If your organization uses Microsoft 365, Google Workspace, Slack, HubSpot, Stripe, or any software hosted outside Quebec, you are sending personal information outside Quebec. This applies to almost every Quebec SME, and most of them have no documentation of it.
Since September 2023, section 17 of the Act respecting the protection of personal information in the private sector (Law 25) has imposed a specific process before any such transfer. The Commission d'accès à l'information (CAI) can request this documentation during an inspection or following a complaint. Organizations without it face significant administrative monetary penalties.
This guide walks through what section 17 actually requires, how it applies to common situations, and where to start if nothing has been done yet.
What Section 17 Says
Section 17 sets out three obligations that apply before any communication of personal information outside Quebec.
1. Conduct a privacy impact assessment (PIA). The assessment looks at the risks tied to the planned transfer. It must be documented and kept on file.
2. Confirm the information will receive adequate protection. The PIA must consider four elements: the sensitivity of the information, the purpose of its use, the protection measures in place (technical, contractual, and organizational), and the legal regime in the destination jurisdiction.
3. Sign a written agreement. The agreement must reflect the conclusions of the PIA and spell out the recipient's protection obligations.
These three steps are not optional. They apply to every Quebec private-sector organization, regardless of size. The public sector has equivalent obligations under the Act respecting access to documents held by public bodies (A-2.1).
What Counts as a Cross-Border Transfer?
The definition is broader than most organizations expect. A cross-border transfer happens any time personal information is made accessible, transmitted, or stored outside Quebec.
Here are situations that count:
- Cloud hosting on servers in the United States, Europe, or anywhere else (Microsoft 365, Google Workspace, AWS, Azure, Google Cloud)
- SaaS tools with servers outside Quebec (HubSpot, Salesforce, Stripe, Mailchimp, Zoom)
- Data access by a team located outside Quebec (technical support in the Philippines, IT team in Toronto, contractor in India)
- File backups stored in a foreign cloud service
- Sharing with vendors based outside Quebec (US accounting firm, Toronto marketing agency, New York law firm)
The most common mistake is believing that a Quebec organization that does not actively export data is not making any cross-border transfer. If your emails route through Microsoft's US servers, you are sending personal information outside Quebec every day.
The Three Obligations in Practice
1. The Privacy Impact Assessment
The PIA is a documented exercise that answers several questions:
- What personal information is being transferred?
- How sensitive is the information?
- Why is the transfer necessary?
- Who at the recipient organization will have access?
- What technical security measures does the recipient apply?
- What are the recipient's legal obligations in their jurisdiction?
- What residual risks remain after protection measures are in place?
The depth of the assessment should match the risk. A PIA for sending a list of business email addresses to an email service provider differs significantly from a PIA for sending health records to a US contractor.
2. Adequate Protection
Section 17 uses the phrase "protection equivalent to that provided under this Act." In practice, you must show that the recipient offers safeguards comparable to what Quebec law requires for:
- Information security (encryption, access controls, logging)
- Limits on how the information can be used
- Retention periods
- Individual rights (access, correction)
- Incident notification
To assess the destination jurisdiction, you compare the applicable legal regime. The United States, for example, has no federal law equivalent to Law 25. This absence does not close the door to transfers. It simply shifts more of the protection burden onto the contract and the technical measures around the transfer.
3. The Written Agreement
The agreement with the recipient must reflect the conclusions of your PIA. Several clauses have become essential:
- Precise description of the information transferred and its purpose
- Confidentiality commitment and limitation to the stated purpose
- Minimum required security measures
- Restrictions (or framework) on sub-transfers to other third parties
- Prompt notification of confidentiality incidents
- Cooperation with access and correction requests
- Return or destruction of the information at contract end
- Right to verify or audit
For major vendors (Microsoft, Google, AWS), these clauses appear in standardized contractual addenda (a Data Processing Addendum, or DPA). The agreement still needs to be signed and on file.
Common Scenarios and What They Require
Here is how section 17 applies to the tools most Quebec SMEs use.
| Tool or situation | Triggered obligation |
|---|---|
| Microsoft 365 (Exchange, OneDrive, Teams) | PIA, DPA on file |
| Google Workspace | PIA, DPA on file |
| HubSpot, Salesforce, Pipedrive | PIA, DPA on file |
| Stripe, Square, Moneris (depending on hosting) | PIA, clause review |
| Slack, Notion, Asana | PIA, DPA on file |
| Cloud backups (Backblaze, Carbonite) | PIA, choose a hosting region if available |
| Contractor or freelancer outside Quebec | Full PIA, custom agreement |
| Accounting, legal, or marketing firm outside Quebec | Full PIA, custom agreement |
Major SaaS vendors generally provide compliance tools: regional compliance pages, hosting region selection, standard contractual addenda. Your job is to activate them, sign them, and keep the documentation.
What the CAI Looks for in an Inspection
During an inspection or after a complaint, the CAI typically asks for:
- The list of vendors and tools that store personal information outside Quebec
- The PIAs completed for each (at least the most significant ones)
- The corresponding contractual agreements
- Evidence those agreements are current
- The internal procedure for assessing any new vendor
A lack of documentation weighs heavily in the CAI's assessment of how cooperative an organization has been. The CAI considers the quality of the effort, and imperfect-but-genuine documentation is received better than a complete absence of effort.
Where to Start If Nothing Has Been Done
If your organization has just discovered section 17 and has no documentation of cross-border transfers yet, here is a realistic seven-step approach.
1. Inventory your tools. List every piece of software, cloud service, contractor, and vendor with access to personal information.
2. Locate the data. For each tool, identify where the data is hosted. This information lives in the vendor's documentation or in their data processing addendum.
3. Triage by sensitivity. Classify tools by the sensitivity of the information they handle (financial data, health records, HR data, basic contact information).
4. Prioritize the PIAs. Start with the tools that handle the most sensitive information or the largest volume. Avoid trying to cover everything in one week.
5. Review the contracts. For each vendor, check whether an adequate addendum is in place. For major vendors, these documents already exist; the work is often just signing them.
6. Centralize the documentation. Keep PIAs, agreements, and supporting evidence in one register, accessible to the privacy officer.
7. Define a process for future vendors. Set up a systematic assessment procedure before adopting any new tool. This avoids having to redo the exercise after the fact.
For an organization with 20 to 100 employees, this initial process usually takes between 20 and 60 hours, depending on the complexity of the tech stack.
An Ongoing Process
Section 17 does not apply once. Each new vendor, each platform change, each significant change to the information being transferred triggers a new assessment. A Quebec SME that adopts three or four new tools per year needs to fold this check into its purchasing or vendor selection process.
This is precisely why Observantia centralizes the vendor register, PIAs, and agreements in one place. The dashboard keeps the assessment history, flags upcoming renewals, and gives the privacy officer a clear view of the whole program. Start your 14-day free trial.
This content is provided for informational purposes only and does not constitute legal advice. For questions specific to your situation, consult a qualified legal professional.