The headline finding
Only one Canadian jurisdiction — Quebec — has a data sovereignty framework that would be recognizable as adequate by international standards. British Columbia and Alberta have their own private-sector privacy laws, which gives them a foundation to build on, but neither has implemented cross-border transfer controls or CLOUD Act-specific provisions. The federal government's framework, PIPEDA, is a 25-year-old statute with no meaningful penalty structure, no Transfer Impact Assessment (TIA) requirement, and no enforcement teeth. Ontario — Canada's largest province and economic centre — has no private-sector privacy law at all.
This is not a marginal gap. The distance between Quebec's score (82) and the average score of all other jurisdictions (27) is the distance between a country that takes data sovereignty seriously and one that doesn't. When the Prime Minister says digital sovereignty is a national priority, the scorecard shows that most of Canada's legal infrastructure does not yet support that ambition.
The proposed Consumer Privacy Protection Act (CPPA) under Bill C-27 died on the order paper in January 2025. The Osler legal review expects new legislation in late 2025 or early 2026, but as of February 2026 no replacement for PIPEDA has been enacted. This means Canada's federal private-sector privacy framework dates to 2001 and carries a maximum penalty of $100,000 — roughly what a mid-size SaaS contract costs. The European Commission's adequacy determination for Canada, which enables cross-border data flows with the EU, was made on the basis of PIPEDA. If Canada's framework is deemed insufficient for adequacy renewal, the trade implications are significant.
Methodology
The scorecard evaluates each jurisdiction across six equally weighted dimensions, each scored 0–4 on a transparent rubric. The six dimension scores are summed (maximum 24) and converted to a percentage (maximum 100). We selected dimensions that map directly to whether a jurisdiction's legal framework can actually protect Canadian data from foreign jurisdictional reach — which is what sovereignty means in practice.
Dimension 1: Legislation strength (0–4)
Does the jurisdiction have modern, comprehensive private-sector privacy legislation with data sovereignty provisions? Scores range from 0 (no provincial private-sector law, relies on PIPEDA) to 4 (comprehensive, modern legislation with explicit cross-border and sovereignty provisions, comparable to GDPR).
Dimension 2: Enforcement capacity (0–4)
Does the regulator have order-making power, adequate resources, and a demonstrated track record of enforcement? A law without enforcement is a suggestion. Scores range from 0 (regulator can only make recommendations) to 4 (regulator has order-making power, has issued post-reform enforcement actions, and processes a significant volume of complaints and incident notifications).
Dimension 3: Procurement sovereignty (0–4)
Does government procurement policy require or incentivize data sovereignty for public-sector SaaS and cloud purchases? Government procurement is the single largest policy lever for driving sovereignty standards into the market. Scores range from 0 (no sovereignty requirements in procurement) to 4 (explicit data sovereignty and Canadian-ownership requirements in government technology procurement, with enforcement mechanisms).
Dimension 4: Cross-border transfer controls (0–4)
Are Transfer Impact Assessments or equivalent mechanisms mandatory for cross-border data flows? This is the operational heart of sovereignty: if an organization can send data offshore without documenting the risks, the framework is incomplete. Scores range from 0 (no TIA or equivalent requirement) to 4 (mandatory TIAs with specific evaluation criteria for foreign legal frameworks, including extraterritorial law access).
Dimension 5: CLOUD Act awareness (0–4)
Does the legal framework explicitly acknowledge or address the risk of foreign law access to data, including the US CLOUD Act? The CLOUD Act is the single biggest jurisdictional threat to Canadian data sovereignty. A framework that doesn't address it is ignoring the primary risk. Scores range from 0 (no mention or acknowledgment) to 4 (legal framework explicitly addresses extraterritorial foreign law access, with binding requirements for organizations to assess and mitigate CLOUD Act exposure).
Dimension 6: Penalty and accountability (0–4)
Are penalties meaningful enough to drive compliance? Do individuals have private rights of action? Compliance follows consequences. Scores range from 0 (no meaningful penalties, no private right of action) to 4 (administrative penalties in the millions or percentage of revenue, penal fines, and private right of action with minimum statutory damages).
Full rankings
| Rank | Jurisdiction | Legislation | Enforcement | Procurement | Transfer Controls | CLOUD Act | Penalty | Total /100 |
|---|---|---|---|---|---|---|---|---|
| 1 | Quebec | 4 | 4 | 3 | 4 | 2 | 4 | 82 |
| 2 | British Columbia | 3 | 2 | 3 | 1 | 1 | 2 | 54 |
| 3 | Alberta | 3 | 2 | 1 | 1 | 1 | 3 | 46 |
| 4 | Federal (PIPEDA) | 2 | 1 | 2 | 1 | 1 | 1 | 34 |
| 5 | Ontario | 0 | 1 | 1 | 0 | 0 | 1 | 18 |
| 6 | Saskatchewan | 0 | 1 | 0 | 0 | 0 | 1 | 14 |
| 7 | Manitoba | 0 | 1 | 0 | 0 | 0 | 1 | 14 |
| 8 | New Brunswick | 0 | 1 | 0 | 0 | 0 | 1 | 14 |
| 8 | Nova Scotia | 0 | 1 | 0 | 0 | 0 | 1 | 14 |
| 8 | Prince Edward Island | 0 | 1 | 0 | 0 | 0 | 1 | 14 |
| 8 | Newfoundland & Labrador | 0 | 1 | 0 | 0 | 0 | 1 | 14 |
| 8 | Yukon | 0 | 1 | 0 | 0 | 0 | 1 | 14 |
| 8 | Northwest Territories | 0 | 1 | 0 | 0 | 0 | 1 | 14 |
| 8 | Nunavut | 0 | 1 | 0 | 0 | 0 | 1 | 14 |
Jurisdiction analysis
The structural problem
This scorecard reveals something more important than individual grades: it shows that Canada's data sovereignty posture is structurally fragmented. The variation between jurisdictions is not a feature of federalism — it is a vulnerability.
Consider what this means in practice. A national organization headquartered in Ontario, with employees in Quebec and clients in British Columbia, faces three entirely different compliance regimes. Its Quebec employees' data requires TIAs for every US-parented SaaS tool. Its Ontario operations have no such obligation. Its BC public-sector clients may require data residency in Canada. None of this is coordinated. There is no mutual recognition framework. There is no baseline standard.
The EU solved a comparable coordination problem through the GDPR — a single, binding regulation that applies across all member states with consistent enforcement. Canada has gone the opposite direction: a patchwork of federal, provincial, and territorial frameworks with no unifying floor.
If enacted in a form comparable to Bill C-27, the CPPA would raise the federal score significantly: penalties would increase to $25M or 5% of revenue, a private right of action would be introduced, the OPC would gain order-making power, and the proposed Tribunal would create an enforcement mechanism with teeth. The critical open question is whether the CPPA will include explicit cross-border transfer assessment requirements and CLOUD Act-specific provisions. If it does, the federal score could jump from 34 to the low 70s — which would automatically raise the floor for the seven provinces and three territories that rely on PIPEDA. If it doesn't address cross-border sovereignty explicitly, the CPPA will be a better privacy law but still an incomplete sovereignty framework.
Policy implications
Three things need to happen for Canada's data sovereignty posture to match its stated ambitions:
First, the federal government needs to pass the CPPA — with explicit cross-border sovereignty provisions. The CPPA as proposed in Bill C-27 would significantly strengthen the penalty structure and enforcement capacity. But it needs to go further. Mandatory Transfer Impact Assessments for cross-border data flows, explicit CLOUD Act risk assessment requirements, and a sovereignty-aware procurement framework should be built into the legislation, not left to guidance documents that can be ignored.
Second, Ontario needs a private-sector privacy law. The largest province in Canada cannot continue to rely on a 25-year-old federal statute for private-sector privacy protection. Ontario's lack of legislation creates a sovereignty gap at the centre of the Canadian economy. Every other G7 country's largest economic jurisdiction has modern privacy legislation. Ontario is the outlier.
Third, Canada needs a coordination mechanism. The current fragmentation is not just inefficient — it is a strategic vulnerability. A national organization cannot manage 13 different sovereignty frameworks efficiently. The federal government, in consultation with provinces, should establish a minimum sovereignty standard — a floor that no jurisdiction falls below — while allowing provinces like Quebec to exceed it. This is not an unprecedented ask: Canada already does this in securities regulation, environmental assessment, and building codes.
How we'll track progress
This scorecard will be updated quarterly. As legislation is introduced, enacted, or amended, scores will be adjusted with full transparency about what changed and why. Alberta's expected PIPA amendments will be a significant early test — if the review committee's 12 recommendations are enacted, Alberta could move from a C to a B. The CPPA's passage (or continued absence) will be the single biggest score change on the next update.
Jurisdictions that want to improve their score know what to do. The methodology is transparent. The dimensions are weighted equally. There are no subjective style points. A province's score improves when its legal framework demonstrably strengthens the sovereignty of Canadian data within its borders.
This scorecard was developed by Joshua van Es at Upper Harbour, drawing on the analysis underlying the Canadian Technology Sovereignty Index (715 tools mapped), the Provincial Exposure Index, and the Government SaaS Stack Audit. Van Es has a background in corporate law and policy research, and his work has been published in Maclean's, OpenCanada, BetaKit, and by McGill-Queen's University Press. Questions, corrections, and feedback: [email protected].