What is Law 25?
Law 25 — formally the Act to modernize legislative provisions as regards the protection of personal information — is Quebec's overhaul of its privacy framework. It came into force in stages starting September 2022, with the most significant compliance obligations taking effect in September 2023 and September 2024.
It is widely considered the most stringent privacy law in Canada, drawing comparisons to the EU's GDPR. For organizations based in Quebec or processing the personal information of Quebec residents, Law 25 introduces obligations that go well beyond what PIPEDA requires at the federal level.
The provisions most relevant to your SaaS stack are the requirements around cross-border data transfers, Transfer Impact Assessments, and written agreements with service providers.
Why your SaaS stack matters
Every SaaS tool your organization uses is, in Law 25's terms, a service provider that processes personal information on your behalf (a "data processor" in GDPR vocabulary). When you use Slack for internal communications, your employee messages flow through the infrastructure of Salesforce, Inc., a US-headquartered company subject to the CLOUD Act. When your accounting team uses QuickBooks, your financial records pass through Intuit's infrastructure in the United States.
For a Quebec organization, each of these constitutes a transfer of personal information outside the province — and in most cases, outside Canada entirely. Law 25 has specific requirements for every one of these transfers.
Under Law 25, before communicating personal information outside Quebec, an organization must conduct a privacy impact assessment (PIA). In practice this assessment is often called a Transfer Impact Assessment (TIA), borrowing the GDPR term, and that is the term used here. The assessment evaluates whether the information would receive adequate protection in the receiving jurisdiction; the transfer may proceed only if the assessment establishes that it would, and it must then be covered by a written agreement that takes the assessment's findings into account. The assessment must be documented and available for review by the Commission d'accès à l'information (CAI).
What Law 25 requires for cross-border SaaS
1. Transfer Impact Assessments (TIAs)
For every SaaS tool that processes personal information outside Quebec, you must complete a TIA before the transfer occurs. The assessment must take into account the sensitivity of the information being transferred, the purposes for which it will be used, the protection measures (including contractual ones) that would apply to it, and the legal framework of the jurisdiction where it would be held, including the personal-information protection principles that apply there. Record the conclusion and the risks you identified; if the assessment finds that protection would not be adequate, the transfer cannot go ahead.
In practice, this means if you use 15 US-based SaaS tools, you need 15 documented TIAs.
2. Written agreements with service providers
Law 25 requires written agreements with any service provider that processes personal information on your behalf. These agreements must include provisions about what information is being shared, the purposes for processing, the security measures in place, and requirements around breach notification and data destruction.
In the SaaS context, this means having a Data Processing Agreement (DPA) in place with each vendor. While many large SaaS vendors offer standard DPAs, most Quebec organizations have never executed them — and standard DPAs may not meet Law 25's specific requirements.
3. Privacy Officer designation
Every organization must designate a person in charge of the protection of personal information, commonly called a Privacy Officer. By default this is the person with the highest authority in the organization (typically the CEO), who may delegate the role in writing. The title and contact information of this person must be published on your website. This person is responsible for ensuring that the organization implements and complies with the Act.
4. Breach reporting and incident register
Any confidentiality incident (data breach) involving personal information must be reported to the CAI, and to the affected individuals, if it presents a risk of serious injury. Every incident, reportable or not, must be recorded in an incident register that is kept for at least five years and produced to the CAI on request.
Enforcement is active and accelerating. In its 2023–2024 annual report, the CAI disclosed 277 privacy complaints received (242 processed), 444 confidentiality incident notifications (81% from the private sector), and 503 access and rectification dispute requests. The CAI issued its first enforcement order under the new Law 25 powers in September 2024, ordering a company to cease biometric data collection. No major monetary penalties have been announced as of February 2026 — but the enforcement infrastructure is operational, the complaint pipeline is building, and the CAI has signalled it is prepared to use its new powers. Organizations that are not yet compliant should understand this as a question of when, not if.
The CLOUD Act problem
The challenge isn't just where your data is stored; it's who can compel access to it. The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) makes clear that ordinary US legal process (warrants, court orders, subpoenas) reaches data held by providers subject to US jurisdiction regardless of where that data is physically located. It does not grant open access, but it means a US-headquartered vendor cannot rely on foreign storage alone to refuse a valid US order.
This means even if a US SaaS vendor offers "Canadian data residency" — storing your data on servers physically located in Canada — the parent company is still subject to US legal process. A US court order can compel Slack, Microsoft, Google, or any other US-incorporated company to hand over data stored in Canadian data centres.
For Quebec organizations conducting TIAs under Law 25, this creates a fundamental tension: the legal framework of the United States, through the CLOUD Act, may not provide privacy protection equivalent to what Quebec law requires.
Data residency ≠ data sovereignty. Data residency means your data is stored on servers in Canada. Data sovereignty means your data is subject only to Canadian law. With US-parented SaaS, you can have residency without sovereignty.
Common SaaS tools and their jurisdictional exposure
Here's a sample of widely-used SaaS tools and their jurisdictional status for Quebec organizations:
| Tool | Parent | Jurisdiction | CLOUD Act | Risk |
|---|---|---|---|---|
| Microsoft 365 | Microsoft Corp. | United States | Yes | Exposed |
| Slack | Salesforce, Inc. | United States | Yes | Exposed |
| Google Workspace | Alphabet Inc. | United States | Yes | Exposed |
| QuickBooks Online | Intuit Inc. | United States | Yes | Exposed |
| Zoom | Zoom Video Communications | United States | Yes | Exposed |
| Clio | Themis Solutions | Canada | No | Review |
| Wealthsimple | Wealthsimple Inc. | Canada | No | Canadian |
The pattern is clear: the majority of commonly-used SaaS tools are US-headquartered, US-jurisdictioned, and CLOUD Act exposed. A typical Quebec organization using 10–20 SaaS tools will find that 60–80% of their stack falls under US jurisdiction. A Canadian parent is not the end of the analysis either: the vendor's own hosting provider and other sub-processors may be US-parented, which is why a Canadian vendor still warrants a review of its sub-processor list rather than an automatic pass.
What most organizations are getting wrong
Based on our assessments, the most common compliance gaps are predictable and consistent across industries:
No TIAs completed. The single biggest gap. Most Quebec organizations have not completed a single Transfer Impact Assessment, despite using multiple cross-border SaaS tools daily. This has been a requirement since September 2023.
No DPAs executed. While large SaaS vendors typically have DPA templates available, most organizations have never requested or signed them. A vendor having a DPA available is not the same as having one in place with your organization.
Confusing data residency with data sovereignty. Organizations that have configured Canadian data residency on tools like Microsoft 365 often believe they've addressed the compliance concern. They haven't — the CLOUD Act exposure remains regardless of where data is physically stored.
No Privacy Officer published. Many organizations haven't designated a Privacy Officer or published their contact details on their website, as required.
No incident register. Organizations are required to maintain a register of confidentiality incidents for five years. Most have no formal process for this.
How to start: a practical compliance path
If you're a Quebec organization that hasn't addressed these requirements, here's a realistic path forward — in order of priority:
First: map your SaaS stack. Before you can assess compliance, you need to know what tools you're using and where they sit jurisdictionally. Identify every SaaS tool that processes personal information, determine its parent company and headquarters, note the cloud provider it hosts on and any other sub-processors listed in its DPA, and document whether Canadian data residency is available and configured.
Second: designate your Privacy Officer. This is a quick, high-impact action. Designate someone (or acknowledge the default, your CEO, and record any delegation in writing), and publish their title and contact information on your website.
Third: establish your incident register. Even a simple spreadsheet works to start. The important thing is having a documented process.
Fourth: begin TIA documentation. Start with your highest-risk tools — those processing the most sensitive data (employee records, client files, financial data, health information) through foreign-jurisdictioned vendors. You don't need to complete all TIAs simultaneously, but you need to demonstrate you've started the process.
Fifth: execute DPAs. Contact your SaaS vendors and request their Data Processing Agreements. Review them for Law 25 adequacy. Sign them.
HarbourScan maps your SaaS stack to parent jurisdictions, flags CLOUD Act exposure, and generates a compliance gap report in about 10 minutes — directly in your browser. It's a good starting point for step one. Run a free assessment →
The regulatory trajectory
Law 25 enforcement is still in its early stages, but the CAI has signaled increasing scrutiny. Quebec is also not operating in isolation. At the federal level, Bill C-27 proposed a Consumer Privacy Protection Act (CPPA) that would have modernized PIPEDA with requirements similar to Law 25; the bill died on the order paper when Parliament was prorogued in January 2025, but it shows the direction federal reform is heading. Ontario, British Columbia, and Alberta are all watching Quebec's implementation closely.
Organizations that address their SaaS compliance gaps now are positioning themselves ahead of a regulatory trend that is moving in one direction: stricter requirements, higher penalties, and greater enforcement activity around cross-border data transfers.
The question isn't whether these requirements will be enforced. It's when — and whether you'll be ready when they are.