Index · Provincial · March 2026
Provincial Data Sovereignty Exposure Index
By Joshua van Es, Founder of Upper Harbour
Canada's privacy landscape is fragmented. Quebec has the strictest privacy law in the country. British Columbia mandates data residency for public bodies. Alberta has its own private-sector framework. Seven provinces have no private-sector privacy law at all. This index maps the regulatory reality across all 13 provinces and territories for the first time in one place.
The framework comparison
Canadian data sovereignty obligations vary dramatically by province. An organization operating nationally must navigate a patchwork of federal and provincial requirements — and the gap between the most protected jurisdiction (Quebec) and the least protected is enormous.
| Province | Private-Sector Law | TIA Required | Max Penalty | Private Action | Residency Mandate | Framework Strength |
|---|---|---|---|---|---|---|
| Quebec | Law 25 | Yes | $25M / 4% | Yes ($1K min) | No (assessment req.) | ■■■■■ Strong |
| British Columbia | PIPA | No | $100K | No | Yes (public bodies) | ■■■□□ Moderate |
| Alberta | PIPA | No | $100K | No | No | ■■■□□ Moderate |
| Ontario | PIPEDA (federal) | No | $100K | No | No | ■■□□□ Weak |
| New Brunswick | PIPEDA (federal) | No | $100K | No | No | ■■□□□ Weak |
| Nova Scotia | PIPEDA (federal) | No | $100K | No | No | ■■□□□ Weak |
| Manitoba | PIPEDA (federal) | No | $100K | No | No | ■■□□□ Weak |
| Saskatchewan | PIPEDA (federal) | No | $100K | No | No | ■■□□□ Weak |
| PEI | PIPEDA (federal) | No | $100K | No | No | ■■□□□ Weak |
| NL | PIPEDA (federal) | No | $100K | No | No | ■■□□□ Weak |
| Yukon | PIPEDA (federal) | No | $100K | No | No | ■□□□□ Minimal |
| NWT | PIPEDA (federal) | No | $100K | No | No | ■□□□□ Minimal |
| Nunavut | PIPEDA (federal) | No | $100K | No | No | ■□□□□ Minimal |
Detailed provincial profiles
Quebec
Private-Sector Law: Law 25 (Act to modernize legislative provisions as regards the protection of personal information)
Public-Sector Law: Act respecting Access to documents held by public bodies
Enforcement Body: Commission d'accès à l'information du Québec (CAI)
Maximum Penalty: $25M or 4% of global turnover
TIA Required: Yes — before any cross-border data transfer
Private Right of Action: Yes — minimum $1,000 per violation; class actions permitted
Consent Standard: Express opt-in; parental consent for minors under 14
Privacy Officer Required: Yes — name must be published on website
Quebec's Law 25 is the most comprehensive privacy law in Canada and comparable to the EU's GDPR. It is the only province with mandatory TIAs for cross-border data transfers, a private right of action, and penalties scaled to global revenue. For SaaS compliance, Law 25 creates the highest bar in Canada — every US-parented tool processing personal information of Quebec residents requires a documented assessment. Upper Harbour's research focuses heavily on Law 25 compliance because it represents where Canadian privacy law is heading.
British Columbia
Private-Sector Law: Personal Information Protection Act (PIPA)
Public-Sector Law: Freedom of Information and Protection of Privacy Act (FIPPA)
Enforcement Body: Office of the Information and Privacy Commissioner (OIPC)
Maximum Penalty: $100,000 (individuals: $10,000)
Data Residency Mandate: Modified — FIPPA amended in 2021: PIA required for sensitive PI stored outside Canada
TIA Required: No formal requirement, but OIPC guidance recommends assessment
BC historically had the strictest data residency requirement in Canada under FIPPA section 30.1. The 2021 amendment (Bill 22) relaxed the blanket prohibition — public bodies can now store sensitive personal information outside Canada after completing a privacy impact assessment that evaluates jurisdictional risk. For private-sector organizations, PIPA provides a framework deemed substantially similar to PIPEDA. BC's OIPC has been more active than most provincial commissioners on cloud and sovereignty issues, publishing specific guidance on cloud computing for public bodies. However, PIPA lacks the TIA requirement, penalty scale, and private right of action that make Law 25 so significant.
Alberta
Private-Sector Law: Personal Information Protection Act (PIPA)
Enforcement Body: Office of the Information and Privacy Commissioner of Alberta
Maximum Penalty: $100,000 (individuals: $10,000)
Cross-Border Provisions: Contractual safeguards required for international transfers
Alberta's PIPA is the only provincial private-sector law that specifically addresses cross-border data transfers through contractual requirements. While it doesn't mandate formal TIAs like Law 25, it requires organizations to ensure comparable protection through contracts. Alberta's growing technology sector and oil and gas industry — with significant SaaS adoption — make sovereignty an increasingly relevant issue for the province.
Ontario
Private-Sector Law: None — governed by federal PIPEDA
Public-Sector Law: FIPPA (provincial) + MFIPPA (municipal) + PHIPA (health)
Maximum Penalty (PIPEDA): $100,000 per violation
Ontario is Canada's largest province by population and GDP, yet it has no private-sector privacy law of its own. Private organizations are governed only by PIPEDA — which has no TIA requirement, lower penalties, and no private right of action. Ontario has sector-specific legislation for health information (PHIPA), but general private-sector data sovereignty obligations are minimal. This creates a significant gap: a company operating in both Ontario and Quebec faces dramatically different compliance requirements depending on whose personal information it's processing.
New Brunswick, Nova Scotia, Manitoba, Saskatchewan, Prince Edward Island, Newfoundland and Labrador, Yukon, Northwest Territories, and Nunavut do not have their own private-sector privacy legislation. Organizations in these jurisdictions are governed by PIPEDA. Each has its own public-sector freedom of information and privacy legislation with varying levels of specificity around data sovereignty. Some provincial health information acts (e.g., Nova Scotia's Personal Health Information Act) include provisions relevant to cross-border data, but these are sector-specific. For private-sector SaaS compliance in these provinces, PIPEDA's relatively permissive framework applies — meaning no formal TIA requirements and maximum penalties of $100,000.
Key findings
Quebec stands alone. No other Canadian province comes close to Law 25 in terms of cross-border data transfer requirements, penalty exposure, or individual rights. The gap between Quebec and every other province is not incremental — it's structural.
BC's framework has shifted from residency to risk assessment. FIPPA's blanket Canada-only storage mandate was relaxed in 2021. Public bodies must now conduct privacy impact assessments that evaluate jurisdictional risk — including foreign government access laws — before storing sensitive data outside Canada. This creates a de facto sovereignty assessment requirement, though it applies only to public bodies. BC has not enacted equivalent requirements for the private sector.
Seven provinces have no private-sector law at all. Organizations in Ontario, the Atlantic provinces, the prairies (except Alberta), and the territories operate under PIPEDA alone — the least demanding framework in Canada for cross-border data transfers.
The trajectory is toward Quebec's standard. The proposed federal Consumer Privacy Protection Act (CPPA) would bring federal law closer to Law 25 — including mandatory PIAs, higher penalties, and a private right of action. Organizations already compliant with Law 25 will be ahead of the curve when the CPPA eventually passes.
For national organizations
If you operate across provinces, your compliance baseline should be Law 25 — the strictest standard you're subject to. Complying with Law 25 will generally satisfy requirements in all other provinces. HarbourScan maps your SaaS stack to jurisdictional exposure regardless of which province you're in.
For detailed guidance on the specific frameworks discussed here, see our guides on Law 25 and your SaaS stack, PIPEDA vs Law 25, and sovereignty requirements for government procurement.