Skip to main content
Privacy Horizon
Privacy Impact Assessment

Privacy Impact Assessment Services in Quebec

Assess and document privacy risks in your programs and systems across Quebec.

Québec stands apart from every other Canadian province when it comes to privacy impact assessments. Under Law 25, a PIA is not simply a best practice — it is a legal obligation. Before any organization acquires, develops, or significantly overhauled an information system that involves personal information, and before any personal information is communicated outside Québec, a Privacy Impact Assessment must be conducted. This requirement is enforceable by the Commission d'accès à l'information du Québec (CAI), which has the authority to investigate, order corrective measures, and impose significant administrative monetary penalties.

Law 25 phased in between 2022 and 2024 and substantially modernized Québec's private-sector privacy regime. The obligations it introduced — mandatory breach reporting, privacy-by-default, stricter consent requirements, and the PIA mandate — apply to any organization that handles the personal information of Québec residents, not just organizations headquartered in the province. If you process Québec customer or employee data, Law 25 applies to your systems, and the PIA requirement follows.

Privacy Horizon conducts PIAs that satisfy the CAI's expectations under Law 25 — methodologically sound, documented in a format the regulator recognizes, and actionable for the teams who need to implement the findings. Our work begins with a comprehensive data flow map that covers every system, integration, and third-party relationship involved in handling personal information. That map drives the risk identification phase, where we evaluate both the likelihood and the potential impact of each privacy risk against the specific requirements Law 25 imposes.

For cross-border transfers — a particular area of regulatory focus under Law 25 — we conduct the privacy protection assessment that the Act requires before information leaves Québec, evaluate whether the destination jurisdiction's laws offer comparable protection, and document the conclusions in a form your legal and compliance teams can rely on. The result is a PIA that does not just check a box: it gives you a defensible record that due diligence was conducted properly, before the system launched or the transfer was made.

Privacy & security regulation in Quebec

Regulator: Commission d'accès à l'information du Québec (CAI)

Québec has Canada's most prescriptive private-sector privacy regime following Law 25, enforced by the Commission d'accès à l'information, with obligations that often exceed PIPEDA.

Law 25Act to modernize legislative provisions as regards the protection of personal information

Québec's Law 25 substantially modernized the province's private-sector privacy regime. Phased in between 2022 and 2024, it introduced mandatory breach reporting, privacy-by-default, stricter consent and transparency obligations, and significant administrative monetary penalties.

Read the legislation

PIPEDAPersonal Information Protection and Electronic Documents Act

PIPEDA is Canada's federal private-sector privacy law. It sets out ten fair information principles governing how organizations collect, use, and disclose personal information in the course of commercial activity. It applies wherever a province has not enacted substantially similar legislation — and, even in provinces that have (Alberta, British Columbia, Québec), it continues to apply to federally regulated businesses such as banks, airlines, and telecommunications, and to personal information that flows across provincial or national borders.

Read the legislation

What Privacy Impact Assessment includes

A privacy impact assessment (PIA) identifies and mitigates privacy risks before they become problems — and produces the documentation regulators and partners expect.

Data Flow Mapping

Understand how personal information moves through your systems.

Risk Identification

Surface privacy risks early, before launch.

Mitigation Planning

Concrete steps to reduce identified risks.

Regulator-Ready Documentation

Defensible records of your privacy diligence.

Law 25's Mandatory PIA Trigger and What It Covers

The obligation to conduct a PIA under Law 25 is triggered in three circumstances: acquiring a new information system that involves personal information, developing one from scratch, or overhauling an existing system to a degree that materially changes how it handles personal information. It is also triggered before communicating personal information outside Québec. The CAI's guidance makes clear that this is not a once-and-done exercise — if a system changes significantly, a new or updated assessment is required. Privacy Horizon helps organizations build a PIA program that is repeatable and properly scoped, so you are not starting from zero each time a trigger arises.

Cross-Border Communication and the Privacy Protection Assessment

Before personal information can be communicated outside Québec under Law 25, an organization must conduct a privacy protection assessment that evaluates the sensitivity of the information, the legal framework in the destination jurisdiction, and the contractual safeguards in place. If the assessment identifies risks that cannot be adequately mitigated, the communication must not proceed. This is a materially higher bar than what PIPEDA requires for cross-border transfers, and organizations that rely on US cloud infrastructure or international data processors need to understand where this obligation is triggered. Our team has direct experience navigating the CAI's expectations in this area and produces the documentation the assessment requires.

What's Protecting Your Business from the Next Threat?

Don't wait for a breach to expose your vulnerabilities. Let Privacy Horizon secure your data, ensure compliance, and build lasting trust.