Legal disclaimer: This article is for general informational purposes only and does not constitute legal advice. Canadian privacy law, including PIPEDA, Loi 25, and provincial frameworks, is complex and jurisdiction-specific. Consult a qualified Canadian privacy counsel before acting on any information in this article.
What prospect data your tools collect and where it goes
Every time a prospective student fills in an enquiry form, starts a chatbot conversation, or clicks a retargeting ad, your tools are capturing personal information. That information does not stay on your institution's servers. It flows — automatically and instantly — to the US data centres behind the platforms your admissions team uses daily.
Google Workspace logs the email thread between an admissions advisor and a prospect, storing it in Google's US infrastructure unless Canadian data residency is explicitly configured. Meta Ads ingests names, email addresses, phone numbers, and behavioural signals via the Meta Pixel on your school's website, processing that data on servers subject to US jurisdiction. OpenAI's API, used by an increasing number of AI recruitment tools, sends conversation content to US servers where it is processed under the terms of your enterprise agreement — and under the reach of the US CLOUD Act.
The cross-border flow is not inherently unlawful under Canadian law. PIPEDA permits transfers outside Canada, subject to accountability requirements. Quebec's Loi 25 permits them too, subject to a completed privacy impact assessment and a contractual safeguard. The problem is not the transfer — it is the gap between what these tools actually do and what your institution has documented, assessed, and disclosed to prospects.
58% of prospects engaging with Canadian schools are non-native English or French speakers — international student recruitment (which Canada actively promotes) relies on multilingual AI tools that process data on US servers (Source: Automatic language detection across 8,500 Skolbot conversations, 2025–2026). These tools are not optional additions; they are the infrastructure of modern international enrolment. Compliance cannot mean abandoning them. It means managing them properly.
For the full Canadian student data protection framework, see our guide to student data protection for Canadian schools.
PIPEDA, Loi 25, and Canadian privacy rules for cross-border transfers
Canada does not operate a single, unified privacy law. Most private higher education institutions — career colleges, private universities, English-language schools — fall under federal PIPEDA. Institutions operating in Quebec are also subject to Loi 25. Institutions operating primarily in Alberta or British Columbia follow those provinces' Personal Information Protection Acts (PIPA), which are deemed substantially similar to PIPEDA by the federal government.
PIPEDA: the accountability framework for transfers abroad
The Personal Information Protection and Electronic Documents Act (PIPEDA) does not prohibit transferring personal information to a foreign country. Its accountability principle (Principle 1) holds your institution responsible for ensuring that any third party receiving the information — including a US cloud provider — provides a comparable level of protection. In practice, this requires a written contract covering the purposes of use, security safeguards, breach notification, and prohibition on onward disclosure.
The OPC's guidance on cloud computing is explicit: your institution remains fully accountable when prospect data moves to a cloud provider. You cannot outsource accountability by signing a vendor's standard terms. Your privacy notice must inform prospects that their information may be processed outside Canada, and you must be able to demonstrate — not merely assert — that comparable safeguards are in place.
The US CLOUD Act creates a specific risk the OPC has flagged. US authorities can compel a US-based cloud provider to disclose data held anywhere in the world, including data about Canadian residents stored in Canadian data centres, if the provider is a US person. This risk cannot be fully eliminated by contractual language with a US vendor — it is a structural feature of US law. Institutions must assess this risk, document the assessment, and inform prospects accordingly.
Quebec's Loi 25: the strictest standard in Canada
Quebec's Loi 25 applies to any organisation that collects, uses, or discloses personal information about Quebec residents, regardless of where the organisation is headquartered. For any institution recruiting Quebec students, Loi 25 is mandatory.
Loi 25 imposes three requirements that go beyond federal PIPEDA for cross-border transfers. First, before transferring personal information outside Quebec, your institution must complete an Évaluation des facteurs relatifs à la vie privée (EFVP) — a privacy impact assessment that specifically evaluates the protection framework of the destination country and the specific risks posed by the transfer. Second, the transfer must be governed by a written agreement that expressly requires the recipient to apply protection equivalent to Quebec standards. Third, the EFVP and the transfer agreement must be available to the Commission d'accès à l'information (CAI) on request. Penalties for non-compliance reach up to $25 million CAD or 4% of worldwide turnover.
BC and Alberta: PIPA in lieu of PIPEDA
Institutions in British Columbia and Alberta whose activities are substantially intra-provincial follow their provincial PIPA legislation. The transfer accountability principle is the same: personal information sent to a foreign provider must be protected by contractual safeguards. Neither province's legislation requires a formal written privacy impact assessment for cross-border transfers, but best practice — and increasingly, institutional risk management — calls for one regardless.
The EU adequacy question
Canada has historically benefited from a European Commission adequacy decision under GDPR, enabling EU personal data to flow to Canada without additional transfer mechanisms. That decision is under review, and its renewal in 2026 is not confirmed. Institutions recruiting European students should monitor this situation closely and should not assume that the adequacy shortcut remains available for EU-origin prospect data flowing into Canadian systems.
Google Workspace, Meta Ads, OpenAI — compliance scorecard for Canadian schools
The following table summarises the compliance position of the three most common US cloud tools in Canadian school recruitment, as of mid-2026. Compliance status reflects available contractual terms and published guidance; it is not a guarantee of adequacy in any specific institution's context.
| Tool | Data processing location | PIPEDA DPA available? | Loi 25 EFVP support | CLOUD Act exposure | Canadian data residency option | Notes |
|---|---|---|---|---|---|---|
| Google Workspace for Education | US (default); Canada-based storage configurable | Yes — Google Workspace Data Processing Amendment | Partial — Google's Privacy Resource Centre provides transfer impact documentation usable in EFVP | Yes — as a US company, Google is subject to CLOUD Act | Yes — Canadian data region available for Workspace for Education | Must explicitly configure Canadian region; default is US. Review sub-processor list annually. |
| Meta Ads (Facebook/Instagram) | Primarily US; some EU processing for EU users | Yes — Meta's Data Processing Terms for Ads are available for Canadian entities | Limited — Meta provides standard transfer documentation; institution must assess adequacy for Quebec purposes | Yes — Meta is a US company; CLOUD Act applies | No — no Canadian data centre option for Ads data | Prospect data uploaded via Custom Audiences is subject to Meta's standard ad data terms. Pixel data processed in US. Complete EFVP before enabling Pixel on Quebec-recruiting pages. |
| OpenAI (API / enterprise) | US (default); EU data residency available via Enterprise | Yes — OpenAI Data Processing Addendum (enterprise tier) | Partial — EU residency option reduces (but does not eliminate) CLOUD Act risk; institution must document residual risk | Yes — OpenAI is a US company regardless of data residency | No Canadian option; EU option available | Zero Data Retention (ZDR) mode available via API — prompts not stored or used for training. Strongly recommended for any recruitment AI tool processing prospect data. |
Three observations are worth drawing out. First, Canadian data residency for Google Workspace eliminates many transfer concerns under PIPEDA but does not eliminate CLOUD Act risk, because Google remains a US person. The OPC's guidance treats this as a residual risk to be documented rather than a prohibition on use. Second, Meta Ads has no Canadian data centre option — any institution deploying Meta Pixel on pages visible to Quebec prospects should complete an EFVP before go-live and ensure the Meta Data Processing Terms are signed. Third, OpenAI's Zero Data Retention mode materially changes the compliance calculus for API-driven AI tools: if prompts are not retained, the transfer risk profile is significantly lower.
5 steps for your Canadian school's privacy compliance
Step 1 — Map your data flows
Before you can manage cross-border transfers, you must know where your prospect data goes. Create a data flow map covering every tool in your admissions and marketing stack: CRM, chatbot platform, email marketing, advertising pixels, analytics, and event registration. For each tool, identify the data centre location, the contractual relationship, the personal information categories transferred, and the legal mechanism for the transfer. This map is the foundation of PIPEDA accountability documentation and Loi 25 compliance.
Step 2 — Execute or audit your DPAs
Every US cloud vendor processing prospect data on your behalf requires a signed Data Processing Agreement that meets PIPEDA's accountability standard. Review your current agreements against the checklist in our guide to PIPEDA-compliant chatbot vendors: purpose limitation, security safeguards, breach notification timelines, prohibition on AI model training using your data, and sub-processor disclosure. For Quebec institutions, verify that each DPA contains the specific provisions required by Loi 25 and that you have documented the agreement in your EFVP file.
Step 3 — Complete EFVPs for Quebec transfers
If your institution recruits Quebec-resident students and transfers their personal information outside Quebec — which it almost certainly does via any US cloud tool — you are required by Loi 25 to complete an EFVP before that transfer occurs. An EFVP must describe the personal information transferred, the purposes, the destination country's legal framework, the specific risks, and the mitigating measures. For the US, the EFVP must address CLOUD Act exposure specifically. The EFVP must be reviewed whenever the transfer circumstances change materially — a new sub-processor, a change in data residency, or a change in the applicable US law.
Step 4 — Update your privacy notice
Your public privacy notice must inform prospects that their personal information may be processed outside Canada, identify the countries or regions involved, describe the purposes of the transfer, and explain that comparable safeguards are in place. Under PIPEDA, this notice must be accessible before collection begins. Under Loi 25, it must identify your institution's designated privacy officer by name and contact details. Bury the cross-border transfer disclosure in a 12-page privacy policy that requires scrolling to page nine, and an OPC investigator will note it.
Step 5 — Set and enforce retention limits
Cross-border transfer risk accumulates with time. The longer you hold prospect data in a US cloud service, the longer the exposure window. PIPEDA's retention principle (Principle 5) and Loi 25's destruction obligation both require that personal information be deleted once its purpose is achieved. For non-converted prospects, the OPC's guidance points to three years from last active contact as the outer limit. Configure automated purging in every tool — CRM, chatbot platform, email marketing, analytics — so that data is not retained in US cloud services beyond that limit. For a detailed retention framework, see our guide to prospect data retention periods for Canadian schools.
FAQ
Does PIPEDA require Canadian data residency for prospect data?
No. PIPEDA does not require that personal information about Canadian residents be stored in Canada. It requires that personal information transferred to a foreign third party — including a US cloud provider — receive comparable protection, established through contractual safeguards. Canadian data residency is preferred and reduces risk, but it is a compliance strategy, not a legal requirement under federal law. Quebec's Loi 25 takes the same position: transfers outside Quebec are permitted with a completed EFVP and a written agreement requiring equivalent protection.
What is the CLOUD Act, and why does it matter for Canadian schools?
The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) authorises US law enforcement to compel US-based technology providers to produce data stored anywhere in the world, including in Canada, without necessarily notifying the data subject or the Canadian government. This applies to Google, Meta, OpenAI, and essentially any US-based cloud provider. The OPC has flagged CLOUD Act exposure in its guidance on US cloud services. It does not prohibit using US services, but it must be disclosed in your privacy notice and addressed in your EFVP for Quebec transfers. Contractual data sovereignty clauses with a US vendor do not override CLOUD Act obligations on the vendor.
Does signing a vendor's standard DPA satisfy PIPEDA's accountability requirement?
Partially. A signed DPA from a major vendor such as Google or Meta satisfies the formal requirement for a written agreement. However, PIPEDA's accountability principle requires that you verify the agreement actually provides comparable protection — not merely that a contract exists. In practice, this means reviewing the DPA against PIPEDA's ten principles, confirming that sub-processor lists are complete and disclosed, ensuring that the DPA prohibits using your prospect data to train AI models, and verifying breach notification timelines. For Quebec institutions, the DPA must be incorporated into the EFVP file and assessed specifically against Loi 25 requirements.
Do we need an EFVP even if we have a signed DPA with the vendor?
Yes, if you are subject to Loi 25 and are transferring personal information about Quebec residents outside Quebec. A DPA is a necessary contractual safeguard, but it does not replace the EFVP. Under Loi 25, the EFVP is a substantive assessment of the privacy risks of the transfer, conducted before the transfer begins. The DPA is one of the mitigating measures you will document in the EFVP. Both are required; neither substitutes for the other.
Is a school using OpenAI's free API tier compliant with PIPEDA?
No. OpenAI's free API tier does not include a Data Processing Addendum, and prompts submitted via the free tier may be used by OpenAI for model training — a secondary purpose that prospect data was not collected for, creating a purpose limitation violation under PIPEDA. Any school using AI tools powered by OpenAI must be on an enterprise or API tier that includes a signed DPA with a training data carve-out and, if available, Zero Data Retention mode enabled. For Quebec institutions, the absence of a signed agreement makes an EFVP impossible to complete properly, because no contractual safeguard exists to document.
Managing cross-border data flows is not a once-a-year compliance exercise. It requires ongoing attention to vendor sub-processor lists, DPA renewals, EFVP reviews when transfer circumstances change, and privacy notice updates when new tools are added to your stack. Canadian schools that treat privacy compliance as a procurement filter — not an afterthought — are better positioned to recruit internationally, respond to OPC or CAI inquiries, and maintain the institutional trust that drives enrolment.


