Why Canadian schools face cross-border privacy exposure every day
A Canadian university or college using Google Workspace, Zoom, Salesforce, or any US-hosted CRM is, by definition, communicating personal information to organizations located outside Canada. This is not a theoretical compliance risk — it is the daily operational reality of virtually every Canadian higher education institution.
Canada's privacy landscape changed materially in September 2023, when most provisions of Quebec's Law 25 (formerly Bill 64, which amended the Act respecting the protection of personal information in the private sector and its public-sector counterpart) came into force; the final tranche, the right to data portability, followed in September 2024. Law 25 introduced one of North America's most stringent cross-border data transfer requirements: a documented privacy impact assessment before any personal information is communicated outside Quebec. At the federal level, the Personal Information Protection and Electronic Documents Act (PIPEDA) continues to govern personal information handled in the course of commercial activity, including flows that cross provincial and international borders.
For institutions recruiting internationally — particularly from Europe, where GDPR applies — a third layer of compliance obligation may arise. Understanding how these three frameworks interact is essential for any institution managing admissions at scale.
The Canadian legal framework for cross-border data transfers
PIPEDA: the federal baseline
PIPEDA applies to personal information collected, used or disclosed in the course of commercial activity, and it continues to govern flows that cross provincial or national borders even in provinces with substantially similar legislation (Quebec, British Columbia, Alberta). Private colleges and the commercial recruiting activities of other institutions fall within its scope; public universities are generally governed by provincial public-sector statutes instead. PIPEDA's Schedule 1, clause 4.1.3 provides that an organization remains accountable for personal information transferred to a third party for processing, and must use contractual or other means to provide a comparable level of protection while the information is being processed.
In practice, PIPEDA compliance for cloud transfers means having a written agreement with SaaS vendors that specifies the purposes of processing, requires the vendor to maintain comparable privacy protection, and provides for notification in the event of a security breach or unauthorized disclosure. PIPEDA does not require a formal privacy impact assessment for cross-border transfers — that is where Law 25 introduces a higher standard for Quebec-based operations.
Law 25 (Quebec): ÉFVP and the strictest provincial standard
Law 25 applies to any enterprise that collects, holds, uses or communicates personal information in the course of carrying on an enterprise in Quebec, regardless of where its servers or head office sit. For Quebec-based colleges, CEGEPs and universities it is the primary compliance framework. Note that Quebec's public universities and CEGEPs are public bodies governed by the public-sector access act, which Law 25 amended with parallel obligations (its cross-border provision is section 70.1); the section numbers cited below are those of the private-sector act.
The most operationally significant provision for data transfers is section 17: before communicating personal information outside Quebec, an organization must conduct a privacy impact assessment (Évaluation des facteurs relatifs à la vie privée, ÉFVP) that takes into account the sensitivity of the information, the purposes for which it will be used, the protection measures (contractual or otherwise) that will apply, and the legal framework of the destination jurisdiction. The communication may proceed only if the assessment establishes that the information will receive adequate protection in light of generally accepted privacy principles, and it must be covered by a written agreement that reflects the assessment's results and any mitigation terms agreed with the recipient.
This requirement applies regardless of whether the recipient is in a country with an international adequacy recognition. There is no equivalent to the EU's adequacy decision list in the Quebec framework: even the United States — the destination for most Canadian SaaS data — requires a documented ÉFVP before personal information can be communicated there.
Additional Law 25 obligations relevant to cross-border transfers:
- Section 18.3: personal information may be communicated to a service provider without consent only under a written mandate or contract that sets out the measures the provider must take to protect it, limits use to the mandate, requires the provider to notify the privacy officer of any confidentiality incident, and allows the organization to verify compliance
- Section 3.1: the person with the highest authority in the organization is the Responsable de la protection des renseignements personnels (privacy officer) unless that function is delegated in writing; the officer's title and contact information must be published on the organization's website
- Sections 3.3 and 9.1: a privacy impact assessment is required for any project to acquire, develop or redesign an information system or electronic service that involves personal information, and technology products offered to the public must ship with the most privacy-protective settings enabled by default
The Commission d'accès à l'information (CAI) supervises Law 25 enforcement in Quebec. It can impose administrative monetary penalties of up to $10 million CAD or 2% of worldwide turnover for the preceding fiscal year, whichever is greater, and on prosecution the courts can impose penal fines of up to $25 million CAD or 4% of worldwide turnover; that upper tier is in the same range as GDPR's 4% ceiling.
Bill C-27: federal reform in progress
Bill C-27, introduced in June 2022, would have replaced PIPEDA's privacy provisions with the Consumer Privacy Protection Act (CPPA): it codified accountability for information transferred to service providers, required organizations to disclose whether personal information is transferred outside Canada, and gave the Office of the Privacy Commissioner of Canada (OPC) order-making powers backed by administrative monetary penalties. The bill died on the Order Paper when Parliament was prorogued in January 2025 and had not been enacted as of April 2026, so PIPEDA remains the federal baseline. Institutions should watch for a successor bill rather than assume C-27's text will return unchanged.
The ÉFVP in practice: what a privacy impact assessment requires
The ÉFVP under Law 25 is a documented analysis, not a checkbox exercise. It must cover the four factors section 17 names (sensitivity, purposes, protection measures, and the destination's legal framework), which in practice means four sections:
- The nature of the personal information being transferred (category, sensitivity, volume of records affected) and the purposes of the communication
- The legal framework of the destination jurisdiction: does it offer protection comparable to Quebec law? The CAI publishes no list of adequate jurisdictions, so for the United States the assessment generally has to rest on the contractual and technical measures applied to the transfer rather than on US law alone, and it should address lawful access by US authorities explicitly
- The contractual and technical safeguards in place (data processing agreement terms, encryption, access controls, government access request handling)
- Residual risk and additional measures — what further steps are required if protection is deemed inadequate before the communication can proceed
For US-hosted SaaS tools, most major vendors (Google, Microsoft, Zoom, Salesforce) publish Law 25 documentation (data-residency options, sub-processor lists, DPA addenda) that supplies the vendor-side inputs to the assessment; it does not replace the assessment itself. Your designated privacy officer must review, complete and sign off on each ÉFVP.
Cloud tools used by Canadian schools: compliance status
| Tool | Personal information held | PIPEDA DPA available | Law 25 ÉFVP required | Law 25 contract clauses |
|---|---|---|---|---|
| Google Workspace for Education | Email, Drive, Meet, forms | Yes | Yes — US-hosted by default | Available in Google DPA Appendix |
| Microsoft 365 / Teams | Email, SharePoint, Teams | Yes (OST + DPA) | Yes | Available — Canadian data centre option reduces scope |
| Zoom | Video calls, recordings | Yes | Yes | Available in DPA |
| Salesforce (CRM) | Admissions pipeline, prospect records | Yes | Yes | Available — Canadian data centre option |
| HubSpot | Marketing, email | Yes | Yes | Available |
| OUAC (Ontario Universities' Application Centre) | Applicant data | N/A — domestic, non-commercial intake body | Only for a Quebec institution (Ontario is outside Quebec) | N/A |
| Slate / Ellucian | CRM, student information | Yes | Yes | Verify Law 25 addendum with vendor |
Key note on OUAC and SRAM/SRACQ: Quebec's regional admission services (SRAM in Montreal, SRACQ in Quebec City) operate inside Quebec, so submitting applicant data to them is not a communication outside Quebec and does not itself trigger section 17. OUAC is an Ontario body: for an Ontario institution it is an in-province flow, but for a Quebec institution any data sent to it is a communication outside Quebec, because section 17 turns on leaving Quebec, not leaving Canada. In every case, the moment your institution imports application records into a US-hosted CRM, that integration is a cross-border communication requiring an ÉFVP, even though the intake system itself was domestic.
90-day compliance action plan for Canadian schools
Days 1–30: Inventory and assess
List all SaaS tools used in admissions, marketing, and student services that hold personal information about Quebec residents. For each tool, document: the jurisdiction of data hosting, whether a DPA exists under PIPEDA, and whether an ÉFVP has been completed. For institutions with no prior Law 25 documentation, this gap analysis is the critical first step before any remediation.
Expected output: a register of data processors with Law 25 and PIPEDA status per tool, identifying gaps.
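The inventory step above is easiest to keep honest when the register is machine-checked rather than maintained by hand in a spreadsheet. The following is an added example, not code from the page or from any vendor: it models the register as a set of processors plus the integrations that move data between them, flags the section 17 and 18.3 gaps per tool, and walks the integration graph so that a domestic intake system feeding a US-hosted CRM is reported as a cross-border flow. The tool names, regions, flags and flows are constructed sample data, and the rules encode this page's reading of Law 25, not legal advice.

```python
# Added example (not from the page): gap analysis over a processor register for
# Law 25 s.17 (communication outside Quebec) and s.18.3 (service-provider contracts).
# Tool names, regions, flags and flows below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Processor:
    name: str
    region: str                      # jurisdiction where the data is hosted: "QC", "ON", "US", ...
    dpa: Optional[bool]              # written agreement (PIPEDA 4.1.3 / s.18.3); None = not a vendor
    efvp_done: bool                  # s.17 assessment signed off by the privacy officer
    law25_clauses: bool              # s.18.3 contract clauses in place
    support_regions: Tuple[str, ...] = ()   # jurisdictions from which vendor staff can reach the data


def leaves_quebec(p: Processor) -> bool:
    """s.17 triggers on communication outside Quebec, not outside Canada:
    a Toronto data centre or US-based support access both count."""
    return p.region != "QC" or any(r != "QC" for r in p.support_regions)


def reachable_from(flows: List[Tuple[str, str]], start: str) -> List[str]:
    """Tools that receive data originating in `start`, transitively, in discovery order."""
    seen: List[str] = []
    stack = [start]
    while stack:
        node = stack.pop()
        for src, dst in flows:
            if src == node and dst not in seen and dst != start:
                seen.append(dst)
                stack.append(dst)
    return seen


def gap_report(processors: Dict[str, Processor],
               flows: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Per-tool list of open items; an empty list means nothing outstanding."""
    findings: Dict[str, List[str]] = {}
    for p in processors.values():
        issues: List[str] = []
        if leaves_quebec(p):
            if not p.efvp_done:
                issues.append("s.17 ÉFVP missing")
            if not p.law25_clauses:
                issues.append("s.18.3 clauses missing")
        if p.dpa is False:
            issues.append("no written DPA")
        findings[p.name] = issues
    # A domestic intake system is not a transfer by itself, but an integration that
    # pushes its records into a tool outside Quebec is one, so follow the graph.
    for name, p in processors.items():
        if leaves_quebec(p):
            continue
        for dst in reachable_from(flows, name):
            if leaves_quebec(processors[dst]):
                findings[name].append(f"data flows to {dst} (outside Quebec) via integration")
    return findings


# Constructed sample register (illustrative values, not statements about these vendors).
SAMPLE_PROCESSORS: Dict[str, Processor] = {
    "SRAM": Processor("SRAM", "QC", None, False, False),
    "Salesforce": Processor("Salesforce", "US", True, False, True),
    "Google Workspace": Processor("Google Workspace", "US", True, True, False),
    "Microsoft 365": Processor("Microsoft 365", "ON", True, True, True, ("US",)),
    "Zoom": Processor("Zoom", "US", False, False, False),
}
SAMPLE_FLOWS: List[Tuple[str, str]] = [
    ("SRAM", "Salesforce"),              # admissions export into the CRM
    ("Salesforce", "Google Workspace"),  # CRM mail-merge into Gmail
]

if __name__ == "__main__":
    for tool, issues in gap_report(SAMPLE_PROCESSORS, SAMPLE_FLOWS).items():
        print(f"{tool}: {'; '.join(issues) or 'no open items'}")
```

Running it on the sample register reports Salesforce as missing its ÉFVP, Google Workspace as missing section 18.3 clauses, Zoom as missing everything, Microsoft 365 as clean despite its Ontario hosting and US support access (because its assessment and clauses are recorded as done), and SRAM as feeding two tools outside Quebec through the CRM integration. The `support_regions` field is the point most registers omit: where vendor staff log in from is part of the communication, not just where the disks are.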
Days 31–60: Complete ÉFVPs and update contracts
For each US-hosted tool that lacks a completed ÉFVP, begin the assessment using vendor-supplied Law 25 documentation where available. Your privacy officer must review and approve each ÉFVP. Where DPAs are missing or lack Law 25-compliant terms (the written agreement section 17 requires for communications outside Quebec, and the contract clauses section 18.3 requires for any service provider), request updated agreements from vendors.
For high-volume tools like your primary CRM and email marketing platform, consider whether activating a Canadian data-residency option narrows the scope of the cross-border communication. Two caveats: section 17 turns on leaving Quebec, so a Toronto data centre still requires an ÉFVP (with a simpler legal-framework analysis), and storage location says nothing about vendor support staff or sub-processors who access the data from the United States. Ask the vendor where administrative access originates and record the answer in the assessment.
Days 61–90: Governance and ongoing compliance
Appoint or confirm your Responsable de la protection des renseignements personnels and publish their title and contact information on your institution's website, as section 3.1 requires. Implement a procurement review process: no new SaaS tool should go live without ÉFVP documentation and Law 25-compliant contract clauses. Train admissions and marketing staff on student and prospective student data rights under Law 25 (access, rectification, withdrawal of consent, de-indexation and, since September 2024, data portability).
One frequently overlooked area: cooperative education (co-op) placements. If student information is shared with employer partners outside Quebec as part of a co-op program, those disclosures also require ÉFVP documentation and appropriate contractual protections.
FAQ
Does Law 25 apply to English-language universities in Quebec such as McGill and Concordia?
Yes. Law 25 applies to any organization that holds personal information about Quebec residents, regardless of the institution's language of instruction or corporate structure. McGill, Concordia, Bishop's University, and all anglophone CEGEPs in Quebec must comply with Law 25 in the same manner as French-language institutions. The law does not distinguish by language of operation.
Is a separate ÉFVP needed for every individual data transfer, or once per tool?
The ÉFVP is required before each communication outside Quebec; in practice this is handled as one assessment per system-level data flow (for example, one ÉFVP for Salesforce, one for Google Workspace). You do not need a new ÉFVP every time a record is processed. The assessment must be reviewed and updated when there is a material change: the nature of the data communicated changes, the destination jurisdiction changes (including a vendor moving hosting or adding a sub-processor in a new country), or the vendor materially changes its data handling practices.
Canada has an EU adequacy decision under GDPR — does that protect Canadian schools under Law 25?
These are two separate instruments with independent scope. The EU adequacy decision for Canada allows personal data to flow from EU organizations to Canadian organizations under GDPR — it means EU data can flow to Canada without additional safeguards on the EU side. It has no bearing on how Canadian organizations must treat their outbound transfers under Law 25. Under Law 25, any communication of personal information outside Quebec requires an ÉFVP regardless of the destination country, including transfers to EU member states.
What are the penalties for Law 25 violations relating to cross-border transfers?
The CAI can impose administrative monetary penalties of up to $10 million CAD or 2% of worldwide turnover for the preceding fiscal year, whichever is greater; penal prosecution can add fines of up to $25 million CAD or 4% of worldwide turnover. Failures that expose an institution include communicating personal information outside Quebec without an ÉFVP, lacking the written agreement section 17 requires, engaging a service provider without section 18.3 contract terms, and failing to notify the CAI and affected individuals of a confidentiality incident that presents a risk of serious injury. The administrative penalty regime has been in force since September 2023.
Canadian institutions have navigated PIPEDA for two decades. Law 25 introduces a materially higher standard — one that requires documented impact assessments, not just contractual assurances, before personal information leaves Quebec. For any institution using US-hosted SaaS in admissions or marketing, the compliance gap is real and addressable with a structured vendor documentation program.