’ve collected now that we know who is getting what, from where now we’re going to target these people with this kind of advertisement, because we know they like this product. That’s when we would say we think you may need explicit consent because now you’re profiling individuals from their location, their their zip code, which could actually be sensitive depending on what you’re marketing.

Jodi Daniels  29:41

Very helpful context. Thank you so much. I know our listeners really appreciate example. So thank you so much.

Justin Daniels  29:48

Well, Sharon, when you’re not doing the privacy thing in your workplace, and you’re hanging out at a cocktail party with some non privacy, folks, is there a Personal best privacy or security tip you’d like to share with our audience?

Sharon Bauer  30:06

Um, I Okay, so I mean, I think I’ll probably say the obvious and enable multi factor authentication, Use different passwords for all of your accounts, use a password manager, like a one password, that would probably be my number one tip and one that I follow.

Jodi Daniels  30:30

And when you’re not advising on privacy, what do you like to do for fun.

Sharon Bauer  30:35

Um, when I have time, I wish I could say I like meditate and do yoga. But I am a mother of two very busy children with big, bigger social lives than me, usually driving them around, and me taking my laptop with me in my car and trying to do my work while my children are doing what they need to be doing. But I also absolutely love love hosting. So my house is usually full of tons of people. And I just want to make people feel at home and welcome. And so when I have the free time, I’m usually just hosting people, it gives me so much pleasure. And I think it also like, translate into the work that I do. So even when my clients making them feel really special, and like we’re giving them as much attention as possible, I think kinda like is who I am at heart, I just want to provide to people. So my children and hosting, bots know

Jodi Daniels  31:44

I’m not the only working mom out there who feels like squeezing in work whenever possible.

Sharon Bauer  31:51

Here’s the thing. And this is why it’s so much fun having kind of like my own business is that I really involve my children in the business. So we are eating at the dinner table. And they’re talking to me about their day. And I’m talking to them about my day. And they’re asking questions about business now, even though there are so little, because they saw me start the serpent boo. And they helped me like, what should the name be? And you know, what looks better this color or this color? And so it’s, it’s so much fun to involve them. And I really feel like there is this integration of personal life and work life in my life.

Jodi Daniels  32:29

I wouldn’t be able to make it work if I didn’t have that integration. Absolutely. If people would like to learn more about you and bamboo, where should they go?

Sharon Bauer  32:38

Sure, they can check out our website at www.bamboodataconsulting.com. I’m pretty active on LinkedIn, you can look me up on LinkedIn as well.

Jodi Daniels  32:48

Well, Sharon, thank you so much for stopping by. I know everyone will appreciate all the nuances that they need to know on Law 25 And it was a pleasure to chat with you today.

Sharon Bauer  32:58

Thank you so much. Really appreciate it.

Outro  33:05

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.