PIPEDA vs Law 25: Key Differences for DSAR Compliance
Last updated: February 2026
Canadian organizations often need to comply with both federal PIPEDA and provincial privacy laws like Québec's Law 25. While these laws share common principles, their DSAR requirements differ in important ways. This guide helps you understand when each applies and how to build a compliant process.
Overview: Two Privacy Frameworks
PIPEDA (Federal)
The Personal Information Protection and Electronic Documents Act is Canada's federal private-sector privacy law. It governs personal information collected, used or disclosed in the course of commercial activity. Provinces that have enacted substantially similar legislation (Québec, Alberta and British Columbia) are exempt for activity within their borders, but PIPEDA still applies to federally regulated organizations and to interprovincial and international data flows.
Law 25 (Québec)
Law 25 (formerly Bill 64) is Québec's Act to modernize legislative provisions as regards the protection of personal information. It amended the Act respecting the protection of personal information in the private sector, which is deemed substantially similar to PIPEDA. It applies to organizations collecting, using or communicating personal information in Québec.
Key Point: If you operate in Québec, Law 25 generally takes precedence for provincial activities. PIPEDA may still apply to interprovincial and international data flows.
Comparison: DSAR Requirements
Response Deadline
PIPEDA: 30 days (can be extended by up to 30 additional days in limited circumstances, such as when responding in time would unreasonably interfere with the organization's activities or consultations are needed; the requester must be told of the extension, its reason and their right to complain to the Privacy Commissioner within the original 30 days)
Law 25: 30 days (can extend by 10 additional days)
Both laws require a response within 30 days. PIPEDA's extension is longer but conditional, while Law 25 allows only a 10-day extension with notification, so a process that meets Law 25's window satisfies both.
Right to Access
PIPEDA: Yes — individuals can request access to personal information
Law 25: Yes — same right, with additional transparency requirements
Right to Correction
PIPEDA: Yes — individuals can request correction of inaccurate information
Law 25: Yes — same right
Right to Deletion
PIPEDA: Limited — no explicit "right to be forgotten"; individuals can withdraw consent, and organizations must destroy, erase or anonymize information once it is no longer needed for its purpose
Law 25: Yes — organizations must destroy or anonymize personal information once its purposes are achieved, and individuals can require an organization to cease disseminating their information or to de-index it (Québec's form of the "right to be forgotten")
This is a major difference. Law 25 gives individuals an enforceable deletion and de-indexing right; PIPEDA relies on retention limits and consent withdrawal.
Right to Portability
PIPEDA: No explicit right
Law 25: Yes — since September 22, 2024, individuals can request computerized personal information collected from them in a structured, commonly used technological format
Law 25 is more progressive on data portability.
Penalties Comparison
PIPEDA Penalties
• No direct monetary penalties for most violations (offences such as failing to report or record breaches, or obstructing the Commissioner, carry fines of up to $100,000)
• Federal Court can award damages
• Privacy Commissioner can name organizations
• Reputational consequences
Law 25 Penalties
• Administrative monetary penalties (imposed by the CAI) of up to $10 million or 2% of worldwide turnover, whichever is greater
• Penal fines of up to $25 million or 4% of worldwide turnover, whichever is greater, for organizations
• Private right of action, with punitive damages of at least $1,000 where the violation is intentional or results from gross fault
• Personal liability for officers
Key Difference: Law 25 has significantly stronger enforcement mechanisms and higher potential penalties.
Consent Requirements
PIPEDA Consent
• Meaningful consent required
• Consent must be informed
• Can be express or implied depending on sensitivity
• Withdrawal of consent allowed
Law 25 Consent
• Express consent required for sensitive information
• Consent must be specific and granular
• No bundled consent
• Clear and simple withdrawal process required
• Consent for biometric data has specific requirements
Key Difference: Law 25 has stricter consent requirements, especially for sensitive data and biometrics.
Privacy Officer Requirements
PIPEDA
• Organizations must designate someone accountable for compliance
• No specific title required
• Contact information must be available
Law 25
• Must designate a "Person in Charge of Personal Information Protection"
• Title and contact must be published on website
• Default: highest authority in the organization
• Specific responsibilities defined in law
Key Difference: Law 25 requires a formally designated privacy officer with public contact information.
Privacy Impact Assessments
PIPEDA
• No mandatory requirement
• Recommended as best practice
• Privacy Commissioner encourages PIAs
Law 25
• Mandatory for any project to acquire, develop or overhaul an information system or electronic service delivery involving personal information
• Required before communicating personal information outside Québec
• The transfer assessment must consider whether the information would receive adequate protection under the legal framework of the destination jurisdiction
• Documentation must be maintained
Key Difference: Law 25 mandates PIAs in specific circumstances; PIPEDA does not.
Data Breach Notification
PIPEDA
• Must notify the Privacy Commissioner of breaches that pose a real risk of significant harm
• Must notify affected individuals
• Must notify other organizations or government institutions that may be able to reduce the risk of harm
• Must keep records of all breaches for 24 months
Law 25
• Must notify the CAI (Commission d'accès à l'information) of confidentiality incidents that present a risk of serious injury
• Must notify affected individuals
• May notify any person or body that could reduce the risk, sharing only the information needed for that purpose
• Must keep a register of all confidentiality incidents, which the CAI can request
Key Difference: The frameworks are similar; they differ in the harm threshold ("real risk of significant harm" versus "risk of serious injury"), in the regulator notified, and in Law 25's standing register of incidents. Note that third-party notification to reduce harm is mandatory under PIPEDA and discretionary under Law 25.
Which Law Applies to Your Organization?
Law 25 applies if:
• Your organization operates in Québec
• You collect personal information of Québec residents
• You employ people in Québec
• You offer goods/services to Québec residents
PIPEDA applies if:
• Your organization operates in provinces without substantially similar laws
• You engage in interprovincial or international commercial activities
• You're a federally regulated organization (banks, telecoms, airlines)
Both may apply if:
• You operate across multiple provinces including Québec
• You transfer data between Québec and other jurisdictions
• You're federally regulated but employ Québec residents
Practical Approach: Build your DSAR process to meet Law 25 requirements (the stricter standard in most respects), and you will largely satisfy PIPEDA as well. Keep PIPEDA-specific items (the Commissioner as regulator, its extension-notice rules and 24-month breach records) in scope for requests that fall under both.
Building a Dual-Compliant DSAR Process
To comply with both frameworks, your DSAR process should:
1. Meet the Strictest Deadline
Aim to respond within 30 days for all requests, with a process to extend by 10 days when genuinely needed.
2. Support All Request Types
Enable access, correction, deletion, AND portability requests even if PIPEDA doesn't require all of them.
3. Implement Proper Consent
Use Law 25's stricter consent standards for all Canadian data subjects.
4. Maintain Documentation
Keep audit trails that satisfy both regulators — the Privacy Commissioner and the CAI.
5. Publish Privacy Information
Make privacy officer contact information publicly available per Law 25 requirements.
6. Track by Jurisdiction
Know which law applies to each request based on the requester's location and your activities.
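The six steps above can be encoded so that jurisdiction routing, the strictest deadline, the extension cap and the audit trail are enforced by the intake system rather than by memory. The following is an added example written for this guide; it is not code from DSAR Suite or from the page's author. The response and extension figures are the ones this page states (verify them against the current Acts before relying on them), and the set of provinces treated as having substantially similar legislation (QC, AB, BC) is this example's assumption.

```python
"""DSAR intake helper for PIPEDA / Law 25 dual compliance.

Added example, not code from the page's author or from DSAR Suite. Deadline
and extension figures are the ones the page states; the SUBSTANTIALLY_SIMILAR
set is an assumption of this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

PIPEDA = "PIPEDA"
LAW25 = "Law 25"

# Assumption: provinces whose own private-sector laws displace PIPEDA for
# purely intra-provincial commercial activity.
SUBSTANTIALLY_SIMILAR = {"QC", "AB", "BC"}

# Statutory response window and maximum extension, per the page's comparison.
RESPONSE_DAYS = {PIPEDA: 30, LAW25: 30}
MAX_EXTENSION_DAYS = {PIPEDA: 30, LAW25: 10}

# Rights each law grants explicitly (comparison table). The process supports
# all four for every Canadian requester, as step 2 recommends.
STATUTORY_RIGHTS = {
    PIPEDA: {"access", "correction"},
    LAW25: {"access", "correction", "deletion", "portability"},
}
SUPPORTED_TYPES = {"access", "correction", "deletion", "portability"}


def applicable_laws(requester_province, org_provinces, federally_regulated=False,
                    interprovincial=False):
    """Map the page's 'which law applies' checklist onto one request (step 6)."""
    laws = set()
    if requester_province == "QC" or "QC" in org_provinces:
        laws.add(LAW25)
    if federally_regulated or interprovincial or (set(org_provinces) - SUBSTANTIALLY_SIMILAR):
        laws.add(PIPEDA)
    return laws


@dataclass
class DsarRequest:
    request_id: str
    request_type: str
    received: date
    laws: set
    extension_days: int = 0
    audit: list = field(default_factory=list)  # step 4: audit trail for both regulators

    def __post_init__(self):
        if self.request_type not in SUPPORTED_TYPES:
            raise ValueError(f"unsupported request type: {self.request_type}")
        if not self.laws:
            raise ValueError("no applicable law determined; cannot set a deadline")
        self.log("received", self.received, laws=sorted(self.laws))

    def log(self, event, on, **details):
        self.audit.append({"event": event, "on": on.isoformat(), **details})

    @property
    def base_deadline(self):
        # Step 1: the strictest window across every applicable law.
        return self.received + timedelta(days=min(RESPONSE_DAYS[l] for l in self.laws))

    @property
    def deadline(self):
        return self.base_deadline + timedelta(days=self.extension_days)

    def extend(self, days, notice_sent_on):
        """Extend only if every applicable law permits it and the requester was
        notified before the original window lapsed. Returns the new deadline."""
        cap = min(MAX_EXTENSION_DAYS[l] for l in self.laws)
        if self.extension_days + days > cap:
            raise ValueError(f"extension exceeds the {cap}-day cap for {sorted(self.laws)}")
        if notice_sent_on > self.base_deadline:
            raise ValueError("extension notice must be sent within the original 30-day window")
        self.extension_days += days
        self.log("extended", notice_sent_on, days=days)
        return self.deadline

    def statutory_basis(self):
        """Which applicable laws explicitly grant the requested right."""
        return {l for l in self.laws if self.request_type in STATUTORY_RIGHTS[l]}


def open_request(request_id, request_type, received_iso, laws):
    """Convenience wrapper taking an ISO date string (constructed input)."""
    return DsarRequest(request_id, request_type, date.fromisoformat(received_iso), laws)


if __name__ == "__main__":
    # Constructed scenario: Québec resident, organization active in ON and QC
    # with interprovincial data flows, so both laws apply.
    laws = applicable_laws("QC", {"ON", "QC"}, interprovincial=True)
    req = open_request("DSAR-0001", "portability", "2026-02-02", laws)
    print("applies:", sorted(laws), "statutory basis:", sorted(req.statutory_basis()))
    print("deadline:", req.deadline)
    print("extended to:", req.extend(10, date.fromisoformat("2026-02-20")))
    for entry in req.audit:
        print(entry)
```

Because both laws apply in the sample scenario, the extension cap collapses to Law 25's 10 days even though PIPEDA alone would allow 30; a second extension request is refused rather than silently exceeding the stricter law. A requester from a province whose own law displaces PIPEDA (BC or AB in the assumed set) yields no applicable law here, which is the signal to add that province's statute rather than default to PIPEDA.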
One Tool for All Canadian Privacy Compliance
DSAR Suite is built to handle requests under both PIPEDA and Law 25, with jurisdiction tracking, automated deadlines, and audit trails for both regulators.