Cross-border data transfer
A cross-border data transfer is any movement of personal information outside the jurisdiction where it was collected — which, in Quebec, triggers a mandatory assessment before the data leaves.
Sending personal information to a service provider, affiliate, or server in another province or country is a cross-border transfer. Under federal PIPEDA, transfers for processing are allowed, but the organization remains accountable and must use contractual and other means to ensure a comparable level of protection.
Quebec’s Law 25 is stricter: before communicating personal information outside Quebec, you must conduct a privacy impact assessment (ÉFVP) that weighs the data’s sensitivity, the purpose, the safeguards in place, and the legal framework of the destination. The transfer may proceed only if the assessment shows the information will receive adequate protection, and it should be governed by a written agreement.
In practice: inventory your transfers in your ROPA, run the PIA where required, lock in contractual safeguards, and consider data residency options to reduce the number of transfers you have to justify.