Yes. The Personal Information Protection and Electronic Documents Act ("PIPEDA") is a federal private sector privacy law that applies to the collection, use and disclosure of personal information in the course of a commercial activity and across borders, and to federal works, undertakings or business, including banks. There are also several provincial privacy laws in Canada that are substantially similar to PIPEDA.

PIPEDA requires that any organization transferring personal information cross-border for processing by a third party (including a cloud processor) must use contractual means to protect that personal information. Organizations must also be transparent about how they use personal information, including in certain circumstances advising data subjects that their personal information might be transferred to a third party for processing.

The Québec Act Respecting the Protection of Personal Information in the Private Sector ("Québec Act") does not explicitly address the use of cloud services, though it does provide that personal information cannot be released outside of Québec or entrusted to a body or person outside of Québec unless the information is protected at a level that is equivalent to the protection afforded under the Québec Act. The transferred information must only be used for the purposes for which consent was given.

Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, came into force on 22 September 2022, and has and will make changes to the Québec Act. These changes include the following:

• Mandatory breach reporting requirements
• Certain exemptions to consent where, for example, use of the information is necessary for the purpose of providing or delivering a service requested by an individual
• Notification requirements on enterprises to individuals at the time of collecting personal information