Last review date: 18 December 2024

Yes.

Alberta PIPA specifically requires organizations to notify individuals if they use a service provider outside Canada to collect and/or process personal data.

The Quebec Act specifically requires organizations to obtain individuals' consent in order to communicate their personal data outside Quebec or give a person outside Quebec the authority to hold, use or communicate the information, though implied consent (i.e., by providing appropriate notice) can be sufficient if the personal data is not sensitive personal data. Effective 22 September 2023, the amended Quebec Act requires organizations to conduct a mandatory privacy impact assessment before transferring personal information outside of Quebec. On 22 September 2023, the Quebec CAI released guidance on conducting a privacy impact assessment pursuant to the Quebec Act, and released a model privacy impact assessment for each organization’s consideration.

Transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer and one of the following applies:

☒      approved standard contractual clauses

☒       other solutions

Please see separate question for information on data localization provisions that are not restricted to personal data.

Generally, if an organization transfers personal data to a third party (whether inside or outside of Canada), the organization must use contractual or other means to ensure a comparable level of protection for the data while it is being processed by the third party. An organization must also ensure that the data is not used for purposes other than those for which it is transferred.