How Law25 Compares to the GDPR

Law25 GDPR

Share This Post

In the global landscape of data protection regulations, the European Union’s General Data Protection Regulation (GDPR) has been a beacon of comprehensive and rigorous privacy rules. Quebec’s Law25, whose most pertinent provisions came into effect September 22, 2023, meanwhile, represents a significant step forward for Canadian data privacy. But how do these two regulations compare? Let’s delve into the key differences and similarities between Law25 and the GDPR:

1. Geographic Scope:
 

GDPR: Applies to organizations located within the EU, as well as those outside the EU if they offer goods/services to or monitor the behavior of EU data subjects.
 
Law25: Specifically targets organizations that are established in Quebec or offer goods/services to Quebec residents, regardless of the company’s physical location.

 2. Consent Mechanisms:

GDPR: Emphasizes clear, specific, and informed consent. It must be freely given, specific, informed, and unambiguous, requiring a clear affirmative action. However, consent is only one of 6 available bases for the processing of personal data.
 
Law25: Also underscores the need for clear and informed consent, echoing many of the GDPR’s principles. However, it places an even more substantial emphasis on explicit consent, especially concerning sensitive personal information and in the context of cookies. Furthermore, consent is the only basis for the processing of personal information, with a limited and exhaustive set of exceptions. For a deep dive into Law25 and consent requirements, you can consult this whitepaper, co-authored by the author of this article.

3. Children’s Data:

GDPR: Offers protections for children’s data, suggesting that individuals under 16 (or younger, down to 13, if member states choose) can’t give consent for data processing without parental authorization.
 
Law25: Similar to the GDPR, it adds special protections for children and sets the age up until which a minor cannot consent to 14 years. In addition to a parent, a “tutor” can also give consent on behalf of the child. A tutor can be appointed if a minor’s parents have passed or are not in a position to care for the minor.

4. Right to Erasure & Data Portability:

GDPR: Introduces the ‘right to be forgotten’ that allows individuals to request the erasure of their data. It also grants the right to data portability, enabling individuals to receive their data in a structured format.
 
Law25: Echoes these rights, emphasizing both the right to data portability and the right to erasure, ensuring individuals have control over their data life cycle. The ‘right to be forgotten’ means something different under Law25, namely the de-indexing of any hyperlink attached to the person’s name.

5. Data Protection Officer (DPO):

GDPR: Requires the appointment of a DPO for public authorities and organizations that engage in large scale systematic monitoring or processing of sensitive data. According to the Working Party’s guidance, the DPO is not personally responsible for the company’s compliance with the GDPR.

Law25: Makes it mandatory for all organizations to appoint a person responsible for data protection, akin to the GDPR’s DPO. In contrast to the DPO, Privacy Officers are not mandated to  have specific qualifications, it is not required that resources are allocated to them, or that the business refrain from giving instructions to the Privacy Officer. If no Privacy Officer is appointed, the person with the highest authority at the company automatically performs this role. Similar to the GDPR, the company ultimately carries the responsibility for compliance, but personal liability can arise if the Privacy Officer is the CEO, namely under section 93 of Law25:

  • 93. Where an offence under this Act is committed by a legal person, the administrator, director or representative of the legal person who ordered or authorized the act or omission constituting the offence, or who consented thereto, is a party to the offence and is liable to the prescribed penalty.
6. Breach Notification:
 
GDPR: Organizations must notify the relevant supervisory authority of a data breach within 72 hours unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
 
Law25: Requires organizations to notify the Commission d’accès à l’information (CAI) “as soon as possible” after recognizing a breach. The emphasis is on speed, but without a specified timeframe like the GDPR
 
7. Penalties:
 
GDPR: Can levy fines up to €20 million or 4% of global annual turnover, whichever is higher, for serious infringements.
 
Law25: Introduces substantial penalties, with potential fines reaching as high as CAD $25 million or 4% of worldwide turnover, aligning closely with the GDPR’s stringent approach.
 
Conclusion
 
While both the GDPR and Law25 emphasize the protection of individuals’ privacy rights in the age of digital ubiquity, they have their unique nuances. Organizations operating in both jurisdictions must be keenly aware of these differences to ensure full compliance. Both regulations underscore a global trend towards prioritizing personal data protection, emphasizing the need for businesses to adopt a privacy-first approach.
 
Fundamental to both the GDPR and Law 25 is the need to understand the types and quantities of personally identifiable information (PII) being collected and minimize such PII to what’s actually necessary for the business. Private AI can help with that task, which can otherwise be difficult, particularly if the business deals with vast amounts of unstructured data. Leveraging its hyper accurate machine learning tool that can identify over 50 entities, classifying personal information in free text, images, audio, video and other unstructured data is simplified to three lines of code. Request an API key here.
 
 

Get started with PrivateGPT today:

Subscribe To Our Newsletter

Sign up for Private AI’s mailing list to stay up to date with more fresh content, upcoming events, company news, and more! 

More To Explore

Download the Free Report

Request an API Key

Fill out the form below and we’ll send you a free API key for 500 calls (approx. 50k words). No commitment, no credit card required!

Language Packs

Expand the categories below to see which languages are included within each language pack.
Note: English capabilities are automatically included within the Enterprise pricing tier. 

French
Spanish
Portuguese

Arabic
Hebrew
Persian (Farsi)
Swahili

French
German
Italian
Portuguese
Russian
Spanish
Ukrainian
Belarusian
Bulgarian
Catalan
Croatian
Czech
Danish
Dutch
Estonian
Finnish
Greek
Hungarian
Icelandic
Latvian
Lithuanian
Luxembourgish
Polish
Romanian
Slovak
Slovenian
Swedish
Turkish

Hindi
Korean
Tagalog
Bengali
Burmese
Indonesian
Khmer
Japanese
Malay
Moldovan
Norwegian (Bokmål)
Punjabi
Tamil
Thai
Vietnamese
Mandarin (simplified)

Arabic
Belarusian
Bengali
Bulgarian
Burmese
Catalan
Croatian
Czech
Danish
Dutch
Estonian
Finnish
French
German
Greek
Hebrew
Hindi
Hungarian
Icelandic
Indonesian
Italian
Japanese
Khmer
Korean
Latvian
Lithuanian
Luxembourgish
Malay
Mandarin (simplified)
Moldovan
Norwegian (Bokmål)
Persian (Farsi)
Polish
Portuguese
Punjabi
Romanian
Russian
Slovak
Slovenian
Spanish
Swahili
Swedish
Tagalog
Tamil
Thai
Turkish
Ukrainian
Vietnamese

Rappel

Testé sur un ensemble de données composé de données conversationnelles désordonnées contenant des informations de santé sensibles. Téléchargez notre livre blanc pour plus de détails, ainsi que nos performances en termes d’exactitude et de score F1, ou contactez-nous pour obtenir une copie du code d’évaluation.

99.5%+ Accuracy

Number quoted is the number of PII words missed as a fraction of total number of words. Computed on a 268 thousand word internal test dataset, comprising data from over 50 different sources, including web scrapes, emails and ASR transcripts.

Please contact us for a copy of the code used to compute these metrics, try it yourself here, or download our whitepaper.