In the global landscape of data protection regulations, the European Union’s General Data Protection Regulation (GDPR) has been a beacon of comprehensive and rigorous privacy rules. Quebec’s Law25, whose most pertinent provisions came into effect September 22, 2023, meanwhile, represents a significant step forward for Canadian data privacy. But how do these two regulations compare? Let’s delve into the key differences and similarities between Law25 and the GDPR:
GDPR: Applies to organizations located within the EU, as well as those outside the EU if they offer goods/services to or monitor the behavior of EU data subjects.
Law25: Specifically targets organizations that are established in Quebec or offer goods/services to Quebec residents, regardless of the company’s physical location.
GDPR: Emphasizes clear, specific, and informed consent. It must be freely given, specific, informed, and unambiguous, requiring a clear affirmative action. However, consent is only one of 6 available bases for the processing of personal data.
Law25: Also underscores the need for clear and informed consent, echoing many of the GDPR’s principles. However, it places an even more substantial emphasis on explicit consent, especially concerning sensitive personal information and in the context of cookies. Furthermore, consent is the only basis for the processing of personal information, with a limited and exhaustive set of exceptions. For a deep dive into Law25 and consent requirements, you can consult this whitepaper, co-authored by the author of this article.
3. Children’s Data:
GDPR: Offers protections for children’s data, suggesting that individuals under 16 (or younger, down to 13, if member states choose) can’t give consent for data processing without parental authorization.
Law25: Similar to the GDPR, it adds special protections for children and sets the age up until which a minor cannot consent to 14 years. In addition to a parent, a “tutor” can also give consent on behalf of the child. A tutor can be appointed if a minor’s parents have passed or are not in a position to care for the minor.
4. Right to Erasure & Data Portability:
GDPR: Introduces the ‘right to be forgotten’ that allows individuals to request the erasure of their data. It also grants the right to data portability, enabling individuals to receive their data in a structured format.
Law25: Echoes these rights, emphasizing both the right to data portability and the right to erasure, ensuring individuals have control over their data life cycle. The ‘right to be forgotten’ means something different under Law25, namely the de-indexing of any hyperlink attached to the person’s name.
5. Data Protection Officer (DPO):
GDPR: Requires the appointment of a DPO for public authorities and organizations that engage in large scale systematic monitoring or processing of sensitive data. According to the Working Party’s guidance, the DPO is not personally responsible for the company’s compliance with the GDPR.
Law25: Makes it mandatory for all organizations to appoint a person responsible for data protection, akin to the GDPR’s DPO. In contrast to the DPO, Privacy Officers are not mandated to have specific qualifications, it is not required that resources are allocated to them, or that the business refrain from giving instructions to the Privacy Officer. If no Privacy Officer is appointed, the person with the highest authority at the company automatically performs this role. Similar to the GDPR, the company ultimately carries the responsibility for compliance, but personal liability can arise if the Privacy Officer is the CEO, namely under section 93 of Law25:
- 93. Where an offence under this Act is committed by a legal person, the administrator, director or representative of the legal person who ordered or authorized the act or omission constituting the offence, or who consented thereto, is a party to the offence and is liable to the prescribed penalty.
Get started with PrivateGPT today: