Cross-Border Privacy Impact Assessments Under Bill C-36 (PPCDA): Which Vendors Trigger the Requirement
By Yong Du
Section 57 of the PPCDA requires a Privacy Impact Assessment before transferring personal data outside Canada. Here is which vendors trigger it.
What section 57 of the PPCDA requires
Before transferring or disclosing personal information outside Canada, an organization must do two things under section 57 of the PPCDA:
- Conduct a Privacy Impact Assessment — before the transfer begins, or before continuing an existing transfer once the PPCDA comes into force (section 57(1)(a))
- Implement measures to mitigate the identified risks — contractual protections, certification programs, or other prescribed measures (section 57(1)(b))
The completed PIA must be provided to the Digital Safety and Data Protection Commission on request (section 57(2)).
This obligation applies to every transfer of personal information outside Canada — not just new vendor relationships established after the PPCDA comes into force. Organizations already transferring personal information to US-based service providers will need to conduct PIAs for those existing relationships when the law comes into effect.
How this differs from PIPEDA
Under PIPEDA, organizations that transfer personal information to service providers in other countries must use contractual means to provide comparable protection. The OPC has consistently held that organizations remain accountable for information transferred to third parties — they cannot transfer accountability by contract alone. But PIPEDA does not require a Privacy Impact Assessment before a transfer.
Under the PPCDA, the PIA is mandatory. The contract is still required — but it is now one of the mitigation measures the PIA identifies, not the only step.
For most Canadian SMBs, this represents a new documentation obligation for vendor relationships that already exist.
Which vendor categories trigger the requirement
Any vendor that stores or processes personal information outside Canada triggers section 57. For a typical Canadian small business, that includes most of the following:
Email and productivity platforms
Google Workspace and Microsoft 365 are the two dominant platforms. Both offer Canadian data residency for some workloads, but the default configuration for most SMBs routes data through US infrastructure. If your organization has not specifically configured Canadian data residency and confirmed that it applies to every workload in use, assume the transfer is occurring.
CRM and customer management
Salesforce, HubSpot, Zoho, and similar CRM platforms are predominantly US-based. Customer contact information, deal history, and communication records in these platforms are almost always processed outside Canada in default configurations.
Payment processing
Stripe, PayPal, and Square process transaction data, which includes personal information, through US-based infrastructure. Unless the processor confirms otherwise in writing, assume that every transaction involving a Canadian individual's personal information passes through a US data centre.
Accounting and bookkeeping
QuickBooks Online, FreshBooks, and Wave process financial records containing personal information, and most default to US-based data storage. Xero is based in New Zealand. In each case the data is stored or processed outside Canada, so all trigger section 57.
Payroll
ADP, Ceridian, and Gusto process employee personal information: names, SINs, banking details, compensation records. Some offer Canadian payroll processing options; confirm whether the data ever leaves Canada at any point in processing, including backups and support access.
Cloud storage and file sharing
Dropbox, Box, and Google Drive in default configurations store files on US servers. SharePoint and OneDrive have Canadian data residency options under certain Microsoft 365 licensing tiers.
Communication and collaboration
Slack, Zoom, Microsoft Teams, and similar platforms route communication data through US-based infrastructure. Even organizations that believe their data stays in Canada should confirm whether metadata, recordings, and message content are processed in the US.
IT management and security tools
MSPs and IT teams using remote monitoring and management (RMM) tools, ticketing or professional services automation (PSA) systems, or endpoint security platforms should verify where client data is stored and processed. Many RMM and PSA platforms are US-based, and they typically hold the client's user directory and device records, which are themselves personal information.
What "outside Canada" means in practice
The PPCDA applies to transfers of personal information to a country other than Canada. The relevant question is where the personal information is stored and processed — not just where the vendor is headquartered.
A vendor headquartered in the US but operating exclusively on Canadian servers, with no US-based access to Canadian data, may not trigger section 57 for that specific data flow. But most US-headquartered vendors — even those offering Canadian data residency — route some functions through US infrastructure: customer support access, security operations, sub-processor services, or backup storage.
Before concluding that a vendor does not trigger section 57, confirm in writing with the vendor:
- Where data is stored
- Where data is processed and by whom
- Which sub-processors have access to the data and from where
- Whether support or operations staff in the US or other jurisdictions can access Canadian-stored data
A vendor's marketing claim of "Canadian data residency" is not the same as a contractual confirmation that no personal information ever leaves Canada.
What the PIA must cover
The PPCDA does not prescribe a specific PIA template for cross-border transfers. Based on section 57(1) and the general PIA framework, a cross-border transfer PIA should document:
The transfer itself
- What personal information is being transferred (categories, volume, sensitivity)
- Which vendor is receiving it
- The country or countries where it will be stored and processed
- The legal privacy framework in the destination country
The risks to individuals
For transfers to the United States, the key risk factors include:
- The absence of a comprehensive federal privacy law comparable to PIPEDA or the PPCDA — US privacy law is sectoral and varies by state
- The US CLOUD Act, which allows US authorities to compel a provider subject to US jurisdiction to disclose data in its possession or control regardless of where that data is stored, including in Canada
- Sub-processors in the US or other third countries who may have access to the data
The mitigation measures
- The contractual protections in place (Data Processing Agreement, sub-processor clauses, breach notification requirements)
- The vendor's independent assurance (an ISO 27001 certificate or a SOC 2 Type II report), with the scope and reporting period checked against the service and regions actually in use
- Technical controls (encryption in transit and at rest, access controls, data minimization)
- How the organization will monitor the vendor's compliance over time
The PIA is a document — not a checkbox exercise. It must be specific to the vendor, the data being transferred, and the identified risks. A generic PIA template applied to every vendor without vendor-specific content will not satisfy section 57.
What mitigation measures look like
Section 57(1)(b) requires measures that mitigate the risks identified in the PIA. Three categories are recognized:
Contractual protections A signed Data Processing Agreement (DPA) with the vendor is the baseline. The DPA should specify: what personal information the vendor can process and for what purposes, security requirements, breach notification obligations, sub-processor controls, data return or destruction on contract termination, and the organization's audit rights.
Most major US vendors (Google, Microsoft, Stripe, Salesforce) have standard DPAs available. Many SMBs have never signed them — they accepted the vendor's terms of service without a DPA. Under the PPCDA, the DPA is a required mitigation measure, not optional.
Certification programs ISO 27001 certification and SOC 2 Type II reports are the third-party assurance most commonly relied on for information security. Strictly, only ISO 27001 is a certification; a SOC 2 Type II report is an auditor's attestation that the vendor's controls operated effectively over a stated period, typically six to twelve months. Either document shows that the vendor's security controls have been independently assessed, but only for what is in scope: check the certificate's scope statement or the SOC 2 system description against the product you use, confirm the certificate is current or the report period is recent, and read the exceptions noted by the auditor rather than just the opinion. Confirming this for each vendor is part of the cross-border transfer due diligence.
Technical controls Encryption in transit (TLS) and at rest, multi-factor authentication, role-based access controls, and data minimization reduce the risk that transferred personal information will be improperly accessed or disclosed. One caveat matters for the CLOUD Act risk identified in the PIA: encryption at rest with keys held by the vendor does not prevent the vendor from decrypting the data when compelled, so it mitigates outsider access but not foreign government access. Client-side encryption or customer-managed keys are the controls that address that specific risk. Technical controls are not substitutes for contractual protections; they are additional mitigations that reduce the residual risk after contracts are in place.
Scope note
This article covers the PPCDA (Bill C-36), which applies to private-sector organizations engaged in inter-provincial or international commercial activity. Quebec organizations primarily engaged in intra-provincial commercial activity are governed by Quebec's Act respecting the protection of personal information in the private sector (Law 25 / Bill 64), which has its own cross-border transfer provisions. Quebec obligations are not covered here.
What to do before the PPCDA comes into force
The PPCDA is not yet law. PIPEDA remains operative. But the cross-border PIA obligation is one of the most operationally intensive requirements in the PPCDA — building the foundation now is substantially easier than conducting PIAs for every vendor relationship under compliance pressure.
Four steps to prepare:
- Map your vendors. Identify every vendor your organization uses that receives, stores, or processes personal information. For each one, determine where that data goes and whether any of it leaves Canada. This vendor inventory is the prerequisite for every PIA.
- Confirm data residency with each vendor in writing. Do not rely on marketing materials. Ask the vendor specifically: where is data stored, where is it processed, who has access and from where, and which sub-processors are involved. Get the answer in writing.
- Execute Data Processing Agreements. For every vendor where a DPA is not already in place, request and sign one. This is a PPCDA requirement and a PIPEDA best practice. Most major vendors have standard DPAs; the obstacle is usually that no one has asked.
- Collect security certifications. For each vendor, obtain a copy of their current ISO 27001 certificate or SOC 2 Type II report. These documents become part of your cross-border transfer mitigation record under section 57.
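The four steps above produce a vendor inventory, and the trigger logic from "What 'outside Canada' means in practice" (storage, processing, sub-processors and support access must all be confirmed in writing to be in Canada) can be applied to that inventory mechanically. The Python below is an added example written for this page, not code from the article or from any vendor. The vendor rows are constructed and fictional; the field names, the use of ISO 3166 country codes, and the rule that an unknown or unconfirmed location counts as outside Canada are assumptions of the example.

```python
"""Vendor inventory check for the section 57 trigger logic described in the article.

Each record captures the four things the article says to confirm in writing:
where data is stored, where it is processed, where sub-processors operate, and
from where support or operations staff can access it.  A data flow stays out of
section 57 only if every one of those locations is Canada and the vendor has
confirmed that in writing; otherwise the flow is treated as cross-border and the
record is checked for the mitigation evidence the article lists.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

CANADA = "CA"  # ISO 3166 alpha-2 code (assumption of this example)


@dataclass
class Vendor:
    """One row of the inventory. An empty location set means 'not yet known'."""
    name: str
    data_categories: list[str]
    storage: set[str]
    processing: set[str]
    subprocessors: set[str]
    support_access: set[str]
    residency_confirmed_in_writing: bool = False
    dpa_signed: bool = False
    assurance: Optional[str] = None  # e.g. "ISO 27001" or "SOC 2 Type II"
    pia_completed: bool = False


def locations(v: Vendor) -> list[set[str]]:
    return [v.storage, v.processing, v.subprocessors, v.support_access]


def countries_outside_canada(v: Vendor) -> set[str]:
    """Every jurisdiction other than Canada that any part of the flow touches."""
    return {c for loc in locations(v) for c in loc if c != CANADA}


def triggers_section_57(v: Vendor) -> bool:
    """Section 57 applies unless every location is confirmed, in writing, to be Canada."""
    if not v.residency_confirmed_in_writing:
        return True  # a marketing claim of residency does not count; assume the transfer occurs
    if any(not loc for loc in locations(v)):
        return True  # an unknown location is treated as outside Canada
    return bool(countries_outside_canada(v))


def gaps(v: Vendor) -> list[str]:
    """Mitigation evidence still missing for a vendor that triggers section 57."""
    if not triggers_section_57(v):
        return []
    missing = []
    if not v.residency_confirmed_in_writing or any(not loc for loc in locations(v)):
        missing.append("written confirmation of storage, processing, sub-processor and support locations")
    if not v.dpa_signed:
        missing.append("signed Data Processing Agreement")
    if v.assurance is None:
        missing.append("current ISO 27001 certificate or SOC 2 Type II report")
    if not v.pia_completed:
        missing.append("cross-border PIA")
    return missing


def report(vendors: list[Vendor]) -> dict[str, dict]:
    """Per-vendor summary: does s.57 apply, which jurisdictions are touched, what is missing."""
    return {
        v.name: {
            "triggers_s57": triggers_section_57(v),
            "outside_canada": sorted(countries_outside_canada(v)),
            "gaps": gaps(v),
        }
        for v in vendors
    }


# Constructed inventory rows; the vendor names are fictional.
SAMPLE_VENDORS = [
    Vendor("Maple Payroll (constructed)", ["names", "SINs", "banking details"],
           {"CA"}, {"CA"}, {"CA"}, {"CA"},
           residency_confirmed_in_writing=True, dpa_signed=True,
           assurance="SOC 2 Type II"),
    Vendor("Northwind CRM (constructed)", ["contact details", "deal history"],
           {"US"}, {"US"}, {"US", "IE"}, {"US"},
           residency_confirmed_in_writing=True, dpa_signed=False,
           assurance="ISO 27001"),
    Vendor("Borealis Drive (constructed)", ["documents"],
           {"CA"}, {"CA"}, {"CA"}, {"US"},  # Canadian data centre, US support desk
           residency_confirmed_in_writing=True, dpa_signed=True,
           assurance="SOC 2 Type II", pia_completed=True),
    Vendor("Tundra Tickets (constructed)", ["employee names", "device records"],
           {"CA"}, set(), set(), set(),  # only the storage location is known so far
           residency_confirmed_in_writing=False),
]

if __name__ == "__main__":
    for name, row in report(SAMPLE_VENDORS).items():
        print(name, row)
```

Running it lists, per vendor, whether section 57 applies, which jurisdictions the flow touches, and which evidence items (written confirmation, DPA, assurance report, PIA) are still missing. The third row is the case the article warns about: data held in a Canadian data centre but accessible to a US support desk still counts as a transfer, even though that vendor's documentation is otherwise complete.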
Related guides
- What Is Bill C-36? Canada's New Privacy Law for Small Businesses
- What Is a Privacy Management Program Under Bill C-36 (PPCDA)?
- Legitimate Interest Under Bill C-36 (PPCDA): New to Canadian Privacy Law
- Bill C-36 (PPCDA): Canada's New Privacy Law Lets Customers Sue You Directly
Breach reporting obligations under the PPCDA are identical to PIPEDA. Your current breach assessment process transfers directly. Confirm it is in place now.
Frequently asked questions
Does the cross-border PIA requirement apply right now under PIPEDA?
No. PIPEDA does not require a Privacy Impact Assessment before transferring personal information to a service provider in another country. Under PIPEDA, organizations must use contractual means to provide comparable protection — a Data Processing Agreement or similar contract — but no PIA is required. Section 57 of the PPCDA introduces the PIA requirement. It applies once the PPCDA comes into force, not before.
Which vendors trigger the cross-border PIA requirement under section 57?
Any vendor that stores or processes personal information outside Canada triggers the requirement. For most Canadian SMBs, that includes US-based email platforms, CRM systems, payment processors, payroll software, accounting tools, cloud storage, and communication platforms. If the vendor's servers or data processing infrastructure are located outside Canada and personal information flows to them, a PIA is required before that transfer continues under the PPCDA.
What must a cross-border PIA for a US vendor include?
The PIA must identify the personal information being transferred, the country of destination and its privacy framework, the specific risks to individuals — including foreign government access under laws like the US CLOUD Act — and the contractual and technical measures the organization will use to mitigate those risks. The completed PIA must be available to the Commission on request under section 57(2).
Do Canadian data centres eliminate the cross-border transfer requirement?
If personal information is stored and processed entirely within Canada — including by vendor support and operations staff — a Canadian data centre configuration may avoid triggering section 57. However, many US-headquartered vendors with Canadian data centre options still route some processing, support access, or sub-processor activity through the US or other jurisdictions. Organizations should confirm with each vendor whether data is ever accessed, processed, or sub-processed outside Canada, not just where it is stored.
What mitigation measures does section 57 require?
Section 57(1)(b) requires measures to mitigate the risks identified in the PIA. The PPCDA identifies contractual protections, certification programs, or other prescribed measures as the recognized categories. In practice, this means a signed Data Processing Agreement with each vendor, review of the vendor's sub-processor list, confirmation of security certifications (ISO 27001, SOC 2 Type II), and technical controls such as encryption in transit and at rest. The specific measures must match the risks the PIA identifies.
This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.