Law 25 vs GDPR: What Quebec Borrowed from Europe (and What It Added)
Quebec's Law 25 draws directly from the European General Data Protection Regulation (GDPR), which came into force on May 25, 2018. Both laws share the same philosophy: giving individuals control over their personal information and imposing significant financial penalties on organizations that fail to protect it. Professor Nicolas Vermeys of the Université de Montréal described Law 25 as a "copy-paste of the GDPR in many respects."
But Law 25 is not a simple copy. On several important points, Quebec went further than Europe. Here's what's similar, what's different, and what it means for your financial services firm.
What Law 25 Borrowed Directly from the GDPR
The two laws share a common foundation of principles and mechanisms.
- **Strengthened consent.** Like the GDPR (Articles 6 and 7), Law 25 requires manifest, free, and informed consent. Default consent (pre-checked boxes) is no longer valid. The individual must clearly understand what they're consenting to, and each purpose must be the subject of separate consent.
- **Right to erasure.** Inspired by GDPR Article 17 (the "right to be forgotten"), Law 25 allows any person to request deletion of their personal information when collection or retention is no longer necessary for the purposes for which it was collected.
- **Data portability.** Like GDPR Article 20, Law 25 (Phase 3, September 2024) grants the right to receive one's data in a structured, commonly used format, and to have it transmitted to another organization.
- **Impact assessments.** Law 25's PIA (Privacy Impact Assessment, called EFVP in French) is the equivalent of the GDPR's DPIA provided for in Article 35. Both require a risk analysis before any project involving personal information.
- **Privacy by default.** Both frameworks require that the most protective privacy settings be applied by default, without the individual having to activate them. GDPR Article 25 speaks of "data protection by design and by default."
- **Mandatory breach notification.** Both laws require notifying the supervisory authority (the CAI in Quebec, the national data protection authority in Europe) and affected individuals in case of an incident presenting a risk to individuals' rights.
- **Penalties proportional to revenue.** The "fixed amount or percentage of global revenue, whichever is greater" mechanism is structurally identical. The GDPR (Article 83) uses "€20M or 4% of annual worldwide turnover." Law 25 uses "$25M or 4% of global revenue" for criminal fines. The wording is nearly identical.

Where Quebec Goes Beyond the GDPR
On several aspects, Law 25 imposes stricter requirements than the GDPR. These additions are often unknown, even to companies that believe they're compliant because they comply with the GDPR.
- **Responsibility falls on the highest-ranking officer.** Under Law 25, responsibility for personal information protection rests by default on the person with the highest authority in the organization. Under the GDPR, the obligation is borne by the organization as a legal entity, and the DPO (Data Protection Officer) is an advisory role separate from management. Law 25 places responsibility directly on the shoulders of the principal officer.
- **PIAs are mandatory before any transfer outside the province.** This is probably the most significant difference for Canadian businesses. The GDPR governs transfers outside the European Economic Area (EEA) to third countries, with an adequacy decision mechanism. Law 25 requires a PIA before any communication of personal information outside Quebec, including to Ontario or Alberta. There is no automatic adequacy mechanism between Canadian provinces. Each transfer outside Quebec requires an assessment of the destination's legal framework.
- **Private right of action with a $1,000 floor.** Section 93.1 of Law 25 creates a civil action right unique in North America. The court must award punitive damages of at least $1,000 per person who is a victim of an intentional infringement or gross fault. Class actions are expressly permitted. The GDPR (Article 82) provides a right to compensation for any material or moral damage, but without a mandatory minimum floor. The Quebec mechanism is significantly more favorable to plaintiffs.
- **Automatic doubling for repeat offenses.** Section 92 of Law 25 provides that criminal fines are automatically doubled for repeat offenses. Under the GDPR, recidivism is one aggravating factor among others (Article 83, paragraph 2), but there is no automatic doubling. The difference is significant: under Law 25, it's automatic. Under the GDPR, it's at the supervisory authority's discretion.
- **Mandatory opt-in for all tracking and profiling.** Law 25 requires explicit opt-in consent before using tracking or profiling technologies. The GDPR, in certain cases, allows reliance on legitimate interest (Article 6(1)(f)) as a legal basis for profiling, without necessarily obtaining explicit consent. Quebec is the only jurisdiction in North America to require systematic opt-in for tracking.
- **Stricter privacy by default.** Under Law 25, the default privacy settings of technology products and services must ensure the highest level of privacy, without individual intervention. The GDPR is similarly worded, but European practice has allowed more flexibility in interpretation. The CAI has signaled strict application of this principle in its early surveillance decisions.

The Fine Mechanism Side by Side
The following compares penalty caps between the two regimes.
- **Administrative penalties (non-criminal path):** GDPR, tier 1: €10M or 2% of global revenue. GDPR, tier 2: €20M or 4% of global revenue. Law 25, AMPs: $10M or 2% of global revenue. In both cases, whichever is greater applies.
- **Criminal fines:** The GDPR does not directly provide a criminal path at the regulation level (member states may provide one in their transposition). Law 25 provides distinct criminal fines: $25M or 4% of global revenue, imposed by the Court of Québec.
- **Repeat offenses:** GDPR: aggravating factor at the supervisory authority's discretion. Law 25: automatic doubling of criminal fines.
- **Private action:** GDPR: right to compensation without a floor (Article 82). Law 25: right of action with a mandatory floor of $1,000 in punitive damages, class action permitted.
- **Individuals (officers):** GDPR: no direct penalties on individuals at the regulation level. Law 25: personal liability of directors and officers (section 93), AMPs up to $50,000 and criminal fines from $5,000 to $100,000.
The structure is similar, but Law 25 adds a distinct criminal layer, automatic doubling, and a private right of action that the GDPR doesn't have.
Concrete Enforcement: Two Very Different Speeds
The biggest difference between the two regimes is not in the text, but in enforcement.
Since May 2018, European authorities have imposed cumulative fines exceeding €5.65 billion under the GDPR. Record sanctions include fines of hundreds of millions of euros against tech giants. The GDPR has a considerable body of interpretation: EDPB guidelines (European Data Protection Board), CJEU case law (Court of Justice of the European Union), and thousands of decisions from national authorities.
In Quebec, as of early 2026, the CAI has not yet imposed any publicly disclosed AMP under Law 25. Its approach has been educational and progressively supervisory. Orders have been issued (facial recognition at Transcontinental, biometric project at Metro), but no AMPs. The trajectory mirrors the early years of the GDPR (2018-2019), where European authorities initially focused on guidance before moving to heavy penalties.
This window of leniency won't last forever. Several law firms describe the regime as "fully operational" and observe a progressive intensification of enforcement activity. Companies waiting for the first penalties before complying are playing a risky game.
What This Means for Your Firm
If you comply with Law 25, you're largely aligned with the GDPR. Law 25 is overall more demanding. A firm that meets the [seven Law 25 obligations](/blog/law-25-obligations-checklist) would be in good standing under the GDPR as well. The reverse isn't always true. A company compliant with the GDPR could have gaps under Law 25, particularly regarding the mandatory PIA for interprovincial transfers (a requirement with no equivalent in Europe, where intra-EEA transfers are free), the private right of action with the $1,000 floor (a financial risk the GDPR doesn't generate in the same way), and the personal liability of officers.

For firms doing business with European clients (e.g., expatriates or clients with foreign accounts), Law 25 compliance covers the vast majority of GDPR requirements, but not all. Cross-border transfer mechanisms differ, and the GDPR imposes additional obligations for transfers to Canada (Canada benefits from a partial adequacy decision from the European Commission, limited to organizations subject to federal PIPEDA).

In practice, for most Quebec financial services firms, Law 25 compliance is the priority. The GDPR is only relevant if you process data of European residents, which remains marginal for firms serving a local clientele.
---
*This article is part of a series on Law 25 and compliance for financial services firms. See also:*
- *[Quebec's Law 25: What Every Financial Advisor Needs to Know in 2026](/blog/quebec-law-25-guide-financial-advisors)*
- *[Law 25 Fines: Understanding Penalty Calculations for Your Firm](/blog/law-25-fines-penalty-calculations)*
- *[The 7 Law 25 Obligations Your Firm Must Meet Now](/blog/law-25-obligations-checklist)*
- *[Law 25 Class Actions: The Financial Risk Small Firms Underestimate](/blog/law-25-class-action-risk-small-firms)*
- *[PIA: How to Conduct a Privacy Impact Assessment](/blog/pia-privacy-impact-assessment-law-25)*
Frequently Asked Questions
Is Law 25 the equivalent of the GDPR in Quebec?
It draws heavily from it, but it's not a transposition. Law 25 adopts the GDPR's main principles (consent, portability, impact assessments, proportional penalties) but adds unique elements like the private right of action with a $1,000 floor, automatic doubling of fines for repeat offenses, and mandatory PIAs for interprovincial transfers. On some aspects, Law 25 is more demanding than the GDPR.
If my firm is GDPR-compliant, is it automatically Law 25 compliant?
Not necessarily. GDPR compliance covers a good portion of Law 25 requirements, but there are differences. The mandatory PIA before any transfer outside Quebec (even to Ontario), personal liability of officers, and the class action mechanism with a $1,000 floor are Quebec-specific. A Law 25-specific review is recommended.
Does Canada have an adequacy decision with the European Union under the GDPR?
Canada benefits from a partial adequacy decision from the European Commission, but it is limited to organizations subject to federal PIPEDA and does not cover organizations subject only to provincial laws. This situation is under review.
Why has the GDPR produced billions in fines while Law 25 has not yet imposed any AMPs?
The GDPR has been in force since 2018 with 27 national supervisory authorities with considerably larger budgets and teams than the CAI. Moreover, the GDPR's early years were also marked by a gradual approach. The first heavy sanctions only came in 2019-2020. The CAI is following a similar trajectory. The absence of AMPs today does not mean an absence of penalties tomorrow.