The global challenge of cross-border privacy compliance

Experts discuss challenges, frameworks, and best practices for global data transfers

Navigating cross-border privacy compliance is on every general counsel’s radar and has become increasingly complex for organizations operating in today’s global landscape. With evolving regulations like Quebec’s Law 25 and the continuing and far-reaching influence of foreign privacy laws, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), businesses must balance legal requirements, practical implementation, and risk management across multiple jurisdictions.

In this Q&A, privacy and compliance experts Imran Ahmad, Katherine Barbacki, John Cassell, and Manpreet Singh share their perspectives and offer practical guidance on cross-border data governance in Canada and beyond.

Q: What are the main complexities organizations face with cross-border privacy compliance?

Manpreet Singh (MS): One of the initial questions there is how local privacy laws will apply when organizations want to transfer data cross-border. Our follow-up questions are typically: what are those local laws, where are you sending the data, and do you have the appropriate consent or disclosures in your privacy materials? In Canada, depending on the laws you fall under, you may have certain provincial requirements, including to provide notice to individuals that their information will be transferred and stored outside of their local jurisdiction. PIPEDA does not necessarily require express consent, but it does require transparency about the transfer and its implications, such as moving data overseas and that data then being subject to the laws of another jurisdiction.

Katherine Barbacki (KB): To add to that, Quebec’s Law 25 is the most significant privacy development in Canada over the last few years. The kind of Canadian federal requirements that Manpreet spoke to have been in place for a while now, but Law 25 has specific requirements that must be met when transferring information outside of Quebec. The requirements for cross-border transfers kick in as soon as the data is being transferred outside of Quebec — even if it's going just across the river, from Gatineau to Ottawa. The requirements are the same as if it were transferred internationally.

There's the transparency notice or consent that has to be obtained from individuals at the time of the collection or transfer, which is basically a notice in the privacy policy that says that information may be transferred outside of Quebec, which aligns with the requirement as well under the federal law. There are also a couple of requirements that are not necessarily enforced in other privacy laws in Canada. So essentially, under Quebec, if information is going to be leaving Quebec, a privacy impact assessment has to be conducted, which basically is meant to identify any gaps in the legislation in the jurisdiction where the information is going to be transferred. And then it requires that you put in place certain contractual measures, usually a data protection addendum, to kind of mitigate any of the risks identified in that privacy impact assessment. These are encouraged under the federal legislation, but they're not yet required. It’s significant that now in Quebec, these two things are required.

Imran Ahmad (IA): Zooming out, most Chief Privacy Officers in Canada are responsible for privacy compliance that extends beyond Canadian borders. They often operate within global teams or oversee international operations. Their biggest strategic challenge is harmonizing a privacy program that isn’t solely focused on one jurisdiction — whether European, Canadian, or U.S. — but instead identifies commonalities and key differences across regions to build a cohesive framework. This cross-border complexity is where compliance becomes particularly challenging. On top of that, there are more tactical, jurisdiction-specific issues to manage — such as Quebec’s Law 25.

Q: How do global privacy frameworks influence Canadian organizations?

MS: In terms of legislative frameworks, the GDPR has probably had the biggest influence just because of how robust and comprehensive it is. We have seen a lot of certain trickle-down practices here in Canada, specifically with data protection agreements (DPAs), which have now become a part of Quebec's requirements, for example. We also see a lot of GDPR-centric terminology being used in DPAs here in Canada, specifically the controller-processor dynamic.

IA: There are several privacy frameworks available globally, and one of the key challenges for privacy officers is deciding which one to adopt. While legal compliance is jurisdiction-specific, a framework provides the foundation for an overall privacy program — something that must be scalable and adaptable to an organization’s needs.

Options include the NIST Privacy Framework, ISO standards (which offer certification), and the Canadian Standards Association (CSA) framework, among others. The real challenge lies in selecting the right framework and tailoring it appropriately, rather than simply pursuing certification.

Beyond choosing a framework, a critical aspect we often advise clients on is demonstrable accountability. If you're ever investigated or face a compliance issue, it’s not enough to claim you're following the law — you need to show how your practices align with a structured program. For example, when a client asks us to review their privacy policy, we don’t just assess the language; we evaluate whether the organization’s actual practices support what the policy states. After all, that policy is your public commitment. If a regulator calls and says, “Your policy says X — show us how you’re doing X,” you need to be able to provide evidence. That’s where compliance becomes more complex.

In short, while frameworks exist, the hard part is choosing the right one, scaling it to fit your organization, and embedding it into your operations in a way that supports both compliance and accountability.

KB: The way we had seen it done, more often than not, was companies or organizations that had basically looked at all the different major legal frameworks — GDPR compared to PIPEDA, compared to Law 25 in Quebec, compared to California, for example — and then, depending on the jurisdictions in which they operated, see where the gaps were. They’d say we’re mostly compliant with PIPEDA, but there are some gaps with Law 25 and GDPR, and often they’d take the strictest approach. They’d apply the most stringent requirements throughout jurisdictions to minimize back-end complexities by not requiring different processes.

MS: We do see many more organizations, particularly if they operate in the EU, to Katherine and Imran's point, deciding they're going to apply a slightly more stringent standard to their own practices here in Canada.

Q: What practical steps and best practices should organizations follow for cross-border compliance?

IA: Our typical recommendation is to start with a thorough data inventory. Many organizations are surprised to discover they don’t have a full understanding of the data they hold — what qualifies as personal information, what falls under privacy regulations, and even which data they truly own. It’s important to distinguish between data collected directly from individuals and data obtained through third parties.

Having a clear picture of your data is foundational. It helps determine which privacy framework best fits your organization, how to meet legal and regulatory obligations, and how to scale your compliance program appropriately. This understanding also supports ongoing governance, as regular reviews are essential to keep your program current and effective.

When companies go through changes — such as acquisitions or divestitures — those events can significantly impact compliance. That’s why it’s critical to treat privacy not as a one-time exercise, but as a dynamic process that evolves with your business.

MS: When you’re doing your due diligence and you're obtaining services from a vendor, then as the client you need to understand where the vendor will keep your information, especially when dealing with vendors who operate in multiple jurisdictions. If you're the vendor, the issue of cross-border transfers can be a bit nuanced as certain companies may have comfort with some jurisdictions, but not others. There are arrangements that the parties should discuss in advance so that the contract is workable for everyone. For example, companies can mitigate risks by keeping their data stored in Canada while still permitting the data to be accessible by the vendor’s personnel elsewhere but only for operational purposes.

KB: Specifically, from the Quebec perspective, we must make sure we have all the notice requirements fulfilled. That means letting people know in a privacy policy or other consent that the information is going to be transferred cross-border, and what the implications of that are, like Manpreet explained. You want to make sure you’re conducting a privacy impact assessment if the information is leaving Quebec and then make sure the DPA is in place as well.

I would say outside of the Quebec area, those are still all very useful tools. In fact, the DPA is something all organizations should have in place when they're transferring data, whether or not it's a hard requirement under privacy laws, and those are becoming quite standard.

MS: It's important to make sure that the DPA is comprehensive and robust enough, so that if a regulator were to tap you on the shoulder, they would be comfortable that you met your accountability responsibilities. You want to make sure you have the ability to audit, the ability to control how the information is used, ensure safeguards are in place and the data is used only for the agreed-upon purposes, and you want the right to control retention, return and destruction. In other words, within that DPA, you want to make sure that your rights are reserved and that you can demonstrate you've taken responsibility, but organizations need to do their due diligence as well.

IA: Building on Manpreet’s point about audits — having well-drafted contracts with strong privacy clauses is important, but if you haven’t done proper due diligence, especially when transferring data to a jurisdiction or vendor with a poor or unknown track record, those clauses won’t protect you. There’s a responsibility to assess the third party receiving the data to ensure they provide a level of privacy protection that’s at least equivalent to what’s required in Canada. Ultimately, it’s not just about what’s on paper — it’s about verifying that your partners can uphold the standards your organization is committed to.

Q: To that end, what other advice would you have when clients are vetting vendors?

MS: You want to look at their internal policies. What’s their privacy compliance posture? What internal controls do they have in place? What are the security safeguards they're using? Are there subprocessors or subcontractors who may have access to your data? You're going to want to set guard rails around that access. Those are important considerations. It's definitely good to know how your vendor treats information internally to get a good idea on how they're going to treat your data.

John Cassell (JC): As you're doing the due diligence process Manpreet mentioned, the risk classification you give the vendor will impact the provisions you put in their contract — or that you try and negotiate into the contract. It's really that two-step process. Often it's difficult to attempt to negotiate those provisions in when you haven't done the due diligence because you’re negotiating in a vacuum. We recommend building a bit of a vendor third party risk management privacy program for when you're onboarding or thinking of onboarding a particular vendor or third party. That'll help screen the risk, particularly around data transfers. You know that you're dealing with it appropriately.

Q: What are the risks if organizations fall short of compliance?

IA: Privacy has long been a part of the corporate landscape, but today there’s a heightened awareness of its importance at the board and executive levels. That’s why most organizations now have dedicated roles like Chief Privacy Officer or Data Protection Officer — it’s become a top-of-mind issue. While some compliance matters are relatively minor and easily addressed, others are more complex and carry significant risk.

For example, retaining data longer than necessary, transferring it improperly across borders, or failing to comply with foreign regulations can lead to serious consequences — including fines or litigation, depending on the jurisdiction. We’re seeing this increased awareness translate into more active enforcement, both in Canada and globally. John and I have seen this firsthand, particularly in the context of cybersecurity breaches and related litigation. Even the federal Privacy Commissioner is becoming more proactive, working more closely with provincial counterparts to initiate investigations.

To manage this risk, organizations need to take a “backwards analysis” approach — start by considering the worst-case scenario, then build a compliance strategy that demonstrates both adherence to the law and a genuine effort to meet obligations. This proactive posture can serve as a mitigating factor if issues arise.

One common challenge we see is that clients often want to solve everything at once — to build a complete privacy program in a single day. But meaningful compliance requires foundational work with internal teams, gathering input, and building the program in a modular, scalable way. That’s where a framework becomes invaluable. It provides a roadmap for achieving and maintaining compliance. The key isn’t which framework you choose — whether it’s NIST, ISO, or another — but rather your ability to demonstrate progress and a commitment to continuous improvement.

KB: In terms of enforcement, the biometric space is one where we’ve seen quite significant enforcement action on the part of the regulator in Quebec. Essentially, the requirements in Quebec are very strict when it comes to biometrics. The regulator has the highest enforcement powers, so the Commission d’accès à l’information (CAI) can enforce quite significant fines, administrative and monetary penalties.

Many of our clients receive outreaches either stemming from complaints from employees about biometric timekeeping devices or otherwise. It’s an area where we are seeing the regulator take a particular interest, in terms of making sure that companies are following the requirements for declaring the systems and the databases that they're using for biometrics and complying with the requirements around those systems.

JC: Often this is an area where privacy intersects with cyber. The risks of noncompliance with privacy are significant, but often they're illuminated during a cyber incident. That's when, potentially, regulators are more likely to conduct an investigation into the data practices of an organization post-incident, when a company is at its most vulnerable, feeling a lot of pressure, and perhaps has had a data breach publicly disclosed. The risks are heightened that their worst privacy practices are exposed during this time. To put it another way, that's when the skeletons in the closet will become visible. We’ve seen it with a lot of clients.

We're also seeing increased regulatory scrutiny. Certainly, commissioners in Canada are asking more detailed questions, with multiple follow ups. Also, the risk of litigation, particularly class action litigations, is always increasing. We're starting to see that a bit more in Canada with an active plaintiff class action bar that’s not scared to commence a class action on the basis of improper data handling practices. Usually, that's folded into part of a class action arising out of a cyber incident. So, if there's data that should have been deleted, that'll be included in a class action as part of a cyber class action, for example.

Overall, risks for non-compliance are increasing across the board.

MS: On a more business level, you risk losing customer trust. A lot of our laws are intended to empower individuals to have control over their data. That's why cross-border transfers are so sensitive: individuals are losing control, because you're sending their data to another country. You want to have transparency. For companies that don't do it well, it impacts their reputation, which, in a business environment, can be very detrimental. And that's all before litigation arises or some of the more serious consequences of that non-compliance that my colleagues have discussed.

Q: Any final thoughts?

KB: When we're speaking to clients, they want to be compliant. They want to know all the different requirements, make sure they put them in place, and have all the paper, policies, and contracts done. But above that, there must be proper procedures in place that the organization is actually going to follow at a practical level. Because you can have everything papered and all the policies are good, but if nobody's following it internally, it's useless.

JC: To sum it up, privacy compliance is not simple. It’s not a one-day endeavor. It's complex and requires a thoughtful, coordinated, strategic response — particularly for global companies, in light of the risks that are increasing every day in this area.

Firm(s)

Norton Rose Fulbright LLP