In the global landscape of data protection regulations, the European Union's General Data Protection Regulation (GDPR) has been a beacon of comprehensive and rigorous privacy rules. Quebec's Law25, whose most pertinent provisions came into effect September 22, 2023, meanwhile, represents a significant step forward for Canadian data privacy. But how do these two regulations compare? Let's delve into the key differences and similarities between Law25 and the GDPR:1. Geographic Scope:GDPR: Applies to organizations located within the EU, as well as those outside the EU if they offer goods/services to or monitor the behavior of EU data subjects.Law25: Specifically targets organizations that are established in Quebec or offer goods/services to Quebec residents, regardless of the company's physical location.2. Consent Mechanisms:GDPR: Emphasizes clear, specific, and informed consent. It must be freely given, specific, informed, and unambiguous, requiring a clear affirmative action. However, consent is only one of 6 available bases for the processing of personal data.Law25: Also underscores the need for clear and informed consent, echoing many of the GDPR's principles. However, it places an even more substantial emphasis on explicit consent, especially concerning sensitive personal information and in the context of cookies. Furthermore, consent is the only basis for the processing of personal information, with a limited and exhaustive set of exceptions. For a deep dive into Law25 and consent requirements, you can consult this whitepaper, co-authored by the author of this article.
3. Children's Data:
GDPR: Offers protections for children's data, suggesting that individuals under 16 (or younger, down to 13, if member states choose) can't give consent for data processing without parental authorization.Law25: Similar to the GDPR, it adds special protections for children and sets the age up until which a minor cannot consent to 14 years. In addition to a parent, a “tutor” can also give consent on behalf of the child. A tutor can be appointed if a minor’s parents have passed or are not in a position to care for the minor.
4. Right to Erasure & Data Portability:
GDPR: Introduces the 'right to be forgotten' that allows individuals to request the erasure of their data. It also grants the right to data portability, enabling individuals to receive their data in a structured format.Law25: Echoes these rights, emphasizing both the right to data portability and the right to erasure, ensuring individuals have control over their data life cycle. The ‘right to be forgotten’ means something different under Law25, namely the de-indexing of any hyperlink attached to the person’s name.
5. Data Protection Officer (DPO):
GDPR: Requires the appointment of a DPO for public authorities and organizations that engage in large scale systematic monitoring or processing of sensitive data. According to the Working Party’s guidance, the DPO is not personally responsible for the company’s compliance with the GDPR.Law25: Makes it mandatory for all organizations to appoint a person responsible for data protection, akin to the GDPR's DPO. In contrast to the DPO, Privacy Officers are not mandated to have specific qualifications, it is not required that resources are allocated to them, or that the business refrain from giving instructions to the Privacy Officer. If no Privacy Officer is appointed, the person with the highest authority at the company automatically performs this role. Similar to the GDPR, the company ultimately carries the responsibility for compliance, but personal liability can arise if the Privacy Officer is the CEO, namely under section 93 of Law25:
- 93. Where an offence under this Act is committed by a legal person, the administrator, director or representative of the legal person who ordered or authorized the act or omission constituting the offence, or who consented thereto, is a party to the offence and is liable to the prescribed penalty.
6. Breach Notification:GDPR: Organizations must notify the relevant supervisory authority of a data breach within 72 hours unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.Law25: Requires organizations to notify the Commission d'accès à l'information (CAI) "as soon as possible" after recognizing a breach. The emphasis is on speed, but without a specified timeframe like the GDPR7. Penalties:GDPR: Can levy fines up to €20 million or 4% of global annual turnover, whichever is higher, for serious infringements. Law25: Introduces substantial penalties, with potential fines reaching as high as CAD $25 million or 4% of worldwide turnover, aligning closely with the GDPR's stringent approach.ConclusionWhile both the GDPR and Law25 emphasize the protection of individuals' privacy rights in the age of digital ubiquity, they have their unique nuances. Organizations operating in both jurisdictions must be keenly aware of these differences to ensure full compliance. Both regulations underscore a global trend towards prioritizing personal data protection, emphasizing the need for businesses to adopt a privacy-first approach.Fundamental to both the GDPR and Law 25 is the need to understand the types and quantities of personally identifiable information (PII) being collected and minimize such PII to what’s actually necessary for the business. Private AI can help with that task, which can otherwise be difficult, particularly if the business deals with vast amounts of unstructured data. Leveraging its hyper accurate machine learning tool that can identify over 50 entities, classifying personal information in free text, images, audio, video and other unstructured data is simplified to three lines of code. Request an API key here.
Get started with PrivateGPT today:
