How do the three provinces compare?

Alberta (POPA), British Columbia (FIPPA), and Quebec (Law 25) all now require some form of privacy assessment for SaaS tools. But Alberta's approach is the most demanding. It is the only province that requires a mandatory template AND submission to a regulator. BC and Quebec require assessments but don't mandate a specific format, and neither requires filing with the commissioner. In Alberta, the OIPC will read your PIA.

What makes Alberta's requirements harder?

Three things: (1) The OIPC provides a mandatory template — you must use it, no alternative format accepted. (2) Certain PIAs must be submitted to the OIPC for review — the commissioner's office will evaluate whether your jurisdictional analysis is complete. (3) The template explicitly asks about CLOUD Act exposure in Section H2, Risk 7 — you can't skip or gloss over it. If your analysis is incomplete, the OIPC will know.

What does BC require?

BC's FIPPA was amended in 2021 to allow public bodies to store data outside Canada — but they must complete Privacy Impact Assessments evaluating jurisdictional risk. There's no mandatory template and no required submission to the OIPC of BC. Public bodies have more flexibility in format and approach, but less structured guidance.

What does Quebec require?

Quebec's Law 25 requires Transfer Impact Assessments (TIAs) for any cross-border transfer of personal information. This applies to all organizations — public and private sector — not just public bodies. Penalties are severe: up to $25 million or 4% of worldwide turnover. However, there's no mandatory template and no required submission to the CAI (Commission d'accès à l'information).

Which province should I worry about most?

If you're an Alberta public body, Alberta's requirements are the most immediately pressing — the mandatory template is new (March 2026), the PMP deadline is June 2026, and the OIPC is actively reviewing submissions. If you operate across multiple provinces, you may need to comply with all three frameworks. Upper Harbour's tools cover all three: Alberta POPA guide, BC FIPPA guide, Quebec Law 25 guide.

Auto-fill Alberta's mandatory template

Alberta is the only province with a mandatory PIA template submitted to a regulator. Our PIA Research Tool generates the jurisdictional answers for Sections F, G, and H2. $199.

Start PIA Research Tool →
Related guides

Alberta POPA overview → · CLOUD Act & Canadian data → · Data residency vs sovereignty → · PIA Research Tool →

Frequently asked questions

Do I need both a PIA and a TIA?

If you're an Alberta public body that also operates in Quebec, potentially yes — POPA requires PIAs and Law 25 requires TIAs. Upper Harbour offers compliance reports for both.

Is Alberta's template based on BC or Quebec formats?

No. The OIPC developed its own template specifically for POPA. It has unique sections (including cloud computing risks) that BC and Quebec templates don't require.

Sources: OIPC PIA resources · PIA template & guide · Upper Harbour classification methodology.