Research Seminar

Beyond the protection of personal information: the obligation of security in Québec law

A seminar by Nicolas Vermeys, presented by IMC2

For its April 2024 ‘Cyber Monday,’ IMC2 had the pleasure of welcoming Nicolas Vermeys, Director of the Centre for Public Law Research (CRDP), Deputy Director of the Cyberjustice Laboratory, and Professor at the Faculty of Law of the University of Montreal (not to mention a member of the IMC2 Management Committee!). Mr. Vermeys (who is also CISSP) is one of the few legal experts in the country to possess cross-disciplinary expertise in legal and information security aspects. His presentation was the occasion for very interesting exchanges and will certainly lead to a follow-up session!


The obligation to ensure information security is often associated with the protection of personal information (PPI), and for many, limited to this domain. In fact, legislative obligations related to information security are mainly found in laws aimed at PPI, such as the Loi sur la protection des renseignements personnels et les documents électroniques or the Loi sur la protection des renseignements personnels dans le secteur privé. However, the categories of data that must be protected extend beyond just personal information, and the provisions imposing such an obligation are not exclusively found in laws related to PPI. This seminar will be an opportunity for Mr. Vermeys to demonstrate how essential it is for businesses and organizations to understand the real extent of their security obligation in order to adopt and implement a comprehensive policy adapted to the applicable legal framework.