The storage vs. processing distinction
Google Cloud operates a Canadian region in Montréal (northamerica-northeast1). Google Workspace administrators can configure data region policies to store covered data at rest in Canada. This covers primary data for core services — Gmail content, Calendar data, Drive files, Docs, Sheets, Slides, Chat messages, and Meet recordings.
But Google's architecture processes data differently from how it stores it. When you search your Gmail, when Google indexes your Drive files, when spam filtering analyses your email content — that processing may occur outside the region where the data is stored. Google's data region policy governs storage at rest, not processing in transit.
This distinction matters for compliance frameworks that regulate data transfers. Under Law 25, a cross-border transfer includes any instance where personal information is communicated outside Quebec. If data stored in Montréal is processed on infrastructure in the US — even momentarily — that constitutes a transfer requiring documentation.
What "covered data" actually covers
Google's data region policy applies to "covered data" for core services. This is narrower than it sounds. It covers the primary content data — the body of emails, the files in Drive, the recordings in Meet. It does not necessarily cover metadata, logs, indexing data, or content processed by add-ons and connected third-party applications.
For organizations that rely heavily on Google's ecosystem — including Marketplace apps, Chrome extensions, and third-party integrations — the data residency commitment may cover less of their actual data footprint than they assume. A thorough assessment should map which data flows are covered by the region policy and which are not.
Google Analytics and the advertising data question
Google Analytics, while technically separate from Google Workspace, is widely deployed alongside it. Analytics data — which includes IP addresses, behavioural data, and potentially personal information — is processed on Google's global infrastructure with no Canadian data residency option.
For organizations that use both Google Workspace and Google Analytics, the compliance assessment must cover both. A Canadian data region for Workspace does not extend to Analytics, and the personal information flowing through Analytics may trigger separate TIA requirements.
Gemini AI and processing location
Google has integrated Gemini AI across Workspace — in Gmail drafting, document creation, and meeting summarization. Like Microsoft's Copilot, Gemini processes content through AI infrastructure that may not be co-located with the data region where the content is stored.
Google has stated that Workspace data used by Gemini features is subject to the same data processing terms as other Workspace data. However, the physical location of AI inference processing is distinct from data storage location. Organizations should verify whether Gemini processing occurs within their configured data region or whether it constitutes an additional cross-border data flow.
Google's position on government access
Alphabet is incorporated in Delaware and headquartered in California. It is fully subject to the CLOUD Act. Google publishes a transparency report detailing government requests for user data, including the number of requests, the percentage complied with, and the requesting jurisdiction.
Google has publicly stated that it scrutinizes government requests and challenges those it considers overbroad. It also notifies users of requests where legally permitted. These are meaningful safeguards — but they are voluntary corporate policies, not structural protections. A CLOUD Act order overrides Google's internal policies.
What this means for Law 25 and PIPEDA compliance
Quebec organizations using Google Workspace must complete a Transfer Impact Assessment. The assessment should document: Alphabet's US incorporation and CLOUD Act status, the configured data region (Montréal), the distinction between storage and processing location, which data categories flow through Workspace, whether Gemini features are enabled and where processing occurs, and what contractual safeguards are in place.
Google Workspace's Canadian data region is a genuine mitigating factor — it demonstrates that the organization has taken steps to keep data within Canadian borders. But it does not eliminate the CLOUD Act exposure. The TIA should acknowledge both the safeguard and the residual risk.
Practical considerations
Client-Side Encryption: Google offers Client-Side Encryption (CSE) for Workspace, where encryption keys are managed by the customer or a third-party key management service. When enabled, Google cannot read the content — meaning a CLOUD Act order would produce encrypted data that Google cannot decrypt. This is the strongest technical safeguard available, but it limits some Workspace functionality.
Data region configuration: Ensure the data region policy is actually configured. Many organizations eligible for data region controls have not enabled them. The default is Google's global infrastructure, not a specific region.
Education sector: Google Workspace for Education is widely deployed in Canadian schools and universities. Student data flowing through a US-jurisdictional platform raises specific concerns under provincial education privacy statutes. Several Canadian provinces have issued guidance on cloud services in education that should be consulted alongside federal and Quebec privacy requirements.
Google Workspace is operated by Alphabet Inc. (US-incorporated) and is subject to the CLOUD Act. BC public bodies using Google Workspace with sensitive personal information must complete a privacy impact assessment under the amended FIPPA. Google offers a Canada data region, but CLOUD Act exposure remains because the parent entity is US-jurisdictioned. Read the full FIPPA SaaS compliance guide → · Download PIA template →